Last modified: 2013-12-20 21:03:09 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T60731, the corresponding Phabricator task for complete and up-to-date bug report information.
First Last Prev Next    This bug is not in your last search results.
Bug 58731 - getOAuthAccessToken() should check title before invoking isSpecial()
getOAuthAccessToken() should check title before invoking isSpecial()
Status: NEW
Product: MediaWiki extensions
Classification: Unclassified
OAuth (Other open bugs)
master
All All
: Unprioritized normal (vote)
: ---
Assigned To: Nobody - You can work on this!
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2013-12-20 06:06 UTC by spage
Modified: 2013-12-20 21:03 UTC (History)
4 users (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description spage 2013-12-20 06:06:16 UTC 
The fatal stack trace in Bug 58705 suggests that calling  $wgLang->getDir() to determine RTL direction can trigger establishing a user, which can run the UserLoadFromSession hook, in response OAuth's getOAuthAccessToken() calls $title->isSpecial()... which crashes with "Fatal error: Call to a member function isSpecial() on a non-object" because if you do this early enough,  RequestContext::getMain() ->getTitle() doesn't return a title object.

Bug 58380 ended up at the same fatal  It seems there enough ways this could fail that the getOAuthAccessToken() function should guard against it.
Comment 1 Brad Jorsch 2013-12-20 17:02:28 UTC 
Note that "check the title" means either "throw an MWException" or "figure out a way to do this same check that doesn't involve RequestContext::getMain()->getTitle() at all". Suggestions welcome.

Both of the fatals so far were caused by other extensions trying to access the User object from $wgExtensionHooks, which now has documentation saying not to do that.
Comment 2 Chris Steipp 2013-12-20 17:54:40 UTC 
Thanks for opening the bug S. I've been trying to think of a better way to do this for a while.

Brad, should onUserLoadFromSession check if this is an api call, and only fill the user object if so? Then we can skip the check if it's a special page.
Comment 3 Brad Jorsch 2013-12-20 18:19:01 UTC 
It *could*, I suppose. I think it's nice that OAuth can work for the whole site and not just the API though.
Comment 4 Chris Steipp 2013-12-20 21:03:09 UTC 
Fixing 41201 would be even better.
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.

Navigation
Links