On Mon, 03 Jun 2013 19:43:28 -0700, Tyler Romeo tylerromeo@gmail.com wrote:
On Mon, Jun 3, 2013 at 8:18 PM, Chris Steipp csteipp@wikimedia.org wrote:
We are trying to finish the items in scope (SUL rework, OAuth, and a review of the OpenID extension) by the end of this month.
Speaking of this, there's an OAuth framework attempt here: https://gerrit.wikimedia.org/r/66286
Am I the only person who thinks it's a bad idea for the AuthPlugin class to be relying on the ApiBase class for its interface? Especially since the AuthPlugin framework isn't supposed to handle authorization logic anyway.
-- Tyler Romeo, Stevens Institute of Technology, Class of 2016, Major in Computer Science, www.whizkidztech.com | tylerromeo@gmail.com
OAuth shouldn't even be implemented with AuthPlugin in the first place. At a few glances that code looks messed up. The use of a ScopedCallback (who the hell added this in the first place) looks messed up too; I see that as something that could be prone to mistakes. Looks like if you carelessly forget to hold on to it long enough, all of a sudden code that's supposed to have limited permissions could get full permissions.
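The lifetime pitfall raised in the message above, shown as an added example that is not part of the thread and is not MediaWiki's code. It assumes a scope guard that restores state from its destructor; `ScopeGuard`, `Session`, `limitRights`, `handleCareless` and `handleHeld` are hypothetical names.

```php
<?php
// Minimal stand-in for a scope guard; NOT MediaWiki's ScopedCallback class.
final class ScopeGuard {
    private $callback;

    public function __construct( callable $callback ) {
        $this->callback = $callback;
    }

    // PHP runs this as soon as the last reference to the object goes away.
    public function __destruct() {
        ( $this->callback )();
    }
}

// Hypothetical session whose rights can be narrowed for one request.
final class Session {
    public $rights = [ 'read', 'edit', 'delete' ];

    // Narrow the rights and return a guard that restores them on destruction.
    public function limitRights( array $allowed ): ScopeGuard {
        $saved = $this->rights;
        $this->rights = array_values( array_intersect( $saved, $allowed ) );
        return new ScopeGuard( function () use ( $saved ) {
            $this->rights = $saved;
        } );
    }
}

// Bug: the guard is never stored, so it is destroyed at the end of the
// statement and the full rights are back before the next line runs.
function handleCareless( Session $s ): array {
    $s->limitRights( [ 'read' ] );
    return $s->rights; // rights in effect while the "limited" code runs
}

// Correct: the guard lives in a local variable until the function returns.
function handleHeld( Session $s ): array {
    $guard = $s->limitRights( [ 'read' ] );
    return $s->rights; // still narrowed; restored only after this returns
}

// Constructed demo: same grant, different guard lifetime.
var_dump( handleCareless( new Session() ) );
var_dump( handleHeld( new Session() ) );
```

Nothing in the call site distinguishes the two handlers except an unused-looking local, which is why a reviewer or a static check should flag any call whose returned guard is discarded.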