Page MenuHomePhabricator
Create Task
Maniphest T332431

Update ConfirmEdit for IP masking
Closed, ResolvedPublic
Actions

Description

Required changes identified in the review on T327570:

  • Temp users have the same CAPTCHA requirements as normal users. This might allow bypassing CAPTCHA for actions that require it if it's possible to create a temp user account by performing some action that doesn't require it, so it should probably be changed to use the same requirements as logged out users, unless specified otherwise in the config.
  • Some throttle for login attempts treats logged in and logged out users differently, not sure what should be done there.

Related Objects
Search...

Event Timeline

matmarex created this task.Mar 17 2023, 6:56 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 17 2023, 6:56 PM
matmarex added a parent task: T326876: Update Editing Team-owned products that may be affected by temporary users.Mar 17 2023, 6:59 PM
matmarex mentioned this in T327570: [SPIKE] Document the changes IP Masking will require the Editing Team to make.
matmarex added a project: Temporary accounts.Mar 23 2023, 3:21 PM
ppelberg subscribed.Aug 8 2023, 4:52 PM
matmarex claimed this task.Aug 8 2023, 6:55 PM
matmarex added a project: Editing-team (Kanban Board).
matmarex added a project: MediaWiki-Platform-Team.Aug 16 2023, 2:00 PM

While ConfirmEdit is nominally owned by the Editing team, this is a historical accident that resulted from us adding CAPTCHA support to VisualEditor back in the day, and no one on the team (including myself) has any experience with the rest of it. I'm still going to work on this, but I'll try to get someone from the MediaWiki Platform team to review the changes.

ppelberg mentioned this in T344468: QA Editing-related IP Masking changes.Aug 17 2023, 10:23 PM
ppelberg added a project: Goal.Aug 22 2023, 7:48 PM
matmarex added a comment.Aug 24 2023, 12:57 AM

Some throttle for login attempts treats logged in and logged out users differently, not sure what should be done there.

It turns out that nothing needs to be done about this. There are actually unrelated throttles for login attempts from an IP address (but not related to IP users in any way) and login attempts using a given username (so not relevant to temp users, since they can't log in).

This took me a few hours to work out, so I improved documentation: https://www.mediawiki.org/w/index.php?title=Extension:ConfirmEdit&diff=6079039 and the code: https://gerrit.wikimedia.org/r/c/mediawiki/extensions/ConfirmEdit/ /952023 so that maybe the next person will find it easier.

matmarex added a comment.Aug 24 2023, 1:19 AM

Temp users have the same CAPTCHA requirements as normal users. This might allow bypassing CAPTCHA for actions that require it if it's possible to create a temp user account by performing some action that doesn't require it, so it should probably be changed to use the same requirements as logged out users, unless specified otherwise in the config.

This has been resolved in rMWdd2f898f86ee: Add temporary users to a 'temp' group, and stop adding them to 'user'.

matmarex moved this task from Inbox, needs triage to Current Sprint on the MediaWiki-Platform-Team board.Aug 24 2023, 2:23 AM
matmarex moved this task from Incoming to Doing on the Editing-team (Kanban Board) board.
matmarex added a comment.Aug 24 2023, 2:28 AM

I've asked folks from MediaWiki-Platform-Team to double-check, but I think this task is done.

matmarex closed this task as Resolved.Aug 29 2023, 11:25 PM
Ryasmeen added a project: Verified.Sep 9 2023, 4:54 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits