[05:36:42] Is there a tool for managing multiple mediawiki vhosts on the same box? I've made scripts for doing stuff like updates and ugly extension management, but I'm guessing someone's already taken a crack at it
[08:47:00] it seems that does not imply . some things inside a block are still parsed, such as links. is there a way to set to imply as well?
[08:47:20] obviously this is important if ever contains code
[09:29:48] A client is customizing the wording on various extensions. Should I add a new language in languages/messages/ with en as a fallback, modify the message text directly, or do something else? I'm looking for a solution that won't get overwritten when we do updates and follows best practices.
[09:32:29] Abulafia: use a hook...
[09:32:59] MessageCache::get
[09:35:21] Thanks Nikerabbit. And override the file to one of my own? Is it safe to keep the new file in the extension's directory, or should I have a directory for the customizations?
[09:35:56] Abulafia: you can make an extension, use the hook to rename the messages you want to override and translate them as that extension's messages
[13:08:34] hmmm running cleanupTitles.php changed a page named "ヴァル" to "Broken/id:6440"
[13:08:54] not exactly what i had in mind. any idea why it did that ?
[13:10:10] it also seems to have changed the title to "ヴァル" which doesn't render correctly anymore, showing empty boxes in place of some of the characters
[19:38:30] * revansx[m] sent a long message: < https://matrix.org/_matrix/media/v1/download/matrix.org/vSOwPfveUZVimynPVcmWLPzU >
[19:40:17] Just paste what you typed here.
[19:40:28] revansx[m]: ^
[19:42:53] * revansx[m] sent a long message: < https://matrix.org/_matrix/media/v1/download/matrix.org/IrioelMzAYTzVCvqKnOBSIcH >
[19:43:35] revansx[m]: ^
[19:43:47] @Trela, Is that what you meant?
[19:44:18] "revansx[m] sent a long message: < https://matrix.org/_matrix/media/v1/download/matrix.org/IrioelMzAYTzVCvqKnOBSIcH >"
[19:44:59] Trela: ah.. sec
[19:45:43] Just pointing out that appearing in a channel and dropping a reasonably suspicious link will not make people click on it. :P
[19:45:49] can someone take a peek at task: ```https://phabricator.wikimedia.org/T191730``` for the "Auth_RemoteUser" extension and tell me if they think it relates to the "First Save" bug reported here:
[19:45:50] ```https://meta.wikimedia.org/wiki/User_talk:Otheus/Auto_Login_via_REMOTE_USER#First-Save_Bug```
[19:47:33] Trela: gotcha. thanks. that said.. are the link I just sent rendered as the text I wrote or are they appearing as a "long message" link?
[19:48:03] Just appearing as a "long message" link. Looks like a classic IRC scam to get people to click on links that distribute malware.
[19:48:44] Oof, yeah, that is an annoying bug with the AuthManager sessions. I previously had that in the SessionProvider I wrote for my stack and it took a lot of work to fix it.
[19:50:51] matrix.org is not really suspicious, it's like pastebin (in this case; more generally it's a chat network similar to and compatible with IRC)
[19:51:07] Assuming that you know what it is.
[19:51:27] oh, wow.. that you know about this is very encouraging.
[19:51:28] which is why I'm helpfully telling you :)
[19:51:42] again thanks.
[19:51:47] I know what Matrix.org is. Still looks like a classic IRC scam. :P
[19:51:57] From what I remember it was more or less that the session was technically anonymous until the user made an edit. Then the session would be recreated, but kill the edit token.
[19:52:39] anyway, you should not use session_start in 1.27+, MediaWiki has its own session handling from there on
[19:52:46] The SessionProvider I created was a light provider in that it just tried to "assist" the base SessionProvider provided by MediaWiki's code. I ended up having to extend and override more of the base class methods to actually properly wrangled the sessions.
[19:53:07] yes, exactly... i have seen a work-around from the MW 1.7 era, but nothing that translates to the MW 1.30 era.. any thoughts?
[19:53:12] which might or might not be implemented via PHP sessions depending on how the wiki is configured
[19:54:21] i'm really in a bind because of it 😞
[19:54:44] That extension author probably just needs to do a full audit of the code to see where the root cause of the issue is. :/
[19:55:41] I'm encouraged that someone else as recently as April of this year made a phabricator task for it, but I have had the most difficult time trying to find anyone to talk to me about it with some firsthand experience..
[19:55:52] how did you solve it?
[19:55:57] (or work around it)
[19:56:41] ah.. just read your comment above
[19:58:18] i'm just a novice programmer and could not take on the task of extending/overriding the base class methods to actually properly wrangled the sessions like you did.. but I could implement a fix that someone else prescribes.. that's what I'm hoping for in lieu of the author fixing it properly
[19:58:21] the Phab task does not say what class.user.php does so it's not particularly useful, but in general mixing MediaWiki sessions with sessions set up by another application is not supported, and IMO not a reasonable thing to do
[19:58:58] as in, it worked pre 1.27 but could backfire in any number of ways
[19:59:13] but the session from another application (iiuc) is literally what my session provider is doing
[19:59:28] if you do insist on doing it, there are two ways I can think of
[20:00:23] here is my exact set-up: ```https://www.mediawiki.org/wiki/Topic:Ug7imtddoqehuvx4```
[20:01:17] I'm using CA Policy Agent to enforce secure authenticated sessions
[20:01:28] one of them is to set $wgPHPSessionHandling = 'disable', which detaches MediaWiki from PHP sessions entirely, and then you can do with them as you wish
[20:01:57] which is something that needs to be set by the site administrator, not the extension author, so that's a bit problematic
[20:02:03] nice.. the other?
[20:02:12] also AFAIK no big site uses it so not well tested
[20:06:31] I had to go to the bathroom.(Helps me remember too!) Basically all our session persistence was previously being done through cookies. With the change over to the new SessionProvider setup we moved to a two-pair setup with most of the session data being stored in Redis and only key token being stored in the cookies. That got around issues with cookies being unintentionally destroyed and allowed us to recreate those cookies if needed
[20:06:31] without losing the session.
[20:08:10] ha. bio-breaks not a bug, they are a feature! ha ha
[20:08:31] They get the bugs out!
[20:09:04] the other is to back up the session, clear it, call the external session handling code, read what you need, restore the session
[20:09:31] indeed! lol ... my site is a small private enterprise site. small site behind the firewall of a big organization..
[20:09:39] RequestContext::importScopedSession has an example of that, although a somewhat overcomplicated one
[20:10:56] I guess you can just do something like
[20:11:06] i'm completely dumb with respect to cookie, and session, security issues .. and even dumber about who mediawiki session and cookie handling need to work
[20:11:16] $ctx = RequestContext::getMain();
[20:11:29] $session = $ctx->exportSession();
[20:11:56] $scope = $ctx->importScopedSession( $session );
[20:12:24] from my perspective the situation is simple.. RHEL7 with CA Policy Agent enforcing remotely authenticated browser sessions.. mediawiki installed on top with Auth_RemoteUser providing automatic user-login
[20:12:39] revansx[m]: NASA Glenn? :O
[20:12:47] ScopedCallback::consume( $scope );
[20:12:53] would you be willing to make these comments on my Talk Page Topic: ```https://www.mediawiki.org/wiki/Topic:Ug7imtddoqehuvx4```
[20:13:28] and call the external code which messes with the session between creating and consuming the scope
[20:14:18] yes. trying to bring our part of the agency up to date with semantic open-linked data tools
[20:14:29] what does remotely authenticated browser session mean?
[20:14:58] but stumbling terribly on the basics of user authentication and authorization
[20:16:37] it means that by the time a client browser gets to interact with my site, their browser session has already been authenticated by an agency identity provider that has a trust relationship with my server
[20:16:52] tgr: US government organizations typically use browser plugins that preauthenticate the user, typically with a CAC(card), to give the user access.
[20:17:14] so my server can 'trust' the identity properties provided in the session header
[20:17:27] sure, but how is that information transferred to your site?
[20:17:48] the agency uses a product called "Policy Agent" by a company called "Computer Associates"
[20:17:51] the code in T191730 suggests that it happens via the PHP session backend which sounds rather horrible
[20:17:52] T191730: Calling session_start() with Auth_remoteuser extension causes AuthManager tokens not to match - https://phabricator.wikimedia.org/T191730
[20:18:19] see my session data here: ```https://www.mediawiki.org/wiki/File:2018-06-04--09-51-53--screenshot-rkevans001.png```
[20:19:14] that screenshot details each step of the remote authentication process
[20:19:25] well, that's cookie data, not session data
[20:19:32] not PHP session data I mean
[20:19:55] in that case just write a SessionProvider which reads from those cookies
[20:20:01] oh, .. see.. i'm a moron
[20:20:45] I wish I knew how to do what you are describing .. you make it sound so simple
[20:20:46] Oh... ha. Yeah, that would work.
[20:20:51] subclass ImmutableSessionProviderWithCookie, override provideSessionInfo
[20:21:34] it gets a WebRequest, check the cookie through that, return a SessionInfo
[20:21:56] is that something I would write in LocalSettings.php?
[20:22:08] You would need to create an extension to handle this.
[20:22:52] the problem seems to be that the existing code in includes/class.user.ph sets a PHP session, so if you can just stop it from doing that, your existing code should work
[20:23:07] but ideally you'd have a session handling extension for this, yeah
[20:23:40] that sounds promising.
[20:23:52] Give me a few minutes and I can stub one out for you.
[20:24:36] oh, wow.. you would be my hero
[20:24:54] I mean, you would have to find out if it actually works. :P
[20:30:02] i'm a great guinea pig! lol
[20:34:16] I am taking a look at the existing extension first hoping it is a simple bug.
[20:38:23] revansx[m]: Trela: it would look something like this: https://www.mediawiki.org/wiki/Manual:SessionManager_and_AuthManager/SessionProvider_examples
[20:39:03] Does your web server have register globals turned on? Is $HTTP_AGENCYUID setup by the PHP process start up? That looks like it...
[20:39:09] revansx[m]: ^
[20:39:54] If so you should update to $_SERVER['HTTP_AGENCYUID'] and similar for the rest of those.
[20:40:27] That or $_SESSION.
[20:41:21] I know that the variable $HTTP_AGENCYUID is defined, i have no idea if it qualifies as a registered global variable
[20:41:39] Please bear with me as I try to make sense of everything you are saying
[20:41:42] (and thank you)
[20:42:05] do I use the ```https://www.mediawiki.org/wiki/Manual:SessionManager_and_AuthManager/SessionProvider_examples``` as is?
[20:42:09] Did you define that variable somewhere? If not your server is turning register_globals on which is 1.) Bad for security 2.) Not necessarily supported by MediaWiki.
[20:42:28] and where do I install it? .. in LocalSettings.php?
[20:42:43] Read that example a little closer. "getLoggedInStatusFromCookieSomehow" It stubs it out, but the logic still needs to be filled in.
[20:44:44] I would start first with updating your configuration to make sure that no old cruft is causing new code to misbehave.
[20:45:51] * revansx[m] sent a long message: < https://matrix.org/_matrix/media/v1/download/matrix.org/yVpukuBzEfdXLaRADuCqXFVz >
[20:46:37] that the CA Policy Agent guarantees that that attribute is valid
[20:48:04] Ah, yeah. So you or someone else in the past did turn off register_globals(good) and put in that work around to keep from having to update it everywhere else.
[20:49:34] I need to update my Topic to include that.. sec..
[20:49:43] What are you using a string of "NULL" instead of regular old null? $wgAuthRemoteuserUserName will use string of "NULL" as a valid user name.
[20:52:23] that "NULL" string could be anything. It only needs to be some string that is guaranteed to never be a registered user by the agency
[20:53:12] Right, but the Auth_remoteuser extension will take the "NULL" string as a literal user and attempt to create a valid session for it. Which can pollute the end user's session cookies.
[20:53:21] *literal valid user
[20:54:00] ah! ok.. so is there a better way to configure Auth_RemoteUser for my application?
[20:54:15] Just take the quotes off "NULL". :D
[20:54:25] So that it is the data type of NULL.
[20:54:50] null
[20:55:04] will do
[20:55:24] do you think that alone might create a positive result?
[20:56:26] Only one way to find out.
[21:02:45] changed the ```="NULL";``` to ```=null;``` .. no joy
[21:09:10] :(
[21:09:40] * revansx[m] sent a long message: < https://matrix.org/_matrix/media/v1/download/matrix.org/BqhSCXMcnJZpmOzndwdxjEZv >
[21:09:54] The metric is the "First Save" bug
[21:10:17] whatever MW is doing upon first save attempt needs to happen upon first visit
[21:11:22] because after the failed "first save" attempt, things pretty much work
[21:11:25] ok
[21:13:19] Sorry, I have to go. :O Good luck!
[21:13:57] you have been extremely helpful and have provided some serious leads for me to explore
[21:13:57] thank you!
[21:35:07] tgr and Trela .. thank youo
[21:35:43] thank "you"