      request #27186 Cannot access MediaWiki as anonymous user
    Infos
    #27186
    Manuel Vacelet (vaceletm)
    2022-09-06 10:51
    2022-06-17 18:17
    28732
    Details
    Cannot access MediaWiki as anonymous user

    Tuleap platforms can be configured to be accessed by Anonymous users hence, MediaWiki should allow this configuration per instance.

As of today, when an anonymous user reaches a MW instance, they get redirected to the Tuleap login page.

| Platform | Project | User | Mediawiki |
|---|---|---|---|
| anonymous | Public | Anonymous | Access Granted |
| anonymous | Public | Authenticated | Access Granted |
| anonymous | Private | Anonymous | Prompt for login |
| anonymous | Private | Authenticated, not project member | Access Refused |
| anonymous | Private | Authenticated, project member | Access Granted |
| regular | Public | Anonymous | Prompt for login |
| regular | Public | Authenticated | Access Granted |
| regular | Private | Anonymous | Prompt for login |
| regular | Private | Authenticated, not project member | Access Refused |
| regular | Private | Authenticated, project member | Access Granted |
| restricted | Public including restricted | Anonymous | Prompt for login |
| restricted | Public including restricted | Restricted user | Access Granted |
| restricted | Public including restricted | Regular user | Access Granted |
| restricted | Public without restricted | Anonymous | Prompt for login |
| restricted | Public without restricted | Restricted user | Access Refused |
| restricted | Public without restricted | Regular user | Access Granted |
| restricted | Private with restricted | Anonymous | Prompt for login |
| restricted | Private with restricted | Restricted user, not project member | Access Refused |
| restricted | Private with restricted | Restricted user, project member | Access Granted |
| restricted | Private with restricted | Regular user, not project member | Access Refused |
| restricted | Private with restricted | Regular user, project member | Access Granted |
| restricted | Private without restricted | Anonymous | Prompt for login |
| restricted | Private without restricted | Restricted user | Access Refused |
| restricted | Private without restricted | Regular user, not project member | Access Refused |
| restricted | Private without restricted | Regular user, project member | Access Granted |
    Mediawiki Standalone
    Empty
    Empty
    • [ ] enhancement
    • [ ] internal improvement
    Robert Vogel (rvogel), Dejan Savuljesku (dsavuljesku)
    Stage
    Dejan Savuljesku (dsavuljesku)
    Closed
    2022-09-06
    Attachments
    Empty
    References

    Follow-ups

Follow-up:

    It seems that finally we have a working shape with gerrit #26486

| Platform | Project | User | Mediawiki | Results | Note |
|---|---|---|---|---|---|
| anonymous | Public | Anonymous | Access Granted (anonymous) | OK | |
| anonymous | Public | Authenticated | Access Granted | OK | |
| anonymous | Private | Anonymous | Prompt for login | OK | |
| anonymous | Private | Authenticated, not project member | Access Refused | OK | |
| anonymous | Private | Authenticated, project member | Access Granted | OK | |
| regular | Public | Anonymous | Prompt for login | OK | |
| regular | Public | Authenticated | Access Granted | OK | |
| regular | Private | Anonymous | Prompt for login | OK | |
| regular | Private | Authenticated, not project member | Access Refused | OK | |
| regular | Private | Authenticated, project member | Access Granted | OK | |
| restricted | Public including restricted | Anonymous | Prompt for login | OK | |
| restricted | Public including restricted | Restricted user | Access Granted | OK | |
| restricted | Public including restricted | Regular user | Access Granted | OK | |
| restricted | Public without restricted | Anonymous | Prompt for login | OK | |
| restricted | Public without restricted | Restricted user | Access Refused | OK | |
| restricted | Public without restricted | Regular user | Access Granted | OK | |
| restricted | Private with restricted | Anonymous | Prompt for login | OK | |
| restricted | Private with restricted | Restricted user, not project member | Access Refused | OK | |
| restricted | Private with restricted | Restricted user, project member | Access Granted | OK | |
| restricted | Private with restricted | Regular user, not project member | Access Refused | OK | |
| restricted | Private with restricted | Regular user, project member | Access Granted | OK | |
| restricted | Private without restricted | Anonymous | Prompt for login | OK | |
| restricted | Private without restricted | Restricted user | Access Refused | OK | |
| restricted | Private without restricted | Regular user, not project member | Access Refused | OK | |
| restricted | Private without restricted | Regular user, project member | Access Granted | OK | |
Follow-up:

Refactored the permission check functionality in the following way:

    • Removed all presets from MW side, all permission assignments done by mediawiki_standalone_permission endpoint.
    • On first access, if Tuleap says anon can read, allow them
    • If not ask for login
    • After login, if user can read allow them, if not, block them
    • After login, assign additional groups for writers and admins if allowed

    Change https://gerrit.wikimedia.org/r/c/mediawiki/extensions/TuleapIntegration/+/829164

The only configuration needed on the MW side is $GLOBALS['wgGroupPermissions']['*']['read'] = true; This is needed to prevent MW from doing its own "can user read" checks. We allow all to read, and then the integration will block access if needed.

Follow-up:

Test with https://gerrit.tuleap.net/c/tuleap/+/26486/7/plugins/mediawiki_standalone/additional-packages/mediawiki-extensions/composer.json -> "mediawiki/tuleap-integration": "dev-master#3cbed9085860cf5f41c35ec0f7064a55c414d69f"

| Platform | Project | User | Mediawiki | Results | Note |
|---|---|---|---|---|---|
| anonymous | Public | Anonymous | Access Granted | OK | |
| anonymous | Public | Authenticated | Access Granted | OK | |
| anonymous | Private | Anonymous | Prompt for login | OK | |
| anonymous | Private | Authenticated, not project member | Access Refused | Access Granted | MW doesn't take Tuleap permissions into account: { "permissions" : { "is_reader" : false , "is_writer" : false , "is_admin" : false , "is_bot" : false } } |
| anonymous | Private | Authenticated, project member | Access Granted | OK | |
| regular | Public | Anonymous | Prompt for login | OK | |
| regular | Public | Authenticated | Access Granted | OK | |
| regular | Private | Anonymous | Prompt for login | OK | |
| regular | Private | Authenticated, not project member | Access Refused | Access Granted | MW doesn't take Tuleap permissions into account: { "permissions" : { "is_reader" : false , "is_writer" : false , "is_admin" : false , "is_bot" : false } } |
| regular | Private | Authenticated, project member | Access Granted | OK | |
| restricted | Public including restricted | Anonymous | Prompt for login | OK | |
| restricted | Public including restricted | Restricted user | Access Granted | Access denied | Tuleap doesn't send the appropriate is_reader permission: { "permissions" : { "is_reader" : false , "is_writer" : false , "is_admin" : false , "is_bot" : false } } |
| restricted | Public including restricted | Regular user | Access Granted | OK | |
| restricted | Public without restricted | Anonymous | Prompt for login | OK | |
| restricted | Public without restricted | Restricted user | Access Refused | OK | |
| restricted | Public without restricted | Regular user | Access Granted | OK | |
| restricted | Private with restricted | Anonymous | Prompt for login | OK | |
| restricted | Private with restricted | Restricted user, not project member | Access Refused | OK | |
| restricted | Private with restricted | Restricted user, project member | Access Granted | OK | |
| restricted | Private with restricted | Regular user, not project member | Access Refused | OK | |
| restricted | Private with restricted | Regular user, project member | Access Granted | OK | |
| restricted | Private without restricted | Anonymous | Prompt for login | OK | |
| restricted | Private without restricted | Restricted user | Access Refused | OK | |
| restricted | Private without restricted | Regular user, not project member | Access Refused | OK | |
| restricted | Private without restricted | Regular user, project member | Access Granted | OK | |
Follow-up:

    Made additional fix, already merged in TuleapIntegration, ready for testing

    I have tested all combinations, all looks fine

Follow-up:

There is an issue with private projects. I updated the description with all the cases to be tested.

    At this point:

| Platform | Project | User | Mediawiki | Comment |
|---|---|---|---|---|
| anonymous | Public | Anonymous | Access Granted | Ok |
| anonymous | Public | Authenticated | Access Granted | Ok |
| anonymous | Private | Anonymous | Prompt for login | Nok: no prompt, exception |

Follow-up: Thomas Gerbet (tgerbet), 2022-08-23 12:06

    Hi,

We just tried this change with gerrit #26486 and it does not seem to work when wgTuleapAccessPreset is set to something other than anonymous. For example, if we set wgTuleapAccessPreset to regular, the OAuth2 flow is not started and the attempt to retrieve information from the Tuleap API does not end well since the user is supposed to be authenticated.

    2022-08-23 09:47:41 web plugin_mediawiki_120: [f891098965c4ebd259c8ebe5] /mediawiki/renamed-issue-007   GuzzleHttp\Exception\ClientException from line 113 of /usr/share/mediawiki-tuleap-flavor/vendor/guzzlehttp/guzzle/src/Exception/RequestException.php: Client error: `GET https://tuleap-web.tuleap-aio-dev.docker/api/projects/120/3rd_party_integration_data?currently_active_service=plugin_mediawiki_standalone` resulted in a `401 Unauthorized` response:
    {"error":{"code":401,"message":"Unauthorized"}}
    
    #0 /usr/share/mediawiki-tuleap-flavor/vendor/guzzlehttp/guzzle/src/Middleware.php(65): GuzzleHttp\Exception\RequestException::create()
    
Follow-up: Thomas Gerbet (tgerbet), 2022-07-27 12:02

> Regarding starting the OAuth2 flow always: I tried this, but if I set the project to "public" in Tuleap, the authorization url wouldn't redirect an anon user to the wiki, but show me a login form instead. Is there anything else to configure?

    Yes, you can ask the OAuth2 flow to not display the login form by setting the prompt parameter to none in the authorization URL. When the user is not authenticated on the Tuleap side it will be redirected immediately to the callback URL with the error code login_required (see the specification for more info on the auth request error).

    From that you will want to set prompt=none or not depending on the situation:

    • preset permissions allow anonymous users: start the OAuth2/OIDC flow with prompt=none, if you get an error code login_required continue as anonymous
• preset permissions do not allow anonymous users: start the OAuth2/OIDC flow without prompt=none (like it is currently done); if the auth request fails for some reason, always show the error page and maybe ask the users to try again
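The prompt=none rule above, combined with the check order from the "Refactored the permission check" follow-up (first access: serve anonymously only if Tuleap says anonymous can read, otherwise prompt for login; after login: refuse unless is_reader, then add groups for writers and admins), modelled in Python as an added example. This is not the TuleapIntegration extension's code; the OAuth2 base parameters, the MediaWiki group names and the sample payloads in the comments are assumptions or constructed.

```python
import json
from typing import Optional

# Outcomes of the access check described in the follow-ups (a model written
# for this note, not the TuleapIntegration extension's own code).
ANONYMOUS_READ, PROMPT_LOGIN, ERROR_PAGE = "serve as anonymous", "prompt for login", "show error page"
ACCESS_REFUSED, ACCESS_GRANTED = "access refused", "access granted"
# Assumed MediaWiki group names; the follow-up only says "additional groups".
WRITER_GROUP, ADMIN_GROUP = "editor", "sysop"


def parse_permissions(payload: Optional[str]) -> dict:
    """Parse the 'permissions' object of the 3rd_party_integration_data reply.
    A failed request (None), a malformed body or a non-boolean flag reads as
    False, so a 401 or garbage can never become a grant."""
    try:
        perms = json.loads(payload).get("permissions")
    except (TypeError, ValueError, AttributeError):
        perms = None
    if not isinstance(perms, dict):
        perms = {}
    return {k: perms.get(k) is True
            for k in ("is_reader", "is_writer", "is_admin", "is_bot")}


def auth_request_params(preset_allows_anonymous: bool) -> dict:
    """prompt=none only when the preset allows anonymous readers, so Tuleap
    answers the callback with error=login_required instead of a login form."""
    params = {"response_type": "code", "scope": "openid"}  # assumed base params
    if preset_allows_anonymous:
        params["prompt"] = "none"
    return params


def decide(preset_allows_anonymous: bool, auth_error: Optional[str],
           permissions_payload: Optional[str]) -> tuple:
    """auth_error: OAuth2 error code delivered to the callback (None = user
    authenticated). permissions_payload: body of the Tuleap API call made
    afterwards (as the anonymous identity after login_required)."""
    if auth_error == "login_required" and preset_allows_anonymous:
        if parse_permissions(permissions_payload)["is_reader"]:
            return (ANONYMOUS_READ, [])
        return (PROMPT_LOGIN, [])   # e.g. private project: rerun without prompt=none
    if auth_error is not None:
        return (ERROR_PAGE, [])     # any other auth failure never reaches a grant
    perms = parse_permissions(permissions_payload)
    if not perms["is_reader"]:
        return (ACCESS_REFUSED, [])  # authenticated but is_reader is false
    groups = ["user"]
    if perms["is_writer"]:
        groups.append(WRITER_GROUP)
    if perms["is_admin"]:
        groups.append(ADMIN_GROUP)
    return (ACCESS_GRANTED, groups)
```

The constructed payload with every flag false (the one quoted in the test table above) must end in a refusal for an authenticated user, and the 401 body from the log must end in a login prompt, not an exception.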
Follow-up: Robert Vogel (rvogel), 2022-07-18 18:01

    I have created https://gerrit.wikimedia.org/r/c/mediawiki/extensions/TuleapIntegration/+/814850

    But this is not exactly what you have proposed. It will load the sidebar also for unauthenticated users. But if a user logs in manually the data may not be updated properly. I need to do some more tests.

    Regarding starting the OAuth2 flow always: I tried this, but if I set the project to "public" in Tuleap, the authorization url wouldn't redirect an anon user to the wiki, but show me a login form instead. Is there anything else to configure?

Follow-up:

I confirm that on a public Tuleap project on a platform open to anonymous, I'm no longer mandated to log in, but:

    • The Sidebar is not loaded at all
• If I'm logged in on Tuleap and I click on "Mediawiki", Mediawiki doesn't try to authenticate me, so I'm not logged in at all.

For issue n°2, @tgerbet suggests that MW should always initiate the OAuth2 flow and, when the platform is open to anonymous and the user is not logged in, Tuleap should return to MW that the user is anonymous.

Follow-up:

    gerrit #26270 (Add missing permission setup in MediaWiki settings) integrated in Tuleap 13.10.99.57

@dsavuljesku I gave it a try with the change I just merged + the pending patch on your side, but it still seems to forbid anonymous users. Is that expected?