Background
ApiMain::checkAsserts checks that the calling user is the right type of user. It accepts one of anon, user or bot.
Currently, temporary accounts are considered to be in the user category:
```php
switch ( $params['assert'] ) {
	case 'anon':
		if ( $user->isRegistered() ) {
			$this->dieWithError( 'apierror-assertanonfailed' );
		}
		break;
	case 'user':
		if ( !$user->isRegistered() ) {
			$this->dieWithError( 'apierror-assertuserfailed' );
		}
		break;
	case 'bot':
		if ( !$this->getAuthority()->isAllowed( 'bot' ) ) {
			$this->dieWithError( 'apierror-assertbotfailed' );
		}
		break;
}
```
This will break the assumption, made by any callers, that assert=user filters for users who have filled in a registration form. However, if we consider temporary users as a separate category, that will break the assumption that assert=user filters for anyone with a row in the user table.
We discussed how to handle cases like this in T337103: Decide a standard approach for classifying temporary, IP and registered users and decided that we would give temporary users their own category.
What needs doing
Since only a single value can be given, it seems sensible to allow temporary users to be filtered alongside either user type, as well as on their own. In which case we should add the following to the assert param:
Value | Checks for |
---|---|
temp | User::isTemp() |
anonOrTemp | !User::isNamed() |
userOrTemp | User::isRegistered() |
...and change the check for the user value to User::isNamed().
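The proposed semantics can be tabulated per account type. The script below is an added example, not MediaWiki code: StubUser and assertPasses are hypothetical names that model only the three predicates in the table (assumes PHP 8.0+), and the bot value is left out because it depends on rights rather than account type.

```php
<?php
// Added illustration, not MediaWiki code. StubUser is a hypothetical stand-in
// that models only the three predicates named in the task.
final class StubUser {
	public function __construct( private bool $hasUserRow, private bool $temp ) {
	}
	// Has a row in the user table (named or temporary account).
	public function isRegistered(): bool {
		return $this->hasUserRow;
	}
	public function isTemp(): bool {
		return $this->hasUserRow && $this->temp;
	}
	// Registered and not temporary.
	public function isNamed(): bool {
		return $this->hasUserRow && !$this->temp;
	}
}

// Proposed semantics from the table: true when the assertion passes.
function assertPasses( string $assert, StubUser $u ): bool {
	return match ( $assert ) {
		'anon' => !$u->isRegistered(),
		'temp' => $u->isTemp(),
		'user' => $u->isNamed(),
		'anonOrTemp' => !$u->isNamed(),
		'userOrTemp' => $u->isRegistered(),
		default => throw new InvalidArgumentException( "unknown assert: $assert" ),
	};
}

// Constructed sample users, one per account type.
$users = [
	'anon' => new StubUser( false, false ),
	'temp' => new StubUser( true, true ),
	'named' => new StubUser( true, false ),
];
printf( "%-12s%-8s%-8s%-8s\n", 'assert', ...array_keys( $users ) );
foreach ( [ 'anon', 'temp', 'user', 'anonOrTemp', 'userOrTemp' ] as $assert ) {
	printf( "%-12s", $assert );
	foreach ( $users as $u ) {
		printf( "%-8s", assertPasses( $assert, $u ) ? 'pass' : 'fail' );
	}
	echo "\n";
}
// Current behaviour of assert=user, for comparison: isRegistered().
printf( "%-12s", 'user (now)' );
foreach ( $users as $u ) {
	printf( "%-8s", $u->isRegistered() ? 'pass' : 'fail' );
}
echo "\n";
```

The only row that differs from current behaviour is user for a temporary account, which passes today and fails under the proposal.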
Acceptance criteria
- The new values temp, anonOrTemp and userOrTemp are added
- The check for user is updated
- The changes are recorded in the release notes