
API help caching doesn't vary on $wgUser->isAnon(), causes staleness
Closed, Resolved (Public)

Description

From http://en.wiktionary.org/w/api.php

  • action=purge * Purge the cache for the given titles.

This module requires read rights.
This module requires write rights.
Parameters:

titles         - A list of titles

Example:

api.php?action=purge&titles=Main_Page|API

From http://commons.wikimedia.org/w/api.php

  • action=purge * Purge the cache for the given titles.

This module requires read rights.
This module requires write rights.
This module only accepts POST requests.
Parameters:

titles         - A list of titles

Example:

api.php?action=purge&titles=Main_Page|API

Commons says that it only accepts POST requests. The English Wiktionary does not. Something is wrong.


Version: unspecified
Severity: minor

Details

Reference
bz24792

Event Timeline

bzimport raised the priority of this task from to Medium. Nov 21 2014, 11:09 PM
bzimport set Reference to bz24792.

I think this might be due to caching the help message. action=purge only requires post rights if you're an anon, but the cache key for the help message doesn't distinguish between logged in users and non-logged in users.

To test this theory, I went to http://commons.wikimedia.org/w/api.php which said POST needed for me at time of testing, but http://commons.wikimedia.org/w/api.php?version which uses a different cache key did not.

(In reply to comment #1)

I think this might be due to caching the help message. action=purge only
requires post rights if you're an anon, but the cache key for the help message
doesn't distinguish between logged in users and non-logged in users.

Yes, it seems you're right (I just tested a bit myself with curl and Firefox). Is there a bug about this already?

Have you tried it logged in on both wikis?

See at ApiPurge::mustBePosted()

public function mustBePosted() {
    global $wgUser;
    return $wgUser->isAnon();
}

(In reply to comment #3)

Have you tried it logged in on both wikis?

See at ApiPurge::mustBePosted()

public function mustBePosted() {
    global $wgUser;
    return $wgUser->isAnon();
}

I tested logged in and logged out.

When I visit http://en.wiktionary.org/w/api.php right now logged in, the purge module says "This module only accepts POST requests."

As far as I understand, this behavior is wrong (or at least unexpected).

A nice and clean solution for this could be to allow modules to add to the cache key by overriding a base method.

It seems that the purge module is exceptional (it's probably the only module that makes a distinction between POST behavior based on logged-in status). Modifying the purge module to output a generic message in the documentation is probably the simplest solution, something like "If you're not logged in, you must POST this request."

Seems like the ApiHelp caching is done separately...

Adding a variance of the isAnon would take care of this...

$key = wfMemcKey( 'apihelp', $this->getModuleName(), $wgUser->isAnon(),
    SpecialVersion::getVersion( 'nodb' ) .
    $this->getMain()->getShowVersions() );
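
The staleness discussed in this thread, as an added example that is not MediaWiki's code and not part of any comment: a toy in-memory cache shows help text rendered for an anonymous visitor being served to a logged-in user when the key omits the user state, and what changes when the key varies on it. `HelpCache`, `renderPurgeHelp()` and `getHelp()` are hypothetical names.

```php
<?php
// Added illustration, not MediaWiki code: an in-memory array stands in for memcached.
// HelpCache, renderPurgeHelp() and getHelp() are hypothetical names.

final class HelpCache {
    private $store = [];

    public function get( string $key ): ?string {
        return $this->store[$key] ?? null;
    }

    public function set( string $key, string $value ): void {
        $this->store[$key] = $value;
    }
}

// Mirrors the behaviour described in the thread: POST is mandatory only for anonymous users.
function renderPurgeHelp( bool $isAnon ): string {
    $help = "action=purge: Purge the cache for the given titles.\n";
    if ( $isAnon ) {
        $help .= "This module only accepts POST requests.\n";
    }
    return $help;
}

// $varyOnAnon = false reproduces the stale key; true adds the user state to the key.
function getHelp( HelpCache $cache, bool $isAnon, bool $varyOnAnon ): string {
    $parts = [ 'apihelp', 'help' ];
    if ( $varyOnAnon ) {
        $parts[] = $isAnon ? 'anon' : 'user';
    }
    $key = implode( ':', $parts );
    $cached = $cache->get( $key );
    if ( $cached !== null ) {
        return $cached; // whoever rendered first decides what everyone sharing the key sees
    }
    $help = renderPurgeHelp( $isAnon );
    $cache->set( $key, $help );
    return $help;
}

foreach ( [ false, true ] as $varyOnAnon ) {
    $cache = new HelpCache();
    getHelp( $cache, true, $varyOnAnon );          // anonymous visitor fills the cache
    $seen = getHelp( $cache, false, $varyOnAnon ); // logged-in user reads afterwards
    $stale = strpos( $seen, 'only accepts POST' ) !== false;
    printf( "vary on isAnon: %s -> logged-in user sees POST-only notice: %s\n",
        $varyOnAnon ? 'yes' : 'no', $stale ? 'yes (stale)' : 'no' );
}
```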

Created attachment 7734
Patch

Stashing a patch for this so I don't accidentally commit/lose it. Still seems a sane way to go. Roan?


(In reply to comment #8)

Created attachment 7734 [details]
Patch

Stashing a patch for this so I don't accidentally commit/lose it. Still seems
a sane way to go. Roan?

Looks good.
