Commit graph

125 commits

Author SHA1 Message Date
thiemowmde 2def63118e Replace BadMethodCallException with LogicException
The BadMethodCallException is documented as "thrown if a callback
refers to an undefined method or if some arguments are missing".
This is not what happens in these places.

Change-Id: Ic95b67acc2e17eea1dd0fa1d72f9ac94a86bcf17
2023-11-16 19:10:50 +00:00
Bartosz Dziewoński 0f63d6011c Parse wikitext in page titles with filter number as parameter
Follow-up to 0ff282dcc3.

Bug: T343994
Change-Id: I14cc0cebcf10fb552475ef6ffbab9dcfa55221cd
2023-10-05 20:54:58 +00:00
Bartosz Dziewoński 1e54192b1b Fix non-escaped messages used in page subtitles
Reported by Phan, and also discoverable with ?uselang=x-xss.

Change-Id: Ieb41d11acf543784f1cfbca5ea2272ac0bffc9a9
2023-10-05 22:51:21 +02:00
jenkins-bot df88b1b4b7 Merge "Revert "Remove unused SecurityCheck-ReDoS suppression"" 2023-09-25 20:19:36 +00:00
Daimona Eaytoy 7896e8f2c4 Revert "Remove unused SecurityCheck-ReDoS suppression"
This reverts commit 2107ee4f38.

Reason for revert: T347220

Change-Id: If76c4d0d7564d48bf231173d1d8f5177127fc5fa
2023-09-25 16:07:21 +00:00
C. Scott Ananian 0ff282dcc3 Use OutputPage::setPageTitleMsg() instead of ::setPageTitle()
The new method formats the message with Message::escaped() which
better protects from bad HTML in the message.

The ::setPageTitleMsg() method was added in 1.41 and this extension
already requires MW >= 1.41.

Bug: T343994
Change-Id: Ic07cde3bafeaa0325024fe89b4948680d04c4820
2023-09-22 21:18:03 +00:00
C. Scott Ananian 2107ee4f38 Remove unused SecurityCheck-ReDoS suppression
Change-Id: I7809c29e1150ea6770f3aa70a3fb790f3e4ce32f
2023-09-22 21:17:31 +00:00
Matěj Suchánek 9beeca3752 Fix various typos and documentation issues
Change-Id: I1e9d297f665282d251343598e102e1d342488965
2023-09-04 12:55:17 +02:00
Umherirrender cd7e9d31a7 Use namespaced Title
Bug: T321681
Change-Id: I66fd9b70a5de06ac3c81bdf6a2a5bca64ed094c2
2023-08-19 19:49:36 +02:00
jenkins-bot 9aa87e9234 Merge "Clean up AbuseFilterViewTestBatch" 2023-07-12 13:12:47 +00:00
Tim Starling fe592746b7 Use the new Wikimedia\Diff namespace
Bug: T339184
Change-Id: I381686678524868c85466bdafde3856a73a8cb1c
2023-06-29 11:56:13 +10:00
Matěj Suchánek c2a40fb0ff Clean up AbuseFilterViewTestBatch
Inject dependencies, use implicit form validation.

Change-Id: I74afeeceb39ada93cf3c20d5d3fc417ab4e3bf4b
2023-06-27 10:53:45 +02:00
jenkins-bot 0c33716f5b Merge "Mark protected stuff in classes with no subclasses as private" 2023-06-23 18:35:48 +00:00
thiemowmde 9316a7d65f Mark some unused public class features as private
These are not used anywhere outside of these classes.

Change-Id: I0a0a5cf1e84133bae69b95da771c285ee27f926c
2023-06-23 12:32:38 +02:00
thiemowmde 24888bea15 Mark protected stuff in classes with no subclasses as private
Protected effectively means "public to subclasses" and should be
avoided for the same reasons as marking everything as public should
be avoided.

Change-Id: Iba674b486ce53fd1f94f70163d47824e969abb77
2023-06-23 12:28:06 +02:00
thiemowmde b63d5c138e Use much more narrow IReadableDatabase and related where possible
Much more narrow interfaces. This code doesn't need more.

Change-Id: Iab0f1da27968246333a4a555b02bfb750cf9eedb
2023-06-14 19:42:01 +00:00
thiemowmde 7e6132d4d7 Remove bits of unused code across the codebase
Mostly found with the code inspection tools in PHPStorm.

Change-Id: I7f59dddca0aaab0ddd1093d52c07ec12efd20d6d
2023-06-14 19:41:00 +00:00
thiemowmde 84058c3d96 Make use of the ??= operator and such where it makes sense
We can avoid a bit of code duplication and move code closer together
when it belongs together.

Change-Id: Iffca7e4abfbf03d4663ee909220057bcbd54da75
2023-06-12 10:27:03 +02:00
Daimona Eaytoy caee78c24d Replace deprecated MWException
These are all unchecked.

Bug: T328220
Change-Id: I8d2f098a8b634d4a226b40ddaef31f0303a0789f
2023-06-07 17:41:20 +02:00
jenkins-bot 290dd70bb2 Merge "Replace deprecated database object access methods" 2023-03-27 09:11:46 +00:00
Matěj Suchánek 8f6a428f02 Replace deprecated database object access methods
Use the very new getPrimaryDatabase and getReplicaDatabase.
We skip FilterLookup and CentralDBManager in this patch.

Change-Id: I22c6f8fa60be90599ee177a4ac4a97e1547f79be
2023-03-08 16:50:56 +01:00
TheresNoTime fdcf2aab36 abusefilter.css: Increase the default abusefilter editor width
Increase default widths from `65%` to `90%` for the editor, notes,
description, group inputs.
Add `mw-abusefilter-edit-description-input` id to
`abusefilter-edit-description` TextInputWidget.

Bug: T294856
Change-Id: Ia9472298170740a39fd24864003b766078fcdfaf
2023-02-07 20:59:13 +00:00
Matěj Suchánek 5dbb4792b7 Add styles to display zero contributions link in red
Bug: T327603
Change-Id: I319b69d21f3c6195cd9192285a3f0ec3b52bcfd0
2023-01-24 15:11:19 +01:00
Matěj Suchánek 396d892c60 Use ActionSpecifier to load the IP address
To avoid access to the global request context.

Change-Id: I4d97dbe8b693f1fcd5a4e84f2376752d8e954c18
2022-12-17 22:52:24 +01:00
Matěj Suchánek 52dcd4624f Use ActionSpecifier throughout the code
The motivation is to have a single immutable object providing
information about the action. It can represent the current
action being filtered, but also a past action stored in the
abuse log. It will hopefully help us get rid of passing
User(Identity) and Title/LinkTarget objects around together.

Change-Id: I52fa3a7ea14c98d33607d4260acfed3d3ba60f65
2022-12-16 22:52:03 +00:00
thiemowmde 8f50f2a1a6 Fix missing null check for deprecated configuration
$wgAbuseFilterAnonBlockDuration is documented to be deprecated and
fall back to $wgAbuseFilterBlockDuration. This was just missing here.
This makes code fail in PHP 8.x where null is not allowed any more in
functions that expect a string.

Change-Id: I0edb0f14630aed88635aa564a11d6f42e470c29f
2022-11-04 15:36:13 +00:00
libraryupgrader 380f7b010a
build: Updating dependencies
composer:
* mediawiki/mediawiki-phan-config: 0.11.1 → 0.12.0

npm:
* stylelint-config-wikimedia: 0.13.0 → 0.13.1

Change-Id: I424244de96b2da894d781047a1e336514cb7707c
2022-10-07 21:05:41 +03:00
Umherirrender 081a8e3c3c Add LinkBatch to Special:AbuseFilter/home and /history
Combine the check for red/blue user/talk links into one database query
This can improve the performance of the page view when many filters
from many different users are linked

Change-Id: I0b87ee15ecee4cecd5d5d6164e8c18e1b788ecd1
2022-07-29 13:56:03 +02:00
Umherirrender dc4dd928b7 Call IContextSource::getAuthority instead of IContextSource::getUser
Change to use Authority object where possible
to use the interface instead of implementation

Change-Id: I90ef126b3d799c3fc27467a4ffe671785c446d3e
2022-07-03 16:37:18 +02:00
Matěj Suchánek be247401bb Clean up AbuseFilterViewExamine and AbuseFilterExaminePager
Move most stuff from the pager to the view class to untangle
circular dependency. Declare class properties as private.
Leave input validation to the form.

Change-Id: Ia8b1a9d08af9c0cac23b34f6bbbe2c44d01f6c8c
2022-07-03 11:29:43 +02:00
Matěj Suchánek 3b5b3cbae7 Show syntax error message in an error box on Special:AbuseFilter/test
Otherwise it's barely noticable.

Change-Id: Iff10036996c9e190c850d0b24f3ea0817624b95f
2022-06-30 20:23:22 +00:00
Matěj Suchánek 60e03c965e Fix form input normalization
Prevent invalid assignments to properties. On
Special:AbuseFilter/test/123, handle when id of
a non-existing filter was provided. Allow '0'
as user and title on Special:AbuseLog and
Special:AbuseFilter/test.

Change-Id: I196ae62b165d1a60babaf4fe6bd733aa52be1726
2022-06-29 12:19:24 +02:00
jenkins-bot e6c61b94f3 Merge "Replace deprecated HTMLForm methods" 2022-06-28 19:47:11 +00:00
Matěj Suchánek 5dca456535 Replace deprecated HTMLForm methods
Change-Id: Ic9ba981b94541b181acf88c3c40c205ab81962a8
2022-06-28 19:01:54 +00:00
Matěj Suchánek 40564ca635 Remove $info argument from ReversibleConsequence::revert
It was a temporary catch-all variable, but we can replace it
(and probably won't need it).

Change-Id: Ie1a64455c47445050bd83c853b3cafd283d5d020
2022-06-08 11:59:18 +02:00
DannyS712 9de0b19ba4 AbuseFilterViewDiff: simplifications to prepare for refactor
Clean up the existing code a bit before refactoring to be reusable
for a diff button in the edit form.

Includes:
* use the Html class rather than the Xml class for building the display html, and avoid manual
html strings

* replace formatVersionLink() with getVersionHeading() to reduce duplication in the handling of
the headings for the old and new versions, and in the process fix the name used as a parameter to
the old version heading (should be the old version editor, not the new version editor)

* rename some parameters for clarity

* organization and other cleanup

Bug: T180954
Change-Id: I1c02f407e72789a871a23b0d4a279a5c341b1e93
2022-04-30 19:31:21 +00:00
Thiemo Kreuz a25e2c784a Fix capitalization of method calls accross the codebase
Change-Id: Icbbad4858735c24611daee693c53af479c75d1fb
2022-04-26 17:42:34 +02:00
Func 24f5ca6e2d Use setTitle() instead of setAction() where posible
The getLocalURL() method can return url with query string when
wgArticlePath is configured to do so, and query string of GET form
would be ignored by browsers.
The setAction() method is problematic (T285464 and above) and hard to
warn the wrong usage. I'm going to go through and fix every use case,
and finally deprecate it.

Change-Id: I66b634f0cc996be3d7048d410b46fe77c88f9879
2022-03-27 21:06:38 +08:00
jenkins-bot def507f6d3 Merge "Refactor ConsequencesExecutor to process consequences in more steps" 2022-03-23 09:06:55 +00:00
Func 3ff1a7f34d ViewRevert: Adjust use cases of HTMLForm
Use setTitle() instead of setAction(), T285464.

HTMLForm would set edit token for post form, use setTokenSalt() to amend.

HTMLForm would fetch user input value from the request itself, since
the two form shared the same field name, the 'default' params assigned
are unfunctional.

HTMLForm would prefix descriptor keys with 'wp' as the default name
of generated input fields, make use of this feature.

Bug: T285464
Change-Id: I2cc3c1d042998b65df5ee51f0715fe25a5e18e72
2022-03-20 23:28:06 +08:00
Daimona Eaytoy 2de5fce177 Refactor ConsequencesExecutor to process consequences in more steps
Introduce shorter methods, one for each steps, so that it's easier to
understand what the code is doing and figure out if the order makes
sense. The ConsequencesExecutor test is now a proper unit test. Also
simplify AbuseFilterConsequencesTest, removing old/wrong logic and
fixing two expected values that were actually wrong (but worked because
of the aforementioned wrong logic).

The only functional changes should be:
 - We pick the longest block *after* checking the ConsequenceDisabler
   consequences, so e.g. if a filter has a long block + warn and another
   filter has a shorter block, we still keep the second one if warn will
   disable the block.
 - Remove disallow in presence of dangerous actions after checking
   ConsequenceDisabler's and deduplicating blocks. Otherwise we may
   remove disallow for filters where block (etc.) doesn't end up being
   disabled. We may also want to consider not removing disallow at all,
   now that messages are customizable.

Bug: T303059
Change-Id: If00adbf2056758222eaaea70b16d3b4f89502c20
2022-03-19 15:49:36 +00:00
Daimona Eaytoy b5c22f2b77 Improve wording for throttled filter warnings
List which actions were disabled, or explicitly say that no actions were
disabled if that's the case. Also avoid the word "throttle" in messages
as it may be hard to translate. Also don't suggest optimizations to the
filter conditions -- unoptimized rules have nothing to do with a filter
being throttled.

Bug: T200036
Change-Id: Id989fb185453d068b7685241ee49189a2df67b5f
2022-02-22 11:10:19 +00:00
Matěj Suchánek 238649ebc1 Declare AbuseFilterView::$mParams as protected
It is not supposed to be read or written to by other classes.

Change-Id: I02fe2861a6102ddf1a587cdd7e7423a62d8e0c57
2022-02-02 12:32:09 +01:00
Alexander Vorwerk d22ea2b57e Don't use array keys for OOUI in AbuseFilterViewDiff
Bug: T299463
Change-Id: I3d02e18566532e9e4824a089c9504ec13b6ad33e
2022-01-18 22:57:02 +00:00
Alexander Vorwerk edcefa729c Don't use array keys for OOUI
Bug: T299463
Change-Id: Id1f6e0c43db38003c1b198ab86c37b1c37412124
2022-01-18 23:20:32 +01:00
Thiemo Kreuz 489cfa4f3d Don't use array keys for OOUI GroupElement items
Change-Id: Id120e49c7e6d62c1ad30a3109afbe9bf77c4d81d
Required-For: I7a19fba8bce65640bdb69b3a63812537e1d29af3
2022-01-13 16:37:04 +01:00
Thiemo Kreuz 0e8a08ebca Replace custom regex with TextContent::normalizeLineEndings()
This does the same as before, replacing \r\n as well as \r with \n.
Additionally the new method applies an rtrim() on both strings. I
believe this is even a good thing. It possibly removes irrelevant
noise from the diff.

Change-Id: I584740a24e6b25bbcbc928c2369f09b785a485c8
2021-10-01 08:49:49 +02:00
Matěj Suchánek 632b39f8ca Stop requiring the Skin interface in AbuseFilterChangesList
IContextSource is now enough for ChangesList.

Change-Id: Iebb525227efe841a17c799d460d352017a2cfc4f
2021-09-25 10:28:50 +02:00
jenkins-bot a332b3ff0f Merge "Remove afl_filter entirely" 2021-09-25 01:39:08 +00:00
Daimona Eaytoy e8471a717c Add method to properly check visibility of AbuseLog entries
This replaces the previous pattern of callers having to use
RevisionLookup if the result was 'implicit'. Also, in some cases where
we were just hiding things if the visibility was !== true, properly
handle the implicit case by using the new method. Make the new method
return string constants rather than bool|string.

The new method also fixes some potential info leaks which happened when
the row was hidden, the user could view suppressed AbuseLog entries, but
the associated revision was also deleted and the user couldn't see it
(this shouldn't be relevant for WMF wikis since AF deletion is
oversight-level).

Also add a bunch of tests for the various cases to ensure we don't
regress again.

Bug: T261532
Change-Id: I929f865acf5d207b739cb3af043f70cb59243ee0
2021-09-25 00:08:33 +00:00