Page MenuHomePhabricator

Attempting to approve some OAuth consumers results in error
Closed, ResolvedPublic

Description

Several OAuth admins report not being able to approve either of my latest proposed consumers: https://www.mediawiki.org/wiki/Special:OAuthListConsumers?name=&publisher=Ragesoss&stage=0

The error message they get is:
"Someone changed the attributes of this consumer as you viewed it. Please try again. You may want to check the change log."


Version: unspecified
Severity: critical

Details

Reference
bz72634

Event Timeline

bzimport raised the priority of this task from to High.Nov 22 2014, 3:58 AM
bzimport set Reference to bz72634.
Ragesoss created this task.Oct 28 2014, 5:44 PM

Uhg, fatality of the updates to user tokens.

MWOAuthDAO::getChangeToken() relies on recalculating a hash that uses User::getEditToken().

The csrf token should be checked already, so for collision detection, we probably should just use the user id instead of their edit token.

gerritadmin wrote:

Change 169593 had a related patch set uploaded by CSteipp:
Remove edit token from conflict detection

https://gerrit.wikimedia.org/r/169593

gerritadmin wrote:

Change 169593 merged by jenkins-bot:
Remove edit token from conflict detection

https://gerrit.wikimedia.org/r/169593

Now that the fix is merged and deployed, can someone approve my apps to see if it worked? :)