Write API should be restricted to logged-in users only


Max Semenik
API is intended for bots, not humans. Making it accept anon edits just
allows bots to edit accidentally logged off. And the AssertEdit
extension doesn't seem to work for API. What can be done about this?

Simply adding an AlternateEdit hook call to ApiEditPage leads to ugly
HTML output.

--
  Max Semenik ([[User:MaxSem]])


_______________________________________________
Mediawiki-api mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-api
Re: Write API should be restricted to logged-in users only

Victor Vasiliev
Max Semenik managed to write:
> API is intended for bots, not humans. Making it accept anon edits just
> allows bots to edit accidentally logged off. And the AssertEdit
> extension doesn't seem to work for API. What can be done about this?
>
> Simply adding an AlternateEdit hook call to ApiEditPage leads to ugly
> HTML output.
>
>  
I thought about assertions in API. I'll add them this week.
--VasilievVV

Re: Write API should be restricted to logged-in users only

Max Semenik
On 25.05.2008, 10:52 VasilievVV wrote:

> Max Semenik managed to write:
>> API is intended for bots, not humans. Making it accept anon edits just
>> allows bots to edit accidentally logged off. And the AssertEdit
>> extension doesn't seem to work for API. What can be done about this?
>>
>> Simply adding an AlternateEdit hook call to ApiEditPage leads to ugly
>> HTML output.
>>
>>  
> I thought about assertions in API. I'll add them this week.
> --VasilievVV

This hook was implemented by Bryan Tong Minh in 35294[1], and in
conjunction with AssertEdit it leads, as I warned, to AssertEdit
attempting to display a HTML error page and choking with
"Fatal error: Call to a member function getPrefixedText() on a
non-object in C:\Projects\MediaWiki\includes\OutputPage.php on line
1314" instead of proper XML output. I suppose that other extensions
that don't expect to be called from API may exhibit the same
behaviour.

----
[1] http://svn.wikimedia.org/viewvc/mediawiki?view=rev&revision=35294

--
Best regards,
  Max Semenik ([[User:MaxSem]])


Re: Write API should be restricted to logged-in users only

Bryan Tong Minh
On Sun, May 25, 2008 at 11:48 AM, Max Semenik <[hidden email]> wrote:

> On 25.05.2008, 10:52 VasilievVV wrote:
>
>> Max Semenik managed to write:
>>> API is intended for bots, not humans. Making it accept anon edits just
>>> allows bots to edit accidentally logged off. And the AssertEdit
>>> extension doesn't seem to work for API. What can be done about this?
>>>
>>> Simply adding an AlternateEdit hook call to ApiEditPage leads to ugly
>>> HTML output.
>>>
>>>
>> I thought about assertions in API. I'll add them this week.
>> --VasilievVV
>
> This hook was implemented by Bryan Tong Minh in 35294[1], and in
> conjunction with AssertEdit it leads, as I warned, to AssertEdit
> attempting to display a HTML error page and choking with
> "Fatal error: Call to a member function getPrefixedText() on a
> non-object in C:\Projects\MediaWiki\includes\OutputPage.php on line
> 1314" instead of proper XML output. I suppose that other extensions
> that don't expect to be called from API may exhibit the same
> behaviour.
>
> ----
> [1] http://svn.wikimedia.org/viewvc/mediawiki?view=rev&revision=35294
>
> --
> Best regards,
>  Max Semenik ([[User:MaxSem]])
>
>
> _______________________________________________
> Mediawiki-api mailing list
> [hidden email]
> https://lists.wikimedia.org/mailman/listinfo/mediawiki-api
>
I think I added that hook in the wrong place. It should probably be
somewhere after the title has been set.

Bryan

Re: Write API should be restricted to logged-in users only

Bryan Tong Minh
On Sun, May 25, 2008 at 6:53 PM, Bryan Tong Minh
<[hidden email]> wrote:

> On Sun, May 25, 2008 at 11:48 AM, Max Semenik <[hidden email]> wrote:
>> On 25.05.2008, 10:52 VasilievVV wrote:
>>
>>> Max Semenik managed to write:
>>>> API is intended for bots, not humans. Making it accept anon edits just
>>>> allows bots to edit accidentally logged off. And the AssertEdit
>>>> extension doesn't seem to work for API. What can be done about this?
>>>>
>>>> Simply adding an AlternateEdit hook call to ApiEditPage leads to ugly
>>>> HTML output.
>>>>
>>>>
>>> I thought about assertions in API. I'll add them this week.
>>> --VasilievVV
>>
>> This hook was implemented by Bryan Tong Minh in 35294[1], and in
>> conjunction with AssertEdit it leads, as I warned, to AssertEdit
>> attempting to display a HTML error page and choking with
>> "Fatal error: Call to a member function getPrefixedText() on a
>> non-object in C:\Projects\MediaWiki\includes\OutputPage.php on line
>> 1314" instead of proper XML output. I suppose that other extensions
>> that don't expect to be called from API may exhibit the same
>> behaviour.
>>
>> ----
>> [1] http://svn.wikimedia.org/viewvc/mediawiki?view=rev&revision=35294
>>
>> --
>> Best regards,
>>  Max Semenik ([[User:MaxSem]])
>>
>>
>> _______________________________________________
>> Mediawiki-api mailing list
>> [hidden email]
>> https://lists.wikimedia.org/mailman/listinfo/mediawiki-api
>>
> I think I added that hook in the wrong place. It should probably be
> somewhere after the title has been set.
>
> Bryan
>
...or not. It appears that the error occurs because $wgTitle is not
set. It should probably be set to something sensible or $wgOut should
be set to a fake object that does nothing.

Bryan

Re: Write API should be restricted to logged-in users only

Max Semenik
On 25.05.2008, 22:20 Bryan wrote:

>>>> I think I added that hook in the wrong place. It should probably be
>>>> somewhere after the title has been set.
>>>>
>>>> Bryan
>>>>
>>> ...or not. It appears that the error occurs because $wgTitle is not
>>> set. It should probably be set to something sensible or $wgOut should
>>> be set to a fake object that does nothing.
>>
>>> Bryan
>>
>> Probably, something like FauxOutputPage should really be made, but it
>> would add extra time to load it and actual OutputPage from which it
>> will inherit. So my proposed patch modifies AssertEdit's behaviour to
>> depend on entry point and not to output anything if it's called from
>> API.
>>
>> --
>> Best regards,
>>  Max Semenik ([[User:MaxSem]])
>>
>>

> Thanks for the patch, but I don't really like how it depends on
> $GLOBAL['processor'] to check whether we are running through the api.
> There should be a more sane way to detect runnage via the API and if
> there is not, it really should be made.

> Bryan

How about define( 'API' ); in api.php just before constructing
ApiMain?

--
Best regards,
  Max Semenik ([[User:MaxSem]])


Re: Write API should be restricted to logged-in users only

Roan Kattouw
In reply to this post by Bryan Tong Minh
Bryan Tong Minh wrote:
> ...or not. It appears that the error occurs because $wgTitle is not
> set. It should probably be set to something sensible or $wgOut should
> be set to a fake object that does nothing.
>
>  
$wgOut->disable(); in api.php should work.

Roan Kattouw (Catrope)

Re: Write API should be restricted to logged-in users only

Roan Kattouw
In reply to this post by Max Semenik
Max Semenik wrote:
>
> How about define( 'API' ); in api.php just before constructing
> ApiMain?
>  
Should also be done.

About this whole hooks in the API thing: the problem with the
AlternateEdit hook is that it's used to provide an alternate edit form.
It's a UI-oriented hook, which is exactly why it *shouldn't* be run from
the API. IMO the best way to do all this is to create brand new hooks
such as APIEditBeforeSave, which extensions can use to override the
result (ConfirmEdit does this already). Hooks in lower-level codepaths
(such as Title::moveTo()) preferably shouldn't be able to do anything
UI-related. I'll investigate which hooks are currently run on write API
requests, and post a proposal as to what to do about them at wikitech-l.

Roan Kattouw (Catrope)

Re: Write API should be restricted to logged-in users only

Sergey Chernyshev-4
In reply to this post by Max Semenik
Please correct me if I'm wrong, but I don't think it's a good idea to assume that the API is only for bots - after all, a bot can use the API on behalf of the user and use their credentials (or lack of them). The API definitely has a JSON implementation and can be used in GUI elements that are available to users as much as for bots.

           Sergey


--
Sergey Chernyshev
http://www.sergeychernyshev.com/

On Sat, May 24, 2008 at 4:21 PM, Max Semenik <[hidden email]> wrote:
> API is intended for bots, not humans. Making it accept anon edits just
> allows bots to edit accidentally logged off. And the AssertEdit
> extension doesn't seem to work for API. What can be done about this?
>
> Simply adding an AlternateEdit hook call to ApiEditPage leads to ugly
> HTML output.
>
> --
>  Max Semenik ([[User:MaxSem]])

Re: Write API should be restricted to logged-in users only

Roan Kattouw
Sergey Chernyshev wrote:
> Please correct me if I'm wrong, but I don't think it's a good idea to
> assume that the API is only for bots - after all, a bot can use the API
> on behalf of the user and use their credentials (or lack of them). The
> API definitely has a JSON implementation and can be used in GUI elements
> that are available to users as much as for bots.
Exactly. It should also be considered that just because *we* think
something is stupid or useless, a wiki admin may disagree. I'm gonna add
the 'writeapi' right right now.

Roan Kattouw (Catrope)
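
An added example, not part of the thread or of MediaWiki's own code: a bot-side guard against the problem the thread opens with, a bot writing through the API after it has silently lost its login. It assumes the `assert` request parameter and the `assertuserfailed` / `assertbotfailed` error codes of the MediaWiki core action API, which are not stated in the thread; the function names and sample responses are constructed for illustration.

```python
import json

# Error codes the MediaWiki action API returns when an `assert` check fails.
ASSERT_FAILURES = {"assertuserfailed", "assertbotfailed"}


class LoggedOutError(RuntimeError):
    """The wiki no longer treats this session as logged in."""


def session_is_logged_in(userinfo_json: str) -> bool:
    """Interpret the body of an action=query&meta=userinfo response."""
    info = json.loads(userinfo_json)["query"]["userinfo"]
    # Anonymous sessions have user id 0 and carry an "anon" key.
    return info.get("id", 0) != 0 and "anon" not in info


def build_edit_request(title: str, text: str, token: str, bot: bool = False) -> dict:
    """Parameters for action=edit that make the server refuse an anonymous write."""
    return {
        "action": "edit",
        "format": "json",
        "title": title,
        "text": text,
        # Server-side check: fail the request instead of saving as an IP user.
        "assert": "bot" if bot else "user",
        "token": token,
    }


def check_edit_response(body: str) -> str:
    """Return the edit result, or raise if the write was refused."""
    reply = json.loads(body)
    error = reply.get("error")
    if error:
        if error.get("code") in ASSERT_FAILURES:
            # Stop the run and log in again; retrying would repeat the failure.
            raise LoggedOutError(error.get("info", "assertion failed"))
        raise RuntimeError(f"API error: {error.get('code')}")
    return reply["edit"]["result"]


# Constructed sample responses (not captured from a real wiki).
ANON_USERINFO = '{"query": {"userinfo": {"id": 0, "name": "192.0.2.7", "anon": ""}}}'
USER_USERINFO = '{"query": {"userinfo": {"id": 4211, "name": "ExampleBot"}}}'
ASSERT_FAILED = '{"error": {"code": "assertuserfailed", "info": "Not logged in."}}'
EDIT_OK = '{"edit": {"result": "Success", "title": "Sandbox"}}'
```

The client-side `session_is_logged_in` check alone leaves a window between the check and the write; the `assert` parameter closes it because the server evaluates it as part of the edit request itself.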
