Page MenuHomePhabricator

OAuth: Dialog for granting an app permission should clarify or link to what "basic rights" are
Closed, DuplicatePublic

Description

When an application requests the ability to edit on my behalf there is an unordered list with the rights.

But when an app requests basic rights there is only a plain text message saying app "X" requests basic rights. I have no idea what that means. As a developer I'm hoping that means reading. As a user, I'd think "basic" includes editing as well, and I really don't want to grant certain apps that permission (e.g. the kind of tools that abuse OAuth as a way to do OpenID).

Digging back into overview of what these rights mean was hard. After granting access, I found the special page via the Preferences page, then "manage access" which listed "Basic rights" and had a linked list item to https://meta.wikimedia.org/wiki/Special:OAuth/grants#useoauth

That's where I finally found the information.


Version: unspecified
Severity: minor

Details

Reference
bz66978

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 22 2014, 3:32 AM
bzimport set Reference to bz66978.
bzimport added a subscriber: Unknown Object (MLST).
Krinkle created this task.Jun 23 2014, 12:12 PM

We considered linking the individual grants to their Special:OAuth/grants entry, iirc UX didn't think it would be a good idea.

Jared, could you or someone on UX let us know if linking all of those would be problem?

The rationale was that this option only shows when no other rights were requested in is only shown when an app wants to use Oauth as a means for account creation. Can someone link to a test app or screen shot of the case where "basic rights" is displayed.

Jared--https://tools.wmflabs.org/gerrit-patch-uploader/ and click on the "Log in using your mediawiki.org account" link at the top.

Thanks Chris, I'd recommend we make "basic access" a link but not style it as such, no color change, no underline until hover. This way we can preserve the simple look for the majority of end users who are likely not to care and should be distracted to go read more about a rather technical issue.

Tgr added a subscriber: Tgr.Jun 29 2015, 11:52 PM

AIUI this was solved by introducing "basic access only" applications with a different dialog text.