Page MenuHomePhabricator

Flow: It's too easy to accidentally edit when logged-out
Closed, ResolvedPublic

Description

Not sure if we can do anything about this, but: with the normal wiki process it goes article - edit window - save. It's really easy to tell if you get coincidentally logged-out as you're trying to edit, because they're all different pages and so the interface changes.

With Flow, article and edit window are the same page; you can get logged-out while reading and leave a comment without the interface warning you. I'm not sure if there's anything we can do about that, but is there any way we could display a warning? The alternative is a potential increase to OS work of unknown amount.


From T122536:

  1. Log in in a browser
  2. Go to another browser (or open a different tab) - and log in with the same user credentials.
  3. Now log out of one of the browsers (or tabs).
  4. A user won't get a warning that IP will be recorded

a) The following actions do not provide any feedback to a user that IP will be recorded except in 'View history'

  • editing Board description
  • editing title

b) Attempting to 'Thank' will display 'Thank action' failed'.

c) Other actions - Reply, Edit the topic summary, editing posts - will display user's IP only upon Save.

Note:

  • Notifications will display proper warning to remind a user to log in
  • Creating a new topic triggers the blue-colored warning

Version: unspecified
Severity: enhancement

Details

Reference
bz58696

Event Timeline

bzimport raised the priority of this task from to High.Nov 22 2014, 2:36 AM
bzimport set Reference to bz58696.
bzimport added a subscriber: Unknown Object (MLST).

bingle-admin wrote:

The WMF core features team tracks this bug on Mingle card https://mingle.corp.wikimedia.org/projects/flow/cards/640, but people from the community are welcome to contribute here and in Gerrit.

For the case of "I'm logged in, so interface shows my name; but I take too long - then submit and apparently was no longer logged in (session expired)":

When submitting the post, we could fetch user id from JS (mw.config.get( 'wgUserId' )), submit it along with the post content being submitted. When validating post submission, we can check if against request context user. If they don't match, we can respond with an error (similar to edit conflict) to inform the user they're no longer logged in. They could then either submit anyway, or copy the content, log in again, and re-submit.

Just one idea.

(In reply to comment #2)

For the case of "I'm logged in, so interface shows my name; but I take too
long

  • then submit and apparently was no longer logged in (session expired)":

When submitting the post, we could fetch user id from JS (mw.config.get(
'wgUserId' )), submit it along with the post content being submitted. When
validating post submission, we can check if against request context user. If
they don't match, we can respond with an error (similar to edit conflict) to
inform the user they're no longer logged in. They could then either submit
anyway, or copy the content, log in again, and re-submit.

Just one idea.

+1

We now display a big blue warning when you're logged out. Does it address the issue?

Screen Shot 2015-10-22 at 16.46.10.png (333×754 px, 47 KB)

Will that warning appear when you attempt to save and edit?
(e.g. if you start writing a comment, and is logged out before submitting it, and then tries to submit it)

Will that warning appear when you attempt to save and edit?
(e.g. if you start writing a comment, and is logged out before submitting it, and then tries to submit it)

In the case where the page is stalled (you appear to be logged in but your session has actually expired in the server) we don't show the warning.

In the case where the page is stalled (you appear to be logged in but your session has actually expired in the server) we don't show the warning.

Re-checked and decided to create T122536: Users with expired user session should be warned that their IP address will be recorded to summarize the current absence of warnings.

In the case where the page is stalled (you appear to be logged in but your session has actually expired in the server) we don't show the warning.

That issue is now covered in T217774: Structured Discussions exposes user’s IP address if logged out in other browser window/tab. I think nothing is left to do here; please reopen if I missed something.

Tgr claimed this task.