Mitar (Mitar)
User

User Details

User Since
Oct 25 2014, 6:11 AM (255 w, 6 d)
Availability
Available
LDAP User
Mitar
MediaWiki User
Mitar [ Global Accounts ]

Recent Activity

May 8 2017

Mitar added a comment to T71232: Provide "authenticate" endpoint for regular users.

I would still prefer just getting rid of manual reauthentications though.

May 8 2017, 10:01 PM · MediaWiki-extensions-OAuth
Mitar added a comment to T71232: Provide "authenticate" endpoint for regular users.

You do not have to update the database on all API requests, only on calls to authenticate and related OAuth calls (or are you calling OAuth calls API requests)? In any case, I do not mind having no expiration time, this is just if somebody really wants some dialogs. I am for fewer of them anyway. :-)

May 8 2017, 6:05 PM · MediaWiki-extensions-OAuth

May 2 2017

Mitar added a comment to T71232: Provide "authenticate" endpoint for regular users.

I still don't understand what abuses are here? I mean, the rest of the world uses OAuth with "authentication". Why do they not have to worry about this type of abuse, or what is the difference in trade-offs and threat models?

May 2 2017, 8:21 PM · MediaWiki-extensions-OAuth

Jun 26 2016

Mitar added a comment to T138694: Allow access to deleted articles to all past contributors to the article and talk page.

Also, here I am trying to address a general case, not my specific case.

Jun 26 2016, 7:50 AM · MediaWiki-Page-deletion
Mitar added a comment to T138694: Allow access to deleted articles to all past contributors to the article and talk page.

But in some cases it is clear that it was deleted not because it contains sensitive information. We know why things get deleted based on various rules references. Why could it not be available based on those?

Jun 26 2016, 7:50 AM · MediaWiki-Page-deletion
Mitar created T138694: Allow access to deleted articles to all past contributors to the article and talk page.
Jun 26 2016, 6:44 AM · MediaWiki-Page-deletion

Apr 10 2015

Mitar added a comment to T88757: Add way for OAuth apps to only authenticate (no other valid rights).

Security is always a trade-off. Usability, security, attention, habituation, all those things. The issue is that even with asking the user for permission every time you can introduce security issues. Maybe it makes you feel better because it becomes the user's responsibility, but it is also a problem of you designing such a system.

Apr 10 2015, 11:26 PM · Reading-Infrastructure-Team-Old (Don't use), MediaWiki-extensions-OAuth

Mar 11 2015

Gerrit Code Review <gerrit@wikimedia.org> committed rMEXT98384d218b67: Updated mediawiki/extensions Project: mediawiki/extensions/OAuth… (authored by Mitar).
Mar 11 2015, 6:13 AM

Mar 1 2015

Ricordisamoa awarded T71250: Allow adding custom parameters to the callback for OAuth a Piece of Eight token.
Mar 1 2015, 6:58 AM · MediaWiki-extensions-OAuth

Feb 6 2015

Mitar added a comment to T88757: Add way for OAuth apps to only authenticate (no other valid rights).

Hm, why only permissionless apps? Other big sites which use OAuth do not make this distinction? Try GitHub, you get asked for permissions the first time, but then you just get redirected. You can also make the token expire after some time and then they have to reauthorize. But to have to authorize every time if there are any permissions is also not good security practice. Security research is showing that the danger is user habituation to the prompt. Then they will stop reading it. And next time an evil developer will change permissions requested, they will just click OK. Habituation to prompts is a big problem. So it is better to make a prompt only when there is something important. Like permissions being asked change. Or token expired. Or there was some other security issue (login happened from strange IP, geoIP is showing multiple connections from multiple continents, etc.).

Feb 6 2015, 1:04 AM · Reading-Infrastructure-Team-Old (Don't use), MediaWiki-extensions-OAuth
Mitar added a comment to T88757: Add way for OAuth apps to only authenticate (no other valid rights).

I think there are two things here. One is authenticate-only permissions. But the other is confusion with MediaWiki OAuth between "authorize" OAuth flow and "authenticate" OAuth flow. In "authorize" the user should be prompted with a dialog to confirm the permissions. But in "authenticate" they should not be if they have confirmed the permissions in the past, and the same permissions are being requested. Then the user is just redirected through the flow, which makes it feel like they stayed on the original site the whole time.

Feb 6 2015, 12:35 AM · Reading-Infrastructure-Team-Old (Don't use), MediaWiki-extensions-OAuth

Dec 15 2014

Mitar added a comment to T78223: Attempt to login into Phabricator fails with a 503 Service Unavailable error.

Was this now deployed or reverted back? Was the schema applied?

Dec 15 2014, 1:21 PM · Operations, Schema-change, MediaWiki-extensions-OAuth, Phabricator

Dec 13 2014

Mitar added a comment to T78463: RCStream: Upgrade server protocol to socket.io v1.

Latest socket.io-client is currently 1.2.1. So 0.9.17 is quite old. :-)

Dec 13 2014, 8:26 AM · Wikimedia-Stream
Mitar created T78463: RCStream: Upgrade server protocol to socket.io v1.
Dec 13 2014, 8:24 AM · Wikimedia-Stream

Dec 10 2014

Mitar committed rEOAU489f34f72603: Allow adding custom parameters to the callback for OAuth. (authored by Mitar).
Dec 10 2014, 8:30 PM
Mitar committed rEOAU7aaf835205e5: Really fail if OAuth request source IP is invalid. (authored by Mitar).
Dec 10 2014, 5:33 PM
Mitar committed rEOAU569980f8596d: PHP 5.4 compatibility. (authored by Mitar).
Dec 10 2014, 5:33 PM