Skip to main content

Public

Project privacy set to public. By default, its content is available to everyone (authenticated or not). Please note that more restrictive permissions might exist on some items.

    •  
      request #27519 TuleapFarm: unlog one user everywhere
    Actions
    Infos
    #27519
    Manuel Vacelet (vaceletm)
    2022-09-09 14:59
    2022-06-28 11:19
    29064
    Details
    TuleapFarm: unlog one user everywhere

    How to terminate all sessions of one user across all the farm and/or per project ?

    I would need such a route in following cases:

    • User is removed from project => they loses write access to one instance
    • User status changed (Deleted/Suspended/...) => they loses access to all instances

    AFAICT, I can only flush all sessions farm wide or per instance

    Mediawiki Standalone
    Empty
    Empty
    • [ ] enhancement
    • [ ] internal improvement
    Robert Vogel (rvogel), Dejan Savuljesku (dsavuljesku)
    Stage
    Dejan Savuljesku (dsavuljesku)
    Closed
    2022-09-09
    Attachments
    Artifact links

    Releases

    Fixed in

    Artifact ID Project Tracker Summary Status Last Update Date Submitted By Assigned to
    rel #26815 Tuleap Releases 14.0 Delivered 2022-10-12 09:57 Manuel Vacelet (vaceletm)
    Empty
    References
    Referencing request #27519

    Git commit

    tuleap/tuleap/stable

    Extract common part of OIDC token generation 24c1f9d0c1
    User avatar Thomas Gerbet (tgerbet) , 2022-06-30 21:49
    Users removed from the project members are logs out from the MW instance cbf848d76b
    User avatar Thomas Gerbet (tgerbet) , 2022-07-27 11:09
    Update "Tuleap MediaWiki" extensions 8d33627c9c
    User avatar Thomas Gerbet (tgerbet) , 2022-09-06 09:08
    fix(mw-standalone): Unlog user everywhere on status changes 9518dbea34
    User avatar Manuel Vacelet (vaceletm) , 2022-09-09 11:10
    Display settings

    Follow-ups

    User avatar
    Thomas Gerbet (tgerbet)2022-07-27 10:37

    I just tried to do the implementation but I was unable to make it work for a specific user on all instances, when I call /mediawiki/w/rest.php/tuleap/maintenance/*/terminate-sessions all users are log out even if ask for a specific user. It works fine when I specify an explicit instance name.

    User avatar
    Thomas Gerbet (tgerbet)2022-07-01 15:15

    Sorry, i just now saw your comment, after implementation. For now i did the easy change, of just specifying the username and using the normal MW mechanism.

    Since it is almost already there, we will use that. We could still move to something else later on if necessary.

    User avatar
    Dejan Savuljesku (dsavuljesku)2022-06-30 15:02

    Sorry, i just now saw your comment, after implementation. For now i did the easy change, of just specifying the username and using the normal MW mechanism.

    Example: to terminate all sessions for user Testuser, call

    curl -X POST -k -H 'Content-Type: application/json' -i 'https://tuleap.com/mediawiki/w/rest.php/tuleap/maintenance/*/terminate-sessions' --data '{
  "user": "Testuser"
}'

    Change https://gerrit.wikimedia.org/r/c/mediawiki/extensions/TuleapWikiFarm/+/809985

    User avatar
    Thomas Gerbet (tgerbet)2022-06-30 10:20

    For this one, if that's okay for you, I suggest we go with the standard/generic OIDC way and use the OIDC Back-Channel Logout.

    On the Tuleap side it involves sending a specific payload to an endpoint exposed by MediaWiki. MediaWiki would have to validate the logout token to revoke the sessions of a user. To drop access on a specific instance we can add an additional claim with the project ID or shortname.

    I would prefer using this generic OIDC possibility instead of a specific endpoint like the one we have with tuleap/maintenance/:instance_name/terminate-sessions because it could be re-used outside the specific MW implementation and this way it will get more testing.