dbarratt (David Barratt)
Software Engineer, Anti-Harassment Tools

User Details

User Since: May 30 2017, 9:17 PM (123 w, 6 d)
Availability: Available
IRC Nick: davidwbarratt
LDAP User: Dbarratt
MediaWiki User: DBarratt (WMF) [ Global Accounts ]

Recent Activity

Today

dbarratt moved T200938: Special:CentralAuth should provide the same blocking information as Special:BlockList does from Review to In Progress on the Anti-Harassment (The Letter Song) board.
Mon, Oct 14, 5:23 PM · Core Platform Team Workboards (Clinic Duty Team), Anti-Harassment (The Letter Song), Patch-For-Review, MediaWiki-extensions-CentralAuth, Stewards-and-global-tools, MediaWiki-User-management
dbarratt added a comment to T200938: Special:CentralAuth should provide the same blocking information as Special:BlockList does.

@Niharika We've run into several edge cases regarding localization of foreign namespaces. Even "common" namespaces can have issues (for instance, Project namespace may be overridden on different languages). @Tchanders and I would like to propose a new solution: Instead of listing the pages and namespaces, we'll instead say "3 pages" or "2 namespaces" and that text will link to the Special:BlockList on the local wiki. Then, if we'd like to expand that list later, we can do so with T226651 which will make client-side API requests to get the localized pages and namespaces. How does that sound?

Mon, Oct 14, 5:23 PM · Core Platform Team Workboards (Clinic Duty Team), Anti-Harassment (The Letter Song), Patch-For-Review, MediaWiki-extensions-CentralAuth, Stewards-and-global-tools, MediaWiki-User-management
dbarratt updated the task description for T235389: IP Address ranges (CIDR) are stored as strings and cannot be queried.
Mon, Oct 14, 1:27 PM · MediaWiki-extensions-WikibaseRepository, Wikidata
dbarratt updated the task description for T235389: IP Address ranges (CIDR) are stored as strings and cannot be queried.
Mon, Oct 14, 1:26 PM · MediaWiki-extensions-WikibaseRepository, Wikidata
dbarratt added a comment to T235389: IP Address ranges (CIDR) are stored as strings and cannot be queried.

I don’t understand what this means. What kind of access are you talking about? Because the Query Service can’t be accessed from wikitext (parser functions or lua) either.

Mon, Oct 14, 1:24 PM · MediaWiki-extensions-WikibaseRepository, Wikidata

Yesterday

dbarratt added a comment to T235391: Provide means to tag some query as sensitive.

I feel like it would be somewhat difficult to correlate Wikidata-Query-Service usage with CheckUser usage, how would you go about doing that (especially if a tool existed for anyone to do a reverse-lookup of any IP address with the same type of query)?

Sun, Oct 13, 6:27 PM · Wikidata-Query-Service, Wikidata
dbarratt added a comment to T235389: IP Address ranges (CIDR) are stored as strings and cannot be queried.

Again, MW has functionality for doing this conversion, splitting, reformatting etc. You could store a start, store an end of the range like we do elsewhere for ranges. Wikibase stores most things in json blobs, so not like we're going to need schema changes, and storing a couple of extra fields for a property that aren't that widely used... Doesn't seem like a storage consideration we really need to care about

Sun, Oct 13, 5:49 PM · MediaWiki-extensions-WikibaseRepository, Wikidata
dbarratt added a comment to T235389: IP Address ranges (CIDR) are stored as strings and cannot be queried.

Not really, and MW has functionality for telling you that. Wikibase could expose/use that

Sun, Oct 13, 5:40 PM · MediaWiki-extensions-WikibaseRepository, Wikidata
dbarratt updated the task description for T235389: IP Address ranges (CIDR) are stored as strings and cannot be queried.
Sun, Oct 13, 4:45 PM · MediaWiki-extensions-WikibaseRepository, Wikidata
dbarratt updated the task description for T235389: IP Address ranges (CIDR) are stored as strings and cannot be queried.
Sun, Oct 13, 4:38 PM · MediaWiki-extensions-WikibaseRepository, Wikidata
dbarratt added a parent task for T235389: IP Address ranges (CIDR) are stored as strings and cannot be queried: T91505: [Epic] Adding new datatypes to Wikidata (tracking).
Sun, Oct 13, 4:37 PM · MediaWiki-extensions-WikibaseRepository, Wikidata
dbarratt added a subtask for T91505: [Epic] Adding new datatypes to Wikidata (tracking): T235389: IP Address ranges (CIDR) are stored as strings and cannot be queried.
Sun, Oct 13, 4:37 PM · Outreach-Programs-Projects, Epic, Tracking-Neverending, MediaWiki-extensions-WikibaseRepository, Wikidata
dbarratt created T235389: IP Address ranges (CIDR) are stored as strings and cannot be queried.
Sun, Oct 13, 4:35 PM · MediaWiki-extensions-WikibaseRepository, Wikidata

Sat, Oct 12

dbarratt added a comment to T228950: Replace UserIsHidden with GetUserBlock in CentralAuth.

@Tchanders & @Niharika when the UI says: "global users list" is that just Special:GlobalUsers ? If so, it looks like GlobalUsersPager::getQueryInfo to ensure that only users who are not hidden in any way are shown:

$conds = [ 'gu_hidden' => CentralAuthUser::HIDDEN_NONE ];

or are we talking about some other page?

Sat, Oct 12, 5:00 PM · Patch-For-Review, MW-1.34-notes (1.34.0-wmf.21; 2019-09-03), Anti-Harassment (The Letter Song), MediaWiki-extensions-CentralAuth
dbarratt added a comment to T226995: Replace Redux with useReducer() & Redux Observable with useEffect().

@dbarratt Are you still working on this task? We could drop it from the board, otherwise. I'd rather wrap up blocks and get started with CU now.

Sat, Oct 12, 1:25 PM · Anti-Harassment (The Letter Song), InteractionTimeline
dbarratt claimed T228950: Replace UserIsHidden with GetUserBlock in CentralAuth.
Sat, Oct 12, 2:42 AM · Patch-For-Review, MW-1.34-notes (1.34.0-wmf.21; 2019-09-03), Anti-Harassment (The Letter Song), MediaWiki-extensions-CentralAuth
dbarratt moved T228950: Replace UserIsHidden with GetUserBlock in CentralAuth from QA/Testing to In Progress on the Anti-Harassment (The Letter Song) board.

@Niharika there is an open question from @Tchanders, I think we talked about it but didn't come to a resolution:

With this change, the account is no longer hidden when an admin chooses "Account is hidden from the global users list" in Special:CentralAuth.
If we wanted to allow a user to be hidden but not blocked, we'd need to reintroduce something like the UserIsHidden hook, and set the mHideName flag directly on the User, without setting a block.
I don't think we should do that - the fact that a user cannot now be hidden without a block is not a regression, but an intended consequence of deprecating the UserIsHidden hook (explained in T228948).

https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CentralAuth/+/534849#message-4ea3c3988f99592353e78565ede94973db385139

Sat, Oct 12, 2:41 AM · Patch-For-Review, MW-1.34-notes (1.34.0-wmf.21; 2019-09-03), Anti-Harassment (The Letter Song), MediaWiki-extensions-CentralAuth
dbarratt moved T230616: Upgrade node.js to v10 from Review to QA/Testing on the Anti-Harassment (The Letter Song) board.

I went ahead and merged this, giving @dom_walden an opportunity to QA (if you want it). :)

Sat, Oct 12, 2:00 AM · InteractionTimeline, Anti-Harassment (The Letter Song)
dbarratt updated subscribers of T188435: Bring consistency to visual design of Interaction Timeline.

This looks good to me so I've merged it, I can deploy it whenever, but wanted to give @dom_walden an opportunity to QA (if you want) before deployment. :)

Sat, Oct 12, 1:50 AM · Anti-Harassment (The Letter Song), Readers-Web-Backlog (Design), InteractionTimeline, Design
dbarratt moved T188435: Bring consistency to visual design of Interaction Timeline from Review to QA/Testing on the Anti-Harassment (The Letter Song) board.
Sat, Oct 12, 1:49 AM · Anti-Harassment (The Letter Song), Readers-Web-Backlog (Design), InteractionTimeline, Design
dbarratt added a comment to T188435: Bring consistency to visual design of Interaction Timeline.

https://github.com/wikimedia/InteractionTimeline/pull/115

Sat, Oct 12, 1:41 AM · Anti-Harassment (The Letter Song), Readers-Web-Backlog (Design), InteractionTimeline, Design

Fri, Oct 11

dbarratt moved T200938: Special:CentralAuth should provide the same blocking information as Special:BlockList does from In Progress to Review on the Anti-Harassment (The Letter Song) board.
Fri, Oct 11, 9:16 PM · Core Platform Team Workboards (Clinic Duty Team), Anti-Harassment (The Letter Song), Patch-For-Review, MediaWiki-extensions-CentralAuth, Stewards-and-global-tools, MediaWiki-User-management

Thu, Oct 10

dbarratt edited projects for T233597: Refactor ApiMain to use OutputPage::sendCacheControl, added: MediaWiki-API; removed Anti-Harassment (The Letter Song).
Thu, Oct 10, 3:08 PM · Core Platform Team Workboards (Clinic Duty Team), Patch-For-Review, MediaWiki-API

Wed, Oct 9

dbarratt moved T233595: Clear block cookie when tracking block, not when checking block from Review to QA/Testing on the Anti-Harassment (The Letter Song) board.
Wed, Oct 9, 10:20 PM · MW-1.35-notes (1.35.0-wmf.2; 2019-10-15), MediaWiki-User-management, Anti-Harassment (The Letter Song)
dbarratt added a comment to T6845: CAPTCHA doesn't work for people with visual impairments.

I'm diving on this grenade until or unless someone else takes it over. I'm very interested in using our Captcha system for doing micro-curation tasks (both for visual and non-visual contributions), either for training machine-learning models, or for more heuristic one-off projects. I'll try to get more educated on the topic, and hopefully give more information in the coming weeks.

Wed, Oct 9, 1:56 PM · Security, WCAG-Level-A, Security-Extensions, Design, Accessibility, ConfirmEdit (CAPTCHA extension)
dbarratt added a comment to T233595: Clear block cookie when tracking block, not when checking block.

Thanks for the explanation, @dbarratt and @Tchanders. Is there a reason we want to change the existing behavior (hard 24 hours expiry)?

Wed, Oct 9, 2:01 AM · MW-1.35-notes (1.35.0-wmf.2; 2019-10-15), MediaWiki-User-management, Anti-Harassment (The Letter Song)
dbarratt updated the task description for T196575: Add block cookie for browser-based API edits (including VisualEditor & MobileFrontend).
Wed, Oct 9, 1:23 AM · MW-1.35-notes (1.35.0-wmf.2; 2019-10-15), Core Platform Team Workboards (Clinic Duty Team), Patch-For-Review, Anti-Harassment (The Letter Song), MediaWiki-User-management

Tue, Oct 8

dbarratt updated subscribers of T233595: Clear block cookie when tracking block, not when checking block.

Follow up from https://gerrit.wikimedia.org/r/c/mediawiki/core/+/537099/1/includes/block/BlockManager.php#467

Tue, Oct 8, 10:46 PM · MW-1.35-notes (1.35.0-wmf.2; 2019-10-15), MediaWiki-User-management, Anti-Harassment (The Letter Song)
dbarratt moved T227174: Improve the consistency of block error notices from Review to QA/Testing on the Anti-Harassment (The Letter Song) board.
Tue, Oct 8, 7:58 PM · MW-1.35-notes (1.35.0-wmf.2; 2019-10-15), Anti-Harassment (The Letter Song), MediaWiki-User-management
dbarratt updated subscribers of T233594: Allow cookie-block tracking from any uncached web request.

It looks like instances of RedirectSpecialPage and ActionRaw are not getting the block cookies. For RedirectSpecialPage I'm not sure this is an issue because the user will get the cookies after the redirect is complete. For ActionRaw it looks like it sets its own headers rather than using OutputPage, perhaps a new task should be created for one or both of these issues.

Tue, Oct 8, 5:50 PM · Performance-Team (Radar), MW-1.35-notes (1.35.0-wmf.1; 2019-10-08), Core Platform Team Workboards (Clinic Duty Team), MediaWiki-User-management, Anti-Harassment (The Letter Song)
dbarratt added a comment to T233594: Allow cookie-block tracking from any uncached web request.

For logged in users with autoblocks against their accounts

Tue, Oct 8, 3:21 PM · Performance-Team (Radar), MW-1.35-notes (1.35.0-wmf.1; 2019-10-08), Core Platform Team Workboards (Clinic Duty Team), MediaWiki-User-management, Anti-Harassment (The Letter Song)
dbarratt added a comment to T234765: Broken docker images?.

I followed the docker hub install method which is the "Using on a single web server" method, also sort of related mediawiki log errors don't/won't propagate out from the container (even when setting logfile to /dev/stdout) making debugging this really really hard

Tue, Oct 8, 1:21 PM · MediaWiki-Docker
dbarratt added a comment to T234765: Broken docker images?.

I added a step on using Composer to download the PHP dependencies (if that is what the problem is): https://www.mediawiki.org/wiki/Docker/Hub#Using_for_MediaWiki_Development

Tue, Oct 8, 4:02 AM · MediaWiki-Docker

Sun, Oct 6

dbarratt added a comment to T234765: Broken docker images?.

Which instruction did you follow? I just realized if it's the dev instructions I forgot to include that composer install needs to be run.

Sun, Oct 6, 8:54 PM · MediaWiki-Docker

Sat, Oct 5

dbarratt added a subtask for T196575: Add block cookie for browser-based API edits (including VisualEditor & MobileFrontend): T152462: Add cookie when blocking anonymous users.
Sat, Oct 5, 3:36 PM · MW-1.35-notes (1.35.0-wmf.2; 2019-10-15), Core Platform Team Workboards (Clinic Duty Team), Patch-For-Review, Anti-Harassment (The Letter Song), MediaWiki-User-management
dbarratt added a parent task for T152462: Add cookie when blocking anonymous users: T196575: Add block cookie for browser-based API edits (including VisualEditor & MobileFrontend).
Sat, Oct 5, 3:36 PM · MW-1.32-notes (WMF-deploy-2018-05-29 (1.32.0-wmf.6)), Anti-Harassment (AHT Sprint 21/22), Patch-For-Review, Trust-and-Safety, MediaWiki-User-management
dbarratt removed a subtask for T152462: Add cookie when blocking anonymous users: T196575: Add block cookie for browser-based API edits (including VisualEditor & MobileFrontend).
Sat, Oct 5, 3:35 PM · MW-1.32-notes (WMF-deploy-2018-05-29 (1.32.0-wmf.6)), Anti-Harassment (AHT Sprint 21/22), Patch-For-Review, Trust-and-Safety, MediaWiki-User-management
dbarratt removed a parent task for T196575: Add block cookie for browser-based API edits (including VisualEditor & MobileFrontend): T152462: Add cookie when blocking anonymous users.
Sat, Oct 5, 3:35 PM · MW-1.35-notes (1.35.0-wmf.2; 2019-10-15), Core Platform Team Workboards (Clinic Duty Team), Patch-For-Review, Anti-Harassment (The Letter Song), MediaWiki-User-management
dbarratt added a parent task for T196575: Add block cookie for browser-based API edits (including VisualEditor & MobileFrontend): T233597: Refactor ApiMain to use OutputPage::sendCacheControl.
Sat, Oct 5, 3:34 PM · MW-1.35-notes (1.35.0-wmf.2; 2019-10-15), Core Platform Team Workboards (Clinic Duty Team), Patch-For-Review, Anti-Harassment (The Letter Song), MediaWiki-User-management
dbarratt added a subtask for T233597: Refactor ApiMain to use OutputPage::sendCacheControl: T196575: Add block cookie for browser-based API edits (including VisualEditor & MobileFrontend).
Sat, Oct 5, 3:33 PM · Core Platform Team Workboards (Clinic Duty Team), Patch-For-Review, MediaWiki-API
dbarratt added a comment to T233595: Clear block cookie when tracking block, not when checking block.

@Tchanders Is there a patch for this? (sorry I went to this in the opposite direction)

Sat, Oct 5, 4:26 AM · MW-1.35-notes (1.35.0-wmf.2; 2019-10-15), MediaWiki-User-management, Anti-Harassment (The Letter Song)
dbarratt moved T233597: Refactor ApiMain to use OutputPage::sendCacheControl from Review to In Progress on the Anti-Harassment (The Letter Song) board.
Sat, Oct 5, 4:24 AM · Core Platform Team Workboards (Clinic Duty Team), Patch-For-Review, MediaWiki-API

Fri, Oct 4

dbarratt added a comment to T231577: Deploy Special:Mute features.

@dbarratt This task is more like a "rolling task" for deploying Special:Mute everywhere. It is only on betas and testwiki for now.

Fri, Oct 4, 7:42 PM · Anti-Harassment (The Letter Song), Epic

Wed, Oct 2

dbarratt closed T231577: Deploy Special:Mute features as Resolved.
Wed, Oct 2, 7:55 PM · Anti-Harassment (The Letter Song), Epic

Tue, Oct 1

dbarratt moved T233594: Allow cookie-block tracking from any uncached web request from Review to QA/Testing on the Anti-Harassment (The Letter Song) board.
Tue, Oct 1, 11:09 PM · Performance-Team (Radar), MW-1.35-notes (1.35.0-wmf.1; 2019-10-08), Core Platform Team Workboards (Clinic Duty Team), MediaWiki-User-management, Anti-Harassment (The Letter Song)
dbarratt added a parent task for T233983: Add SQLite Schema: T234276: Install CheckUser on thegoodplace wiki.
Tue, Oct 1, 10:29 PM · Patch-For-Review, Anti-Harassment (The Letter Song), CheckUser
dbarratt added a subtask for T234276: Install CheckUser on thegoodplace wiki: T233983: Add SQLite Schema.
Tue, Oct 1, 10:29 PM · CheckUser, Anti-Harassment
dbarratt added a comment to T233595: Clear block cookie when tracking block, not when checking block.

Doesn't the cookie expire anyways?

Tue, Oct 1, 9:59 PM · MW-1.35-notes (1.35.0-wmf.2; 2019-10-15), MediaWiki-User-management, Anti-Harassment (The Letter Song)

Thu, Sep 26

dbarratt moved T233983: Add SQLite Schema from Ready to Review on the Anti-Harassment (The Letter Song) board.
Thu, Sep 26, 7:38 PM · Patch-For-Review, Anti-Harassment (The Letter Song), CheckUser
dbarratt updated the task description for T233983: Add SQLite Schema.
Thu, Sep 26, 7:37 PM · Patch-For-Review, Anti-Harassment (The Letter Song), CheckUser
dbarratt created T233983: Add SQLite Schema.
Thu, Sep 26, 7:37 PM · Patch-For-Review, Anti-Harassment (The Letter Song), CheckUser

Thu, Sep 19

dbarratt updated subscribers of T231943: Uncheck "Automatically block the last IP address" by default on Special:Block on officewiki.

I actually don't see why this option should even be available if you have $wgBlockDisablesLogin enabled.... I propose we disable the field completely... unless @Tchanders or @dmaza can think of a use case where autoblocks would be used under that condition?

Thu, Sep 19, 1:16 AM · Anti-Harassment, Patch-For-Review, User-DannyS712, MediaWiki-User-management, MediaWiki-Special-pages, Wikimedia-Site-requests, Office-IT
dbarratt added a project to T231943: Uncheck "Automatically block the last IP address" by default on Special:Block on officewiki: Anti-Harassment.
Thu, Sep 19, 1:10 AM · Anti-Harassment, Patch-For-Review, User-DannyS712, MediaWiki-User-management, MediaWiki-Special-pages, Wikimedia-Site-requests, Office-IT

Wed, Sep 18

dbarratt added a comment to T233209: Collapse Partial block options on Special:Block.

This seems like a duplicate of T217363 ?

Wed, Sep 18, 12:39 PM · Anti-Harassment, MediaWiki-User-management

Mon, Sep 16

dbarratt closed T228486: Partially blocked users cannot delete revisions as Resolved.
Mon, Sep 16, 5:29 PM · MW-1.34-notes (1.34.0-wmf.23; 2019-09-17), Core Platform Team Workboards (Clinic Duty Team), MediaWiki-API, Patch-For-Review, Anti-Harassment (The Letter Song), Technical-Debt, MediaWiki-User-management
dbarratt closed T228486: Partially blocked users cannot delete revisions, a subtask of T221682: Improve Block handling where User::isBlocked() was used previously, as Resolved.
Mon, Sep 16, 5:29 PM · Epic, Anti-Harassment (The Letter Song), Technical-Debt, MediaWiki-User-management
dbarratt closed T231919: Don't pass global request object into BlockManager::getUserBlock constructor as Resolved.
Mon, Sep 16, 5:29 PM · MW-1.34-notes (1.34.0-wmf.23; 2019-09-17), MediaWiki-User-management, Anti-Harassment (The Letter Song)
dbarratt closed T221682: Improve Block handling where User::isBlocked() was used previously as Resolved.
Mon, Sep 16, 4:33 PM · Epic, Anti-Harassment (The Letter Song), Technical-Debt, MediaWiki-User-management
dbarratt reopened T221682: Improve Block handling where User::isBlocked() was used previously as "Open".
Mon, Sep 16, 4:32 PM · Epic, Anti-Harassment (The Letter Song), Technical-Debt, MediaWiki-User-management
dbarratt closed T221682: Improve Block handling where User::isBlocked() was used previously as Resolved.
Mon, Sep 16, 4:32 PM · Epic, Anti-Harassment (The Letter Song), Technical-Debt, MediaWiki-User-management
dbarratt added a comment to T196575: Add block cookie for browser-based API edits (including VisualEditor & MobileFrontend).

Together with @Krinkle I'm currently trying to figure out how to make this kind of thing work without global state.

Mon, Sep 16, 3:42 PM · MW-1.35-notes (1.35.0-wmf.2; 2019-10-15), Core Platform Team Workboards (Clinic Duty Team), Patch-For-Review, Anti-Harassment (The Letter Song), MediaWiki-User-management
dbarratt moved T188435: Bring consistency to visual design of Interaction Timeline from Ready to Review on the Anti-Harassment (The Letter Song) board.
Mon, Sep 16, 2:50 PM · Anti-Harassment (The Letter Song), Readers-Web-Backlog (Design), InteractionTimeline, Design
dbarratt added a project to T188435: Bring consistency to visual design of Interaction Timeline: Anti-Harassment (The Letter Song).
Mon, Sep 16, 2:50 PM · Anti-Harassment (The Letter Song), Readers-Web-Backlog (Design), InteractionTimeline, Design

Sep 12 2019

dbarratt updated the task description for T232176: Enable cross-origin resource sharing (CORS) in Core REST API.
Sep 12 2019, 8:22 PM · Core Platform Team Workboards (Green), CPT Initiatives (Core REST API in PHP)
dbarratt added a comment to T232176: Enable cross-origin resource sharing (CORS) in Core REST API.

Also that would mean we'd be requiring registration for anyone to be able to use the REST API. Anons would be locked out.

Sep 12 2019, 7:39 PM · Core Platform Team Workboards (Green), CPT Initiatives (Core REST API in PHP)
dbarratt moved T196575: Add block cookie for browser-based API edits (including VisualEditor & MobileFrontend) from In Progress to Review on the Anti-Harassment (The Letter Song) board.
Sep 12 2019, 6:47 PM · MW-1.35-notes (1.35.0-wmf.2; 2019-10-15), Core Platform Team Workboards (Clinic Duty Team), Patch-For-Review, Anti-Harassment (The Letter Song), MediaWiki-User-management
dbarratt updated the task description for T232176: Enable cross-origin resource sharing (CORS) in Core REST API.
Sep 12 2019, 5:52 PM · Core Platform Team Workboards (Green), CPT Initiatives (Core REST API in PHP)
dbarratt added a comment to T232176: Enable cross-origin resource sharing (CORS) in Core REST API.

Errr.. ok, we would need Access-Control-Allow-Headers: Authorization :)

Sep 12 2019, 5:44 PM · Core Platform Team Workboards (Green), CPT Initiatives (Core REST API in PHP)
dbarratt added a comment to T232176: Enable cross-origin resource sharing (CORS) in Core REST API.

My reading of that, combined with "A CORS non-wildcard request-header name is a byte-case-insensitive match for Authorization." would be that allow-credential just affects browser managed credentials, and if you explicitly put Authorization in the allowed headers (must be explicit, it is not included with a wildcard), then you can override the value of the Authorization header.

Sep 12 2019, 5:33 PM · Core Platform Team Workboards (Green), CPT Initiatives (Core REST API in PHP)
dbarratt added a comment to T232176: Enable cross-origin resource sharing (CORS) in Core REST API.

But if your authentication is coming from an Authorization header, and no cookies are involved, the Access-Control-Allow-credentials would have no effect, as that only controls browser level credentials (cookies, TLS certs, http basic auth, etc)

Sep 12 2019, 5:15 PM · Core Platform Team Workboards (Green), CPT Initiatives (Core REST API in PHP)
dbarratt added a comment to T232176: Enable cross-origin resource sharing (CORS) in Core REST API.

So in this scenario, if we're using solely the authorization header and no cookies (and I presume using our own authorization header, not HTTP basic auth or anything like that), why would we need Access-Control-Allow-credentials?

Sep 12 2019, 5:09 PM · Core Platform Team Workboards (Green), CPT Initiatives (Core REST API in PHP)
dbarratt added a comment to T232176: Enable cross-origin resource sharing (CORS) in Core REST API.

I'm confused. Are you talking about setting Access-Control-Allow-Credentials: true when Access-Control-Allow-Origin: *. My reading of https://fetch.spec.whatwg.org/#cors-protocol-and-credentials is that that is banned in the spec.

Sep 12 2019, 4:47 PM · Core Platform Team Workboards (Green), CPT Initiatives (Core REST API in PHP)
dbarratt updated the task description for T232176: Enable cross-origin resource sharing (CORS) in Core REST API.
Sep 12 2019, 4:44 PM · Core Platform Team Workboards (Green), CPT Initiatives (Core REST API in PHP)
dbarratt added a comment to T232176: Enable cross-origin resource sharing (CORS) in Core REST API.

@Bawolff I realized above, that I was conflating two different things (storage of the sessions and how the session token is transmitted to the server). What I mean is this:

Sep 12 2019, 4:44 PM · Core Platform Team Workboards (Green), CPT Initiatives (Core REST API in PHP)
dbarratt added a comment to T232176: Enable cross-origin resource sharing (CORS) in Core REST API.

Ok, let me rephrase this in the context of this task...

Sep 12 2019, 4:24 PM · Core Platform Team Workboards (Green), CPT Initiatives (Core REST API in PHP)
dbarratt added a comment to T232692: Should MediaWiki stop storing sessions on the server?.

So what's the specific problem with regard to MediaWiki? Is this blocking something? Would it enable us to do something of particular value in our contexts here?

Sep 12 2019, 4:04 PM · MediaWiki-Authentication-and-authorization
dbarratt added a comment to T196575: Add block cookie for browser-based API edits (including VisualEditor & MobileFrontend).

That assumes all MW code paths are allowed to set cookies and that something else will take responsibility for disabling Cache-Control. I suspect neither is the case, but I haven't yet tried to confirm this.

Sep 12 2019, 3:14 PM · MW-1.35-notes (1.35.0-wmf.2; 2019-10-15), Core Platform Team Workboards (Clinic Duty Team), Patch-For-Review, Anti-Harassment (The Letter Song), MediaWiki-User-management
dbarratt added a comment to T232692: Should MediaWiki stop storing sessions on the server?.

The problem section doesn't explain what's problematic. It describes the current situation, where we keep sessions server-side and centralized. What's the problem with this approach?

Sep 12 2019, 2:08 PM · MediaWiki-Authentication-and-authorization
dbarratt updated the task description for T232692: Should MediaWiki stop storing sessions on the server?.
Sep 12 2019, 4:07 AM · MediaWiki-Authentication-and-authorization
dbarratt updated the task description for T232692: Should MediaWiki stop storing sessions on the server?.
Sep 12 2019, 3:56 AM · MediaWiki-Authentication-and-authorization
dbarratt updated the task description for T232692: Should MediaWiki stop storing sessions on the server?.
Sep 12 2019, 3:54 AM · MediaWiki-Authentication-and-authorization
dbarratt removed a project from T232692: Should MediaWiki stop storing sessions on the server?: MediaWiki-User-management.
Sep 12 2019, 3:14 AM · MediaWiki-Authentication-and-authorization
dbarratt added a comment to T232176: Enable cross-origin resource sharing (CORS) in Core REST API.

I created a task for discussing making MediaWiki unaware of the logged in status of its users: T232692

Sep 12 2019, 12:17 AM · Core Platform Team Workboards (Green), CPT Initiatives (Core REST API in PHP)
dbarratt created T232692: Should MediaWiki stop storing sessions on the server?.
Sep 12 2019, 12:16 AM · MediaWiki-Authentication-and-authorization
dbarratt closed T221444: Partially blocked users cannot tag revisions on unrelated pages, nor add, deactive or delete tags, a subtask of T221682: Improve Block handling where User::isBlocked() was used previously, as Resolved.
Sep 12 2019, 12:04 AM · Epic, Anti-Harassment (The Letter Song), Technical-Debt, MediaWiki-User-management
dbarratt closed T221444: Partially blocked users cannot tag revisions on unrelated pages, nor add, deactive or delete tags as Resolved.
Sep 12 2019, 12:04 AM · MW-1.34-notes (1.34.0-wmf.23; 2019-09-17), Core Platform Team Workboards (Clinic Duty Team), Anti-Harassment (The Letter Song), Patch-For-Review, MediaWiki-User-management, MediaWiki-Change-tagging

Sep 11 2019

dbarratt added a comment to T232176: Enable cross-origin resource sharing (CORS) in Core REST API.

If you don't vary on Origin, then what prevents a response to a request from a whitelisted origin (or a non-CORS request, for that matter) from being cached and served to a request from a non-whitelisted origin?

Sep 11 2019, 4:27 PM · Core Platform Team Workboards (Green), CPT Initiatives (Core REST API in PHP)
dbarratt moved T229035: Deprecate 'GetBlockedStatus' hook and reduce visibility of User::mBlock, User::mBlockedBy and User::mHideName from Review to In Progress on the Anti-Harassment (The Letter Song) board.
Sep 11 2019, 3:32 PM · MW-1.34-notes (1.34.0-wmf.23; 2019-09-17), Anti-Harassment (The Letter Song), Patch-For-Review, MediaWiki-User-management
dbarratt edited projects for T160233: Enable administrators to update block logs, added: Anti-Harassment; removed Anti-Harassment (The Letter Song).

I moved this onto the development board too eagerly. This needs product input from @Niharika. :)

Sep 11 2019, 3:30 PM · Anti-Harassment, Core Platform Team Workboards (Clinic Duty Team), Patch-For-Review, User-DannyS712, MediaWiki-Logging, MediaWiki-User-management, Community-Wishlist-Survey-2016
dbarratt closed T232004: NamespaceInfo::$canonicalNames is missing NS_MAIN as Resolved.
Sep 11 2019, 3:27 PM · MW-1.34-notes (1.34.0-wmf.22; 2019-09-10), Anti-Harassment (The Letter Song), MediaWiki-General
dbarratt closed T228539: Partially blocked users should not be prevented from using the importImages maintenance script as Resolved.
Sep 11 2019, 3:27 PM · MW-1.34-notes (1.34.0-wmf.22; 2019-09-10), Patch-For-Review, Epic, Anti-Harassment (The Letter Song), Technical-Debt, MediaWiki-User-management
dbarratt closed T228539: Partially blocked users should not be prevented from using the importImages maintenance script, a subtask of T221682: Improve Block handling where User::isBlocked() was used previously, as Resolved.
Sep 11 2019, 3:27 PM · Epic, Anti-Harassment (The Letter Song), Technical-Debt, MediaWiki-User-management
dbarratt updated the task description for T232176: Enable cross-origin resource sharing (CORS) in Core REST API.
Sep 11 2019, 3:01 PM · Core Platform Team Workboards (Green), CPT Initiatives (Core REST API in PHP)

Sep 10 2019

dbarratt added a comment to T232176: Enable cross-origin resource sharing (CORS) in Core REST API.

Related to CSRF tokens on stateless authentication: T126257

Sep 10 2019, 11:20 PM · Core Platform Team Workboards (Green), CPT Initiatives (Core REST API in PHP)
dbarratt added a comment to T232176: Enable cross-origin resource sharing (CORS) in Core REST API.

I don't know what "authentication profiles" means. I do know that the current plan seems to be for the core REST API to use the same SessionManager sessions as the rest of MediaWiki rather than trying to reinvent everything.

Sep 10 2019, 11:14 PM · Core Platform Team Workboards (Green), CPT Initiatives (Core REST API in PHP)

Sep 9 2019

dbarratt moved T196575: Add block cookie for browser-based API edits (including VisualEditor & MobileFrontend) from Review to In Progress on the Anti-Harassment (The Letter Song) board.
Sep 9 2019, 10:44 PM · MW-1.35-notes (1.35.0-wmf.2; 2019-10-15), Core Platform Team Workboards (Clinic Duty Team), Patch-For-Review, Anti-Harassment (The Letter Song), MediaWiki-User-management
dbarratt added a comment to T196575: Add block cookie for browser-based API edits (including VisualEditor & MobileFrontend).

Calling trackBlockWithCookie() as standard part of pre-shutdown on web requests

Sep 9 2019, 4:14 PM · MW-1.35-notes (1.35.0-wmf.2; 2019-10-15), Core Platform Team Workboards (Clinic Duty Team), Patch-For-Review, Anti-Harassment (The Letter Song), MediaWiki-User-management

Sep 6 2019

dbarratt added a comment to T222388: Create a mechanism for SpecialPages and API modules to have dependencies injected into them.

@Mainframe98 would you mind updating the task description? I don't think it reflects the solution you've implemented. :)

Sep 6 2019, 5:39 PM · MW-1.34-notes (1.34.0-wmf.23; 2019-09-17), Core Platform Team Workboards (Clinic Duty Team), Patch-For-Review, MediaWiki-ServiceContainer, MediaWiki-API, MediaWiki-Special-pages, TechCom, Technical-Debt
dbarratt added a comment to T232176: Enable cross-origin resource sharing (CORS) in Core REST API.

I created this task as per requested in https://www.mediawiki.org/wiki/Topic:V5y8azvepfpwyfdx

Sep 6 2019, 1:56 PM · Core Platform Team Workboards (Green), CPT Initiatives (Core REST API in PHP)
dbarratt renamed T232176: Enable cross-origin resource sharing (CORS) in Core REST API from Enable cross-origin resource sharing to Enable cross-origin resource sharing (CORS).
Sep 6 2019, 12:09 AM · Core Platform Team Workboards (Green), CPT Initiatives (Core REST API in PHP)