https://bugzilla.wikimedia.org/show_bug.cgi?id=64822
Bug ID: 64822
Summary: ve.ui.MWMediaSearchWidget.js: JSONP does not work on local private wikis
Product: VisualEditor
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: Unprioritized
Component: Editing Tools
Assignee: [email protected]
Reporter: [email protected]
CC: [email protected], [email protected],
[email protected], [email protected],
[email protected]
Web browser: ---
Mobile Platform: ---
Tested on MW 1.22.6 with stable snapshot of VisualEditor, but looking at the
master branches I'm quite sure that this still applies.
Steps to reproduce
==================
1. Set wiki to have read access only for users:
$wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['user']['read'] = true;
Note that if testing on local environment, you will have to first open VE
with the 'Edit' button, so that Parsoid is not locked out by this
configuration.
2. Open the 'Media' button in the VE toolbar and search for something.
3. The AJAX request will return 'readapidenied', because it won't recognise the
user credentials.
Cause
=====
ve.ui.MWMediaSearchWidget.js makes a JSONP request to localhost. However,
MediaWiki's ApiMain.php:180
(https://git.wikimedia.org/blob/mediawiki%2Fcore.git/9db61c9ab58b11b639a1f95916b37b57530ec674/includes%2Fapi%2FApiMain.php#L180)
will remove user credentials from JSONP requests for security reasons.
Therefore, the user is treated as not being logged in and the 'readapidenied'
message is returned.
Solution
========
There is already a TODO here from Trevor Parscal in bf268e82:
// TODO: Only use JSON-P for cross-domain.
// jQuery has this logic built-in (if url is not same-origin ..)
// but isn't working for some reason.
However, I can't see anything in the jQuery $.ajax docs that says it will
switch from JSONP to JSON for same-origin requests.
So if it's not automatic, the obvious fix is to add a function that checks for
same-origin in the JavaScript. But since this issue is hard to debug and may
occur again for other extension developers, I think it would be better to patch
the MW core so that it only strips user credentials for cross-origin JSONP
requests (ApiMain.php:180).
I didn't want to make a patch for this without checking about the security
implications, and also to ask if there is an existing utility function in
MediaWiki which checks if a request is same-origin?
Workaround
==========
If you are only searching the private wiki and no external sources, a temporary
workaround is to change "'dataType': 'jsonp'" to "'dataType': 'json'" in
ve.ui.MWMediaSearchWidget.js.
_______________________________________________
Wikibugs-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
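The client-side same-origin check the Solution section proposes, as an added example that is neither VisualEditor nor MediaWiki code. It assumes the browser/Node `URL` class and a hypothetical `buildSearchRequest` helper whose option shape mirrors a plain `$.ajax` call (the real widget goes through `mw.Api`); only a cross-origin API endpoint falls back to JSONP, so a same-origin request keeps its cookies and is not hit by the credential stripping in ApiMain.php.

```javascript
// Added example, not code from VisualEditor or MediaWiki core.
// Decide per request whether the API endpoint shares the page's origin and
// pick the jQuery dataType accordingly: 'json' (cookies sent, works on a
// private wiki) for same-origin, 'jsonp' only for cross-origin.

// Resolve an API URL (absolute, protocol-relative "//host/path", or
// path-relative "/w/api.php") against the page URL and compare scheme,
// host and port. URL.origin already drops default ports (":80", ":443").
function isSameOrigin(apiUrl, pageUrl) {
  const page = new URL(pageUrl);
  const api = new URL(apiUrl, page);
  return api.origin === page.origin;
}

function chooseDataType(apiUrl, pageUrl) {
  return isSameOrigin(apiUrl, pageUrl) ? 'json' : 'jsonp';
}

// Hypothetical request builder: the option object a media search would hand
// to $.ajax. The query parameters are an ordinary imageinfo search against
// the MediaWiki action API.
function buildSearchRequest(apiUrl, pageUrl, searchTerm) {
  return {
    url: apiUrl,
    dataType: chooseDataType(apiUrl, pageUrl),
    data: {
      action: 'query',
      generator: 'search',
      gsrsearch: searchTerm,
      gsrnamespace: 6,      // File namespace
      prop: 'imageinfo',
      format: 'json'
    }
  };
}

// Constructed sample: a private wiki at localhost plus a remote file repo.
const pageUrl = 'http://localhost/index.php?title=Main_Page&veaction=edit';
const localRequest = buildSearchRequest('/api.php', pageUrl, 'cat');
const remoteRequest = buildSearchRequest('//commons.wikimedia.org/w/api.php', pageUrl, 'cat');
```

The decision has to live in the client: a JSONP response is fetched by an injected `<script>` tag, which sends no `Origin` header and whose `Referer` can be suppressed, so the server cannot reliably distinguish a same-origin JSONP request from a cross-origin one. That is why stripping credentials on every JSONP request is the safe default on the MediaWiki side, and why avoiding JSONP for same-origin calls is the fix that does not weaken it.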