Author: puhelin09

Description:
MediaWiki 1.13.0
PHP 5.2.6 (apache2handler)
MySQL 5.0.67-log

Warning - you are about to enter the world of X Files!

I have implemented the UserLoadFromSession hook (UserAuthTGST.php code attached) to authenticate the user via our SSO. It was quite a battle (see bug 17077) but I thought I'd finally sorted it. Apparently not - strap yourself in! I have two IDs - SS (created in the standard way) and Sam.Sexton (created using the hook).

When, as SS, I gave Sam.Sexton sysop and bureaucrat access, the latter could see the restricted pages in Special Pages. However, when I granted someone group membership via the User rights management page, instead of clearing the group list etc., the page refreshed showing the boxes I'd ticked as empty.

I did some research and updated the hook so that it called User->loadFromId() rather than loadFromDatabase(), as the former manages the cache. That was successful, but it made no effective difference. I have turned on SQL debugging and can see where the successful and failing paths diverge.

Before I show you those, the problem disappeared for Sam.Sexton after I commented out the hook definition in LocalSettings, logged in as SS and then reversed that process - it all works fine for Sam.Sexton now but the problem persists with users to whom I have granted admin rights.

Here is the indication of the successful call to loadFromId() from my own logging file:

2009-02-03 13:48:23 Page: /d3wiki/index.php/Special:UserRights
2009-02-03 13:48:23 TGSTWiki cookie found
2009-02-03 13:48:23 Entering UserAuthTGST::loadFromDatabaseTGST ...
2009-02-03 13:48:23 Cookie exploded: 8001532, Kxxx.Bxxx@mydomain.com, Kxxx, Bxxx
2009-02-03 13:48:23 DB entry found for employee id 8001532 with user id 133 and name Kxxx.Bxxx
2009-02-03 13:48:23 loadFromId succeeded for user ID 133 and name Kxxx.Bxxx

From Special:Listusers:

Kxxx.Bxxx ?(bureaucrat, nsD3PRIVRW, nsD3PRIV_TalkRW, sysop)

Here are extracts from the debug log for (firstly) a failed attempt by KB to give GB nsD3PRIVRW membership. The full logs are in the attachement.

Start request
POST /d3wiki/index.php/Special:UserRights
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Chrome/1.0.154.46 Safari/525.19

...

Connecting to localhost wikidbD3...
SQL: SET /* Database::open */ NAMES utf8
SQL: SET /* Database::open */ sql_mode = ''
Connected
...
SQL: SELECT /* User::loadFromDatabase Kxxx.Bxxx */ * FROM d3_user WHERE user_id = '968' LIMIT 1
SQL: SELECT /* User::loadGroups Kxxx.Bxxx */ ug_group FROM d3_user_groups WHERE ug_user = '968'

This is where the paths diverge ....

SQL: SELECT /* Parser::replaceLinkHolders Kxxx.Bxxx */ page_id, page_namespace, page_title, page_is_redirect, page_len FROM d3_page WHERE (page_namespace=2 AND page_title IN('Gxxx.Bxxx')) OR (page_namespace=3 AND page_title IN('Gxxx.Bxxx'))
SQL: SELECT /* IndexPager::reallyDoQuery (LogPager) Kxxx.Bxxx */ log_type,log_action,log_user,log_namespace,log_title,log_params,log_comment,log_id,log_deleted,log_timestamp,user_name,user_editcount FROM d3_logging FORCE INDEX (page_time,user_time),d3_user WHERE (log_type != 'suppress') AND log_type = 'rights' AND log_namespace = '2' AND log_title = 'Gxxx.Bxxx' AND (user_id = log_user) ORDER BY log_timestamp DESC LIMIT 51
SQL: SELECT /* Job::pop Kxxx.Bxxx */ * FROM d3_job WHERE job_id >= 0 ORDER BY job_id LIMIT 1
SQL: COMMIT
SQL: BEGIN
SQL: SELECT /* LinkBatch::doQuery Kxxx.Bxxx */ page_id, page_namespace, page_title, page_len, page_is_redirect FROM d3_page WHERE (page_namespace=2 AND page_title='Kxxx.Bxxx') OR (page_namespace=3 AND page_title='Kxxx.Bxxx')
SQL: SELECT /* User::checkNewtalk Kxxx.Bxxx */ user_id FROM d3_user_newtalk WHERE user_id = '133' LIMIT 1
OutputPage::sendCacheControl: private caching; **
Request ended normally

and here's a successful one for Sam.Sexton adding the same permission:

Start request
POST /d3wiki/index.php/Special:UserRights
Host: d3wiki.nott.ime.mydomain.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5
...
Connecting to localhost wikidbD3...
SQL: SET /* Database::open */ NAMES utf8
SQL: SET /* Database::open */ sql_mode = ''
Connected
...
SQL: SELECT /* User::loadFromDatabase Sam.Sexton */ * FROM d3_user WHERE user_id = '968' LIMIT 1
SQL: SELECT /* User::loadGroups Sam.Sexton */ ug_group FROM d3_user_groups WHERE ug_user = '968'

This is where the paths diverge ....

SQL: DELETE /* User::removeGroup Sam.Sexton */ FROM d3_user_groups WHERE ug_user = '968' AND ug_group = 'bot'
SQL: UPDATE /* User::invalidateCache Sam.Sexton */ d3_user SET user_touched = '20090203143753' WHERE user_id = '968'
SQL: DELETE /* User::removeGroup Sam.Sexton */ FROM d3_user_groups WHERE ug_user = '968' AND ug_group = 'sysop'
SQL: UPDATE /* User::invalidateCache Sam.Sexton */ d3_user SET user_touched = '20090203143753' WHERE user_id = '968'
SQL: DELETE /* User::removeGroup Sam.Sexton */ FROM d3_user_groups WHERE ug_user = '968' AND ug_group = 'bureaucrat'
...
oldGroups: Array
(
)
newGroups: Array
(

[0] => nsD3PRIVRW

)
SQL: INSERT /* LogPage::saveContent Sam.Sexton */ INTO d3_logging (log_id,log_type,log_action,log_timestamp,log_user,log_namespace,log_title,log_comment,log_params) VALUES (NULL,'rights','rights','20090203143748','3','2','Gxxx.Bxxx','','\nnsD3PRIVRW')

... and on to sweet success ...

I've pored over User.php to see if there's something I'm missing, but if so, I can't find it.
This has (I'm convinced!) to be something I'm not doing correctly in the hook, but there was no sample code, so I had to migrate the old code (hacked into User.php for 1.8.2 by a departed colleague) into the hook. I've provided the code I ended up with in the talk page for the hook at http://www.mediawiki.org/wiki/Manual_talk:Hooks/UserLoadFromSession and will update that when this is sorted.

Many thanks in advance for any advice.

Version: 1.13.x
Severity: enhancement
OS: Solaris
Platform: Other
URL: http://(internal)