[Bug 40124] Request for determination: Adding user preferences via API

2013-02-03 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=40124 --- Comment #47 from Tyler Romeo --- (In reply to comment #46) > (In reply to comment #40) > > Also, next time a non-backwards-compatible change is made to the API, please > > try to advertise it more widely. Thanks! > > I mailed wikitech abou

[Bug 40124] Request for determination: Adding user preferences via API

2013-02-03 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=40124 --- Comment #46 from Bartosz Dziewoński --- (In reply to comment #40) > Also, next time a non-backwards-compatible change is made to the API, please > try to advertise it more widely. Thanks! I mailed wikitech about this (that is, the final fi

[Bug 40124] Request for determination: Adding user preferences via API

2013-02-02 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=40124 --- Comment #45 from Tyler Romeo --- The difference between 'hidden' and 'api' is that hidden can still be changed via the Preferences form, whereas api won't even be put on the form so it cannot be changed.

[Bug 40124] Request for determination: Adding user preferences via API

2013-02-02 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=40124 --- Comment #44 from Ryan Kaldari --- (In reply to comment #42) > Note that I18a5ffb5 created a way to register preferences that don't show up > in > Special:Preferences but can still be used via the API. We already have preferences of type 'h

[Bug 40124] Request for determination: Adding user preferences via API

2013-02-02 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=40124 --- Comment #43 from Rainer Rillke @commons.wikimedia --- (In reply to comment #41) > I guess it was the fix to bug 42202 that broke the ability to set > custom user options Indeed. But AFAIK this feature was nowhere documented. BTW, thank yo

[Bug 40124] Request for determination: Adding user preferences via API

2013-02-02 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=40124 --- Comment #42 from Brad Jorsch --- (In reply to comment #40) > (either > because it would be pref spam or you can't implement the specific interface > you > need via HTMLForm). While I agree 'userjs-' was a poor choice for a prefix, I > would

[Bug 40124] Request for determination: Adding user preferences via API

2013-02-01 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=40124 --- Comment #41 from Ryan Kaldari --- Actually, I guess it was the fix to bug 42202 that broke the ability to set custom user options, so nevermind about the non-backwards-compatible complaint :)

[Bug 40124] Request for determination: Adding user preferences via API

2013-02-01 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=40124 Ryan Kaldari changed: What|Removed |Added CC||rkald...@wikimedia.org --- Comment #40

[Bug 40124] Request for determination: Adding user preferences via API

2013-01-15 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=40124 Bawolff (Brian Wolff) changed: What|Removed |Added CC||bawolff...@gmail.com --- Comme

[Bug 40124] Request for determination: Adding user preferences via API

2013-01-15 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=40124 --- Comment #38 from Bartosz Dziewoński --- True, this could be used by anything, but I'm sure that JavaScript user scripts will be the primary "consumer" of this, so I thought that 'userjs' would be most obvious. Feel free to propose a better

[Bug 40124] Request for determination: Adding user preferences via API

2013-01-15 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=40124 --- Comment #37 from mybugs.m...@gmail.com --- (Copying from Bug 43960 comment 4, since this place seems to be more appropriate) Just to be sure, is the MW API only usable through JavaScript? If not, maybe the "js" in "userjs" is not ver

[Bug 40124] Request for determination: Adding user preferences via API

2013-01-14 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=40124 --- Comment #36 from Bartosz Dziewoński --- Also created bug 43960 for the same thing, but in the Special:Preferences interface. I've sent a note to wikitech: http://lists.wikimedia.org/pipermail/wikitech-l/2013-January/065637.html

[Bug 40124] Request for determination: Adding user preferences via API

2013-01-14 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=40124 Bartosz Dziewoński changed: What|Removed |Added See Also|https://bugzilla.wikimedia. | |org/show_bug.

[Bug 40124] Request for determination: Adding user preferences via API

2013-01-14 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=40124 Bartosz Dziewoński changed: What|Removed |Added See Also||https://bugzilla.wikimedia.

[Bug 40124] Request for determination: Adding user preferences via API

2013-01-14 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=40124 Bartosz Dziewoński changed: What|Removed |Added See Also||https://bugzilla.wikimedia.

[Bug 40124] Request for determination: Adding user preferences via API

2013-01-13 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=40124 mybugs.m...@gmail.com changed: What|Removed |Added CC||mybugs.m...@gmail.com

[Bug 40124] Request for determination: Adding user preferences via API

2013-01-13 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=40124 --- Comment #34 from MZMcBride --- (In reply to comment #33) > Gerrit change I5f9ba5b0 thoroughly reviewed and merged. \o/ Congrats! And thank you for all of your work on this bug. :-) > This means this is now possible, supported, and not a

[Bug 40124] Request for determination: Adding user preferences via API

2013-01-13 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=40124 Bartosz Dziewoński changed: What|Removed |Added Keywords|patch-in-gerrit | Status|ASSIGNED

[Bug 40124] Request for determination: Adding user preferences via API

2012-12-30 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=40124 Andre Klapper changed: What|Removed |Added Priority|Unprioritized |Normal

[Bug 40124] Request for determination: Adding user preferences via API

2012-12-16 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=40124 Beau changed: What|Removed |Added CC||b...@adres.pl --- Comment #32 from Beau --- Wh

[Bug 40124] Request for determination: Adding user preferences via API

2012-12-08 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=40124 --- Comment #31 from Bartosz Dziewoński --- > I've seen XSS thrown around, but I'm not sure how user option keys are viable XSS vectors. They aren't. They could be if you could use a GET request to set the preferences, or if the options API di

[Bug 40124] Request for determination: Adding user preferences via API

2012-12-08 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=40124 Tyler Romeo changed: What|Removed |Added CC||tylerro...@gmail.com --- Comment #30 fro

[Bug 40124] Request for determination: Adding user preferences via API

2012-12-08 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=40124 --- Comment #29 from Bartosz Dziewoński --- (In reply to comment #28) > Indeed. This bug is imho either wontfix or duplicate of bug 21897. I have already said it, but I will repeat – this is intended not only for gadgets, but also (or even pri

[Bug 40124] Request for determination: Adding user preferences via API

2012-12-08 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=40124 --- Comment #28 from Krinkle --- (In reply to comment #26) > Reading Krinkle's comment, it sounds like WONTFIX or will be fixed when some > extension is ready in the future. So an RFC won't change this, I guess. Indeed. This bug is imho either

[Bug 40124] Request for determination: Adding user preferences via API

2012-12-07 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=40124 Bartosz Dziewoński changed: What|Removed |Added Keywords||patch-in-gerrit Statu

[Bug 40124] Request for determination: Adding user preferences via API

2012-12-04 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=40124 --- Comment #26 from Rainer Rillke @commons.wikimedia 2012-12-04 13:04:44 UTC --- (In reply to comment #24) > I could probably implement seamlessly saving the data in a user .js file in > less time than it took me to write out all these elaborate

[Bug 40124] Request for determination: Adding user preferences via API

2012-12-04 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=40124 --- Comment #25 from MZMcBride 2012-12-04 08:19:34 UTC --- No, but really: . All of you.

[Bug 40124] Request for determination: Adding user preferences via API

2012-12-03 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=40124 --- Comment #24 from Bartosz Dziewoński 2012-12-03 22:13:19 UTC --- (In reply to comment #21) > You want to avoid implementing anything that is officially reviewed and > supported (documented, reliable, maintained, not wiki/language local > im

[Bug 40124] Request for determination: Adding user preferences via API

2012-12-03 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=40124 --- Comment #23 from Brad Jorsch 2012-12-03 22:04:53 UTC --- (In reply to comment #22) > > Gadget preferences have little to do with user gadgets. > > User gadgets: No, converting a user script to a "User gadget" (with the model > I > have

[Bug 40124] Request for determination: Adding user preferences via API

2012-12-03 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=40124 --- Comment #22 from Krinkle 2012-12-03 21:55:32 UTC --- (In reply to comment #20) > (In reply to comment #18) > > So what about the use case mentioned in comment 0? That is valid indeed and > > has > > been filed as bug 21897. In fact impleme

[Bug 40124] Request for determination: Adding user preferences via API

2012-12-03 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=40124 --- Comment #21 from Krinkle 2012-12-03 21:52:53 UTC --- (In reply to comment #19) > It's all very nice, but I was hoping for something that could be reimplemented > within my lifetime. > > Especially since I already implemented what you're de

[Bug 40124] Request for determination: Adding user preferences via API

2012-12-03 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=40124 --- Comment #20 from Brad Jorsch 2012-12-03 21:30:52 UTC --- (In reply to comment #18) > > * This has been the case for years in the Special:Preferences backend, but > never on purpose. The recent security fix shows that this was indeed an >

[Bug 40124] Request for determination: Adding user preferences via API

2012-12-03 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=40124 --- Comment #19 from Bartosz Dziewoński 2012-12-03 21:29:38 UTC --- (In reply to comment #18) > (In reply to comment #14) > > [I]'d use 'userjs-' as the prefix, as 'ujs-' isn't too obvious. > > I'd recommend using a prefix like "gadget" inste

[Bug 40124] Request for determination: Adding user preferences via API

2012-12-03 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=40124 Krinkle changed: What|Removed |Added CC||krinklem...@gmail.com --- Comment #18 from K

[Bug 40124] Request for determination: Adding user preferences via API

2012-12-03 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=40124 --- Comment #17 from Krinkle 2012-12-03 21:05:38 UTC --- (In reply to comment #12) > I think refusing to save the characters <>&'"/ might be a good compromise. (In reply to comment #15) > (In reply to comment #13) > > Ugh, to me the idea with

[Bug 40124] Request for determination: Adding user preferences via API

2012-12-03 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=40124 --- Comment #16 from Bartosz Dziewoński 2012-12-03 20:55:59 UTC --- (In reply to comment #15) > You misunderstood. The proposal isn't to remove the characters, it's to return > a warning or error and not save the submitted value at all if the

[Bug 40124] Request for determination: Adding user preferences via API

2012-12-03 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=40124 --- Comment #15 from Brad Jorsch 2012-12-03 20:53:19 UTC --- (In reply to comment #13) > Ugh, to me the idea with removing the characters altogether doesn't sound > good. You misunderstood. The proposal isn't to remove the characters, it's t

[Bug 40124] Request for determination: Adding user preferences via API

2012-12-03 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=40124 --- Comment #14 from Bartosz Dziewoński 2012-12-03 19:49:13 UTC --- (I do, of course, agree with enforcing prefixed keys - but I'd use 'userjs-' as the prefix, as 'ujs-' isn't too obvious - I couldn't figure out what is it supposed to stand fo

[Bug 40124] Request for determination: Adding user preferences via API

2012-12-03 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=40124 --- Comment #13 from Bartosz Dziewoński 2012-12-03 19:47:47 UTC --- Ugh, to me the idea with removing the characters altogether doesn't sound good. If they are magically escaped, you can at least figure out what happens; if they magically disa

[Bug 40124] Request for determination: Adding user preferences via API

2012-12-03 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=40124 --- Comment #12 from Chris Steipp 2012-12-03 19:39:03 UTC --- I like the prefix suggestion from Brad. I think it's a useful tool for user-script authors to have a place to store the prefs, and the prefix makes sure that they don't accidentally

[Bug 40124] Request for determination: Adding user preferences via API

2012-12-03 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=40124 Roan Kattouw changed: What|Removed |Added CC||roan.katt...@gmail.com --- Comment #11

[Bug 40124] Request for determination: Adding user preferences via API

2012-12-03 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=40124 --- Comment #10 from Rainer Rillke @commons.wikimedia 2012-12-03 18:27:12 UTC --- (In reply to comment #4) > Sure, done: > . Thanks a lot MZMcBride. (In reply to comm

[Bug 40124] Request for determination: Adding user preferences via API

2012-12-03 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=40124 Brad Jorsch changed: What|Removed |Added CC||bjor...@wikimedia.org --- Comment #9 fro

[Bug 40124] Request for determination: Adding user preferences via API

2012-12-01 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=40124 --- Comment #8 from Bartosz Dziewoński 2012-12-01 18:23:06 UTC --- To expand on my final words: it might make sense to HTML-escape the contents of unknown preferences by default, to protect the sloppy coders, and document that the preferences

[Bug 40124] Request for determination: Adding user preferences via API

2012-12-01 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=40124 --- Comment #7 from Bartosz Dziewoński 2012-12-01 18:13:13 UTC --- I talked to Chris Steipp on IRC. Summary of our discussion (posted with permission): Bartosz Dziewoński: Your action=options API security/validation patch, I98df55f2, also rem

[Bug 40124] Request for determination: Adding user preferences via API

2012-11-30 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=40124 --- Comment #6 from Bartosz Dziewoński 2012-11-30 18:54:35 UTC --- So the ability to set any option was removed with I98df55f2. Is this just collateral damage from fixing the security bug, or should this be considered binding? I already manage

[Bug 40124] Request for determination: Adding user preferences via API

2012-09-10 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=40124 Michael M. changed: What|Removed |Added CC||listenle...@gmail.com --- Comment #5 from

[Bug 40124] Request for determination: Adding user preferences via API

2012-09-09 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=40124 --- Comment #4 from MZMcBride 2012-09-10 00:40:18 UTC --- (In reply to comment #2) > Hi MZMcBride, could you forward this to the mailing list? I always get > confused > with the mail flood so I only joined some -announce lists. Sure, done:

[Bug 40124] Request for determination: Adding user preferences via API

2012-09-09 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=40124 --- Comment #3 from jeremyb 2012-09-09 22:52:41 UTC --- (In reply to comment #2) > I always get confused > with the mail flood so I only joined some -announce lists. You can join lists with mail delivery disabled. Or you could leave delivery

[Bug 40124] Request for determination: Adding user preferences via API

2012-09-09 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=40124 --- Comment #2 from rai...@rillke.eu 2012-09-09 22:39:25 UTC --- Hi MZMcBride, could you forward this to the mailing list? I always get confused with the mail flood so I only joined some -announce lists.

[Bug 40124] Request for determination: Adding user preferences via API

2012-09-09 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=40124 MZMcBride changed: What|Removed |Added CC||b...@mzmcbride.com --- Comment #1 from MZM