Context
AbuseFilter provides the ability to define consequences in response to triggers. These are currently things like block, deny action, etc. It would be nice to define a consequence to show a CAPTCHA via the ConfirmEdit extension, for cases where the AbuseFilter exists to deny bot editing.
Proposal
- Introduce a CaptchaConsequence that can be used for actions in AbuseFilter
- Users with skipcaptcha right can continue to bypass CAPTCHA even if they trigger the AbuseFilter
Consequences
- It is possible to configure AbuseFilters that show a CAPTCHA when conditions are matched
Next steps
- Complete QA
- Enable on all wikis
Original report
Author: mike.lifeguard+bugs
Description:
To either slow down human abusers or weed out bots, please allow AbuseFilter to present a CAPTCHA & allow the change only if solved. Yes, I'm aware that captchas are mean to humans both blind and sighted (though of course a particular horror from an accessibility standpoint) - they'd have to be used sparingly etc, but that's a useful option IMO.
Version: unspecified
Severity: enhancement
Details- Reference
- bz18110
Subject Repo Branch Lines +/- ConfirmEditHandler: Remove method_exists checks operations/mediawiki-config master +18 -1 SimpleCaptcha: Allow invoking CAPTCHA display from other extensions mediawiki/extensions/AbuseFilter wmf/1.43.0-wmf.5 +24 -5 CaptchaConsequence: Use SessionManager to communicate with AbuseFilter mediawiki/extensions/AbuseFilter master +65 -0 zuul: Update AbuseFilter/ConfirmEdit phan and test dependencies integration/config Comment ActionsHey, noticed on testwiki that some of you are trying this from your main account; that probably has skipcaptcha rights so will never be shown one.
FWIW, I
Comment ActionsChange #1031549 had a related patch set uploaded (by Kosta Harlan; author: Kosta Harlan):
[mediawiki/extensions/ConfirmEdit@master] CaptchaConsequence: Use SessionManager to communicate with AbuseFilter
Comment ActionsChange #1031550 had a related patch set uploaded (by Kosta Harlan; author: Kosta Harlan):
[mediawiki/extensions/AbuseFilter@master] ConfirmEditHandler: Use Session instead of WebRequest
Comment Actions
Yeah, I realized that and switched to using a logged out user for the test. Thanks for flagging though, it's easy to forget about that!
FWIW, I have also tried this on your patch demo, and also get no captcha. Also tried on a local wiki, and again get no captcha. I even tried loading AbuseFilter before ConfirmEdit (a bad idea, breaks the "throttle" filters and also causes T151116), and still no luck.
Thanks for that. I've uploaded an alternative approach that I think would be more robust.
Comment Actions
Tried that on my local wiki (all edits made logged out):
- Loading ConfirmEdit before AbuseFilter (the same order as WMF wikis), I get no captcha on the first attempted edit. I do get a CAPTCHA, the next time I open a page for editing, even before I try to publish.
- Loading AbuseFilter before ConfirmEdit, I get a "Incorrect or missing CAPTCHA. " error (even though I would have had no idea a CAPTCHA was to be expected). Also, the message is at the top, but the CAPTCHA entry form is at the bottom. But reversing the order would be a very bad idea; it would cause "throttle" filters to trip on innocent users struggling with the CAPTCHA, and also prevent any user from adding an external link, if they also trip a "warn" filter.
Comment Actions
Aha. Yeah, I am loading AbuseFilter before ConfirmEdit in my local wiki. Thank you for testing the patches and leaving the detailed notes. OK, I'll look at this more closely tomorrow.
Comment ActionsFWIW, I have also tried this on your patch demo, and also get no captcha.
Correction. I didn't realize that the "Type 'patchdemo' here as an anti-spam measure." box was coming from QuestyCaptcha, and thought it was some generic anti-spam measure on all patchdemos.
So what actually happened is that I did get a request for a CAPTCHA, but the box was there before I even tried to click "Publish"! This cannot be coming from AbuseFilter; the filters haven't even been checked yet. Do you have ConfirmEdit enabled for all edits with something like $wgCaptchaTriggers['edit'] = true;?
Comment Actions
The user notice should wait, because the functionality isn't working yet in production.
Comment ActionsChange #1031757 had a related patch set uploaded (by Kosta Harlan; author: Kosta Harlan):
[mediawiki/extensions/ConfirmEdit@master] AbuseFilterHooks: Provide feature flags for AF custom actions
Comment ActionsChange #1031550 abandoned by Kosta Harlan:
[mediawiki/extensions/AbuseFilter@master] ConfirmEditHandler: Use Session instead of WebRequest
Reason:
Doesn't fix the underlying issue, which is due to order of extension loading in production.
Comment ActionsChange #1031549 abandoned by Kosta Harlan:
[mediawiki/extensions/ConfirmEdit@master] CaptchaConsequence: Use SessionManager to communicate with AbuseFilter
Reason:
Doesn't fix the underlying issue, which is due to order of extension loading in production.
Comment Actions
It will break other things.
I’m working on a patch that uses a different approach, will clean it up and push for review later today.
Comment ActionsChange #1031885 had a related patch set uploaded (by Kosta Harlan; author: Kosta Harlan):
[mediawiki/extensions/ConfirmEdit@master] [WIP] SimpleCaptcha: Allow invoking from other extensions
Comment ActionsChange #1031886 had a related patch set uploaded (by Kosta Harlan; author: Kosta Harlan):
[mediawiki/extensions/AbuseFilter@master] [WIP] ConfirmEditHandler: Use SimpleCaptcha to invoke CAPTCHA display
Comment ActionsChange #1031921 had a related patch set uploaded (by Kosta Harlan; author: Kosta Harlan):
[mediawiki/extensions/ConfirmEdit@wmf/1.43.0-wmf.5] AbuseFilterHooks: Provide feature flags for AF custom actions
Comment ActionsChange #1031757 merged by jenkins-bot:
[mediawiki/extensions/ConfirmEdit@master] AbuseFilterHooks: Provide feature flags for AF custom actions
Comment ActionsChange #1031921 merged by jenkins-bot:
[mediawiki/extensions/ConfirmEdit@wmf/1.43.0-wmf.5] AbuseFilterHooks: Provide feature flags for AF custom actions
Comment ActionsComment Actions
@suffusion_of_yellow Yeah, Patch Demo isn't a good environment for verifying these patches because it sets a CAPTCHA for all edits for not logged-in users, and gives all logged-in users skipcaptcha right. We'd need to make some adjustments. The config it uses (extensions-ConfirmEdit.php):
$wgCaptchaTriggers['edit'] = true;
$wgCaptchaTriggers['createaccount'] = true;
/ Don't show CAPTCHA when logged in
$wgGroupPermissions['user']['skipcaptcha'] = true;
I've reworked the functionality for the AbuseFilter/ConfirmEdit integration in these two patches: https://gerrit.wikimedia.org/r/c/1031885 https://gerrit.wikimedia.org/r/c/1031886
Tried these patches. I am using the 2010 editor, and these options:
wfLoadExtensions( ['ConfirmEdit', 'ConfirmEdit/QuestyCaptcha'] );
$wgCaptchaQuestions = [
'What is the answer to Life, the Universe, and Everything?' => '42'
];
$wgConfirmEditEnabledAbuseFilterCustomActions = [ 'showcaptcha' ];
wfLoadExtension( 'AbuseFilter' );
First, I set a filter to "showcaptcha", and attempted an edit NOT adding external links. After clicking "publish" the first time, at the top of the page, I got the message "Incorrect or missing CAPTCHA." even though I was never asked for one in the first place. The actual CAPCTHA was at the bottom of the page. The page saved successfully when I answered correctly.
Second, I attempted an edit adding external links, keeping the filter set to "showcaptcha". This time, I got the standard "Your edit includes new external links..." message, and the captcha input was at the top, right below the message. (This is the expected behavior.)
Third, I set a filter to "warn" and "showcaptcha", and attempted an edit NOT adding external links. This time, I was bounced back and forth endlessly between the warning message and the request for a CAPTCHA. There was no way to save the page.
Fourth, I attempted an edit adding external links, keeping the filter set to "warn" and "showcaptcha". This time I got one request for a CAPTCHA, then the warning, then a second request, but the edit finally saved. (This is not optimal, but AFAIK an existing problem not caused by this patch.)
So three improvements are needed here:
- The message should say something other than "Incorrect or missing CAPTCHA." when no CAPTCHA was ever asked for.
- The CAPTCHA input should be at the top, near the message (same as when adding external links)
- There should be some way to save a page when a filter is set to warn+showcaptcha (other than adding a new link), or this option should be forbidden when saving a filter.
Comment Actions
Thanks so much for testing and for the detailed notes!
So three improvements are needed here:
- The message should say something other than "Incorrect or missing CAPTCHA." when no CAPTCHA was ever asked for.
I think this should be possible without too many hacks.
- The CAPTCHA input should be at the top, near the message (same as when adding external links)
This one, I am not sure about yet. Maybe we could do that in a follow-up task?
- There should be some way to save a page when a filter is set to warn+showcaptcha (other than adding a new link), or this option should be forbidden when saving a filter.
I would lean towards going with the latter ("forbidden when saving a filter") but I am not sure about how possible that is with AbuseFilter.
Comment Actions
@Dreamy_Jazz has +2'ed the patches and one of us will make follow up patches for these issues. The feature is behind a config flag so there is not a risk of this being in front of users.
Comment ActionsChange #1031886 merged by jenkins-bot:
[mediawiki/extensions/AbuseFilter@master] ConfirmEditHandler: Use SimpleCaptcha API to invoke CAPTCHA display
Comment ActionsChange #1031885 merged by jenkins-bot:
[mediawiki/extensions/ConfirmEdit@master] SimpleCaptcha: Allow invoking CAPTCHA display from other extensions
Comment Actions
I would lean towards going with the latter ("forbidden when saving a filter") but I am not sure about how possible that is with AbuseFilter.
FWIW, I tried setting one filter to "warn", and another to "showcaptcha", and it worked! I got both the warning and the CAPTCHA form on the same page, and after filling in the CAPTCHA, I was able to save the page. Not sure why it doesn't work when both settings are on the same filter; maybe it's just a minor bug?
Comment ActionsChange #1052909 had a related patch set uploaded (by Kosta Harlan; author: Kosta Harlan):
[mediawiki/extensions/ConfirmEdit@master] SimpleCaptcha: Show captcha-edit message if forceShowCaptcha is set
Comment ActionsChange #1053238 had a related patch set uploaded (by Kosta Harlan; author: Kosta Harlan):
[operations/mediawiki-config@master] ConfirmEdit: Enable showcaptcha action on testwiki and beta wikis
Comment ActionsChange #1053238 merged by jenkins-bot:
[operations/mediawiki-config@master] ConfirmEdit: Enable showcaptcha action on testwiki and beta wikis
Comment ActionsMentioned in SAL (#wikimedia-operations) [2024-07-10T08:06:49Z] <kharlan@deploy1002> Finished scap: Backport for [[gerrit:1053238|ConfirmEdit: Enable showcaptcha action on testwiki and beta wikis (T20110)]] (duration: 09m 41s)
Comment ActionsChange #1052909 merged by jenkins-bot:
[mediawiki/extensions/ConfirmEdit@master] SimpleCaptcha: Show captcha-edit message if forceShowCaptcha is set
Comment Actions
That is done in SimpleCaptcha: Show captcha-edit message if forceShowCaptcha is set. Although, it's worth noting that VisualEditor and DiscussionTools do not update their CAPTCHA message on failure (not related to this implementation) as far as I can tell. But for source editor, you'll get an updated message after failing to submit an edit.
The showcaptcha AbuseFilter consequence is now available on testwiki and beta cluster wikis.
Comment ActionsFor QA, it would be helpful to test out:
- Adding a showcaptcha consequence
- Triggering that consequence through API edits (VisualEditor, DiscussionTools) and non-API edits
The intention for this consequence is to be used in an editing context, but would be helpful to know how well it works / doesn't work in other situations (account creations, page moves, etc).
It could also be helpful to understand how the throttled notifications issue works out as discussed in T303433#10017793, but that could be QA'ed separately, if there isn't time to look at it here.
Comment ActionsChange #1056146 had a related patch set uploaded (by Kosta Harlan; author: Kosta Harlan):
[operations/mediawiki-config@master] AbuseFilter: Enable showcaptcha consequence everywhere
Comment Actions
I have seen the captcha for source editor, VE and DiscussionTools, and successfully edited after completing the captcha.
Editing via the API I get a response:
{
"edit": {
"captcha": {
"type": "image",
"mime": "image/png",
"id": "218847720",
"url": "/w/index.php?title=Spezial:Captcha/image&wpCaptchaId=218847720"
},
"result": "Failure"
}
}
The intention for this consequence is to be used in an editing context, but would be helpful to know how well it works / doesn't work in other situations (account creations, page moves, etc).
createaccount
Testing a filter with action=="createaccount".
I could not get the captcha to work for the createaccount action on beta. Perhaps this is because IP and newly created users already see a captcha when trying to create an account.
Locally, I had to set $wgCaptchaTriggers['createaccount'] = false; in order to see the AF captcha consequence after trying to submit Special:CreateAccount. However, even after completing the captcha and re-submitting it does not succeed and continues to show the error Incorrect or missing CAPTCHA.
autocreateaccount
Filter with action=="autocreateaccount".
Testing on dewiki beta, I do see the captcha after attempting to submit the edit. However, the temporary account has already been created at this point.
move
I could not get this to work for the move action. On beta, IP and newly created users cannot move articles. I had to test this locally and give all users move rights.
I did not test other actions like upload or delete.
Other observations
I could not get this to work for a global filter (testing on
Comment ActionsChange #1056146 merged by jenkins-bot:
[operations/mediawiki-config@master] AbuseFilter: Enable showcaptcha consequence everywhere
Comment Actions[see https://meta.wikimedia.org/wiki/Special:AbuseLog/2803401 for context] Under my alternative account, I've decided to test if it will show me the CAPTCHA, and it didn't; it just allowed me to create the page completely.
Also, it's worth noting that this action is NOT a restricted action per
Comment Actions
I can reproduce on VE. For Source Editor, I can only reproduce if I have a single AB rule which triggers both a warning and a captcha.
I wonder if it is the same bug as T151116. @kostajh?
@codenamenoreste Does the user have the skipcaptcha right? This is assigned to autoconfirmed users, for example.
Comment Actions
I will do more testing of multiple/conflicting abuse filters when we implement T372642. I will move this along.
@codenamenoreste Does the user have the skipcaptcha right? This is assigned to autoconfirmed users, for example.
I could have just checked this myself. The right.
I assume that is the reason they did not see the captcha.
Comment ActionsChange #1102740 had a related patch set uploaded (by Kosta Harlan; author: Kosta Harlan):
[mediawiki/extensions/AbuseFilter@master] ConfirmEditHandler: Remove method_exists checks
Comment ActionsChange #1102740 merged by jenkins-bot:
[mediawiki/extensions/AbuseFilter@master] ConfirmEditHandler: Remove method_exists checks
Comment ActionsChange #1102863 had a related patch set uploaded (by Reedy; author: Kosta Harlan):
[mediawiki/extensions/AbuseFilter@REL1_43] ConfirmEditHandler: Remove method_exists checks
Comment ActionsChange #1102863 merged by jenkins-bot:
[mediawiki/extensions/AbuseFilter@REL1_43] ConfirmEditHandler: Remove method_exists checks
Code of Conduct · GPL ·
- Reference
- bz18110
| Subject | Repo | Branch | Lines +/- | |
|---|---|---|---|---|
| ConfirmEditHandler: Remove method_exists checks | operations/mediawiki-config | master | +18 -1 | |
| SimpleCaptcha: Allow invoking CAPTCHA display from other extensions | mediawiki/extensions/AbuseFilter | wmf/1.43.0-wmf.5 | +24 -5 | |
| CaptchaConsequence: Use SessionManager to communicate with AbuseFilter | mediawiki/extensions/AbuseFilter | master | +65 -0 | |
| zuul: Update AbuseFilter/ConfirmEdit phan and test dependencies | integration/config | Comment Actions Hey, noticed on testwiki that some of you are trying this from your main account; that probably has skipcaptcha rights so will never be shown one. FWIW, I Comment Actions Change #1031549 had a related patch set uploaded (by Kosta Harlan; author: Kosta Harlan): [mediawiki/extensions/ConfirmEdit@master] CaptchaConsequence: Use SessionManager to communicate with AbuseFilter Comment Actions Change #1031550 had a related patch set uploaded (by Kosta Harlan; author: Kosta Harlan): [mediawiki/extensions/AbuseFilter@master] ConfirmEditHandler: Use Session instead of WebRequest Comment Actions Yeah, I realized that and switched to using a logged out user for the test. Thanks for flagging though, it's easy to forget about that!
Thanks for that. I've uploaded an alternative approach that I think would be more robust. Comment Actions Tried that on my local wiki (all edits made logged out):
Comment Actions Aha. Yeah, I am loading AbuseFilter before ConfirmEdit in my local wiki. Thank you for testing the patches and leaving the detailed notes. OK, I'll look at this more closely tomorrow. Comment Actions
Correction. I didn't realize that the "Type 'patchdemo' here as an anti-spam measure." box was coming from QuestyCaptcha, and thought it was some generic anti-spam measure on all patchdemos. So what actually happened is that I did get a request for a CAPTCHA, but the box was there before I even tried to click "Publish"! This cannot be coming from AbuseFilter; the filters haven't even been checked yet. Do you have ConfirmEdit enabled for all edits with something like $wgCaptchaTriggers['edit'] = true;? Comment Actions The user notice should wait, because the functionality isn't working yet in production. Comment Actions Change #1031757 had a related patch set uploaded (by Kosta Harlan; author: Kosta Harlan): [mediawiki/extensions/ConfirmEdit@master] AbuseFilterHooks: Provide feature flags for AF custom actions Comment Actions Change #1031550 abandoned by Kosta Harlan: [mediawiki/extensions/AbuseFilter@master] ConfirmEditHandler: Use Session instead of WebRequest Reason: Doesn't fix the underlying issue, which is due to order of extension loading in production. Comment Actions Change #1031549 abandoned by Kosta Harlan: [mediawiki/extensions/ConfirmEdit@master] CaptchaConsequence: Use SessionManager to communicate with AbuseFilter Reason: Doesn't fix the underlying issue, which is due to order of extension loading in production. Comment Actions It will break other things. I’m working on a patch that uses a different approach, will clean it up and push for review later today. Comment Actions Change #1031885 had a related patch set uploaded (by Kosta Harlan; author: Kosta Harlan): [mediawiki/extensions/ConfirmEdit@master] [WIP] SimpleCaptcha: Allow invoking from other extensions Comment Actions Change #1031886 had a related patch set uploaded (by Kosta Harlan; author: Kosta Harlan): [mediawiki/extensions/AbuseFilter@master] [WIP] ConfirmEditHandler: Use SimpleCaptcha to invoke CAPTCHA display Comment Actions Change #1031921 had a related patch set uploaded (by Kosta Harlan; author: Kosta Harlan): [mediawiki/extensions/ConfirmEdit@wmf/1.43.0-wmf.5] AbuseFilterHooks: Provide feature flags for AF custom actions Comment Actions Change #1031757 merged by jenkins-bot: [mediawiki/extensions/ConfirmEdit@master] AbuseFilterHooks: Provide feature flags for AF custom actions Comment Actions Change #1031921 merged by jenkins-bot: [mediawiki/extensions/ConfirmEdit@wmf/1.43.0-wmf.5] AbuseFilterHooks: Provide feature flags for AF custom actions Comment Actions @suffusion_of_yellow Yeah, Patch Demo isn't a good environment for verifying these patches because it sets a CAPTCHA for all edits for not logged-in users, and gives all logged-in users skipcaptcha right. We'd need to make some adjustments. The config it uses (extensions-ConfirmEdit.php): I've reworked the functionality for the AbuseFilter/ConfirmEdit integration in these two patches: https://gerrit.wikimedia.org/r/c/1031885 https://gerrit.wikimedia.org/r/c/1031886 Tried these patches. I am using the 2010 editor, and these options: First, I set a filter to "showcaptcha", and attempted an edit NOT adding external links. After clicking "publish" the first time, at the top of the page, I got the message "Incorrect or missing CAPTCHA." even though I was never asked for one in the first place. The actual CAPCTHA was at the bottom of the page. The page saved successfully when I answered correctly. Second, I attempted an edit adding external links, keeping the filter set to "showcaptcha". This time, I got the standard "Your edit includes new external links..." message, and the captcha input was at the top, right below the message. (This is the expected behavior.) Third, I set a filter to "warn" and "showcaptcha", and attempted an edit NOT adding external links. This time, I was bounced back and forth endlessly between the warning message and the request for a CAPTCHA. There was no way to save the page. Fourth, I attempted an edit adding external links, keeping the filter set to "warn" and "showcaptcha". This time I got one request for a CAPTCHA, then the warning, then a second request, but the edit finally saved. (This is not optimal, but AFAIK an existing problem not caused by this patch.) So three improvements are needed here: Thanks so much for testing and for the detailed notes! So three improvements are needed here: I think this should be possible without too many hacks. This one, I am not sure about yet. Maybe we could do that in a follow-up task? I would lean towards going with the latter ("forbidden when saving a filter") but I am not sure about how possible that is with AbuseFilter. @Dreamy_Jazz has +2'ed the patches and one of us will make follow up patches for these issues. The feature is behind a config flag so there is not a risk of this being in front of users. Change #1031886 merged by jenkins-bot: [mediawiki/extensions/AbuseFilter@master] ConfirmEditHandler: Use SimpleCaptcha API to invoke CAPTCHA display Change #1031885 merged by jenkins-bot: [mediawiki/extensions/ConfirmEdit@master] SimpleCaptcha: Allow invoking CAPTCHA display from other extensions I would lean towards going with the latter ("forbidden when saving a filter") but I am not sure about how possible that is with AbuseFilter. FWIW, I tried setting one filter to "warn", and another to "showcaptcha", and it worked! I got both the warning and the CAPTCHA form on the same page, and after filling in the CAPTCHA, I was able to save the page. Not sure why it doesn't work when both settings are on the same filter; maybe it's just a minor bug? Change #1052909 had a related patch set uploaded (by Kosta Harlan; author: Kosta Harlan): [mediawiki/extensions/ConfirmEdit@master] SimpleCaptcha: Show captcha-edit message if forceShowCaptcha is set Change #1053238 had a related patch set uploaded (by Kosta Harlan; author: Kosta Harlan): [operations/mediawiki-config@master] ConfirmEdit: Enable showcaptcha action on testwiki and beta wikis Change #1053238 merged by jenkins-bot: [operations/mediawiki-config@master] ConfirmEdit: Enable showcaptcha action on testwiki and beta wikis Mentioned in SAL (#wikimedia-operations) [2024-07-10T08:06:49Z] <kharlan@deploy1002> Finished scap: Backport for [[gerrit:1053238|ConfirmEdit: Enable showcaptcha action on testwiki and beta wikis (T20110)]] (duration: 09m 41s) Change #1052909 merged by jenkins-bot: [mediawiki/extensions/ConfirmEdit@master] SimpleCaptcha: Show captcha-edit message if forceShowCaptcha is set That is done in SimpleCaptcha: Show captcha-edit message if forceShowCaptcha is set. Although, it's worth noting that VisualEditor and DiscussionTools do not update their CAPTCHA message on failure (not related to this implementation) as far as I can tell. But for source editor, you'll get an updated message after failing to submit an edit. The showcaptcha AbuseFilter consequence is now available on testwiki and beta cluster wikis. For QA, it would be helpful to test out: The intention for this consequence is to be used in an editing context, but would be helpful to know how well it works / doesn't work in other situations (account creations, page moves, etc). It could also be helpful to understand how the throttled notifications issue works out as discussed in T303433#10017793, but that could be QA'ed separately, if there isn't time to look at it here. Change #1056146 had a related patch set uploaded (by Kosta Harlan; author: Kosta Harlan): [operations/mediawiki-config@master] AbuseFilter: Enable showcaptcha consequence everywhere I have seen the captcha for source editor, VE and DiscussionTools, and successfully edited after completing the captcha. Editing via the API I get a response: The intention for this consequence is to be used in an editing context, but would be helpful to know how well it works / doesn't work in other situations (account creations, page moves, etc). createaccount Testing a filter with action=="createaccount". I could not get the captcha to work for the createaccount action on beta. Perhaps this is because IP and newly created users already see a captcha when trying to create an account. Locally, I had to set $wgCaptchaTriggers['createaccount'] = false; in order to see the AF captcha consequence after trying to submit Special:CreateAccount. However, even after completing the captcha and re-submitting it does not succeed and continues to show the error Incorrect or missing CAPTCHA. autocreateaccount Filter with action=="autocreateaccount". Testing on dewiki beta, I do see the captcha after attempting to submit the edit. However, the temporary account has already been created at this point. move I could not get this to work for the move action. On beta, IP and newly created users cannot move articles. I had to test this locally and give all users move rights. I did not test other actions like upload or delete. Other observations I could not get this to work for a global filter (testing on Change #1056146 merged by jenkins-bot: [operations/mediawiki-config@master] AbuseFilter: Enable showcaptcha consequence everywhere [see https://meta.wikimedia.org/wiki/Special:AbuseLog/2803401 for context] Under my alternative account, I've decided to test if it will show me the CAPTCHA, and it didn't; it just allowed me to create the page completely. Also, it's worth noting that this action is NOT a restricted action per I can reproduce on VE. For Source Editor, I can only reproduce if I have a single AB rule which triggers both a warning and a captcha. I wonder if it is the same bug as T151116. @kostajh? @codenamenoreste Does the user have the skipcaptcha right? This is assigned to autoconfirmed users, for example. I will do more testing of multiple/conflicting abuse filters when we implement T372642. I will move this along. @codenamenoreste Does the user have the skipcaptcha right? This is assigned to autoconfirmed users, for example. I could have just checked this myself. The right. I assume that is the reason they did not see the captcha. Change #1102740 had a related patch set uploaded (by Kosta Harlan; author: Kosta Harlan): [mediawiki/extensions/AbuseFilter@master] ConfirmEditHandler: Remove method_exists checks Change #1102740 merged by jenkins-bot: [mediawiki/extensions/AbuseFilter@master] ConfirmEditHandler: Remove method_exists checks Change #1102863 had a related patch set uploaded (by Reedy; author: Kosta Harlan): [mediawiki/extensions/AbuseFilter@REL1_43] ConfirmEditHandler: Remove method_exists checks Change #1102863 merged by jenkins-bot: [mediawiki/extensions/AbuseFilter@REL1_43] ConfirmEditHandler: Remove method_exists checks Code of Conduct · GPL · |
)){kind=link}
)){kind=link}
)){kind=link}
)){kind=link}