Commit graph

25 commits

Author SHA1 Message Date
Daimona Eaytoy c469fb4b76 Mostly remove $wgUser
There are lots of cases where we can inject a User object without
additional efforts. Now $wgUser is only used inside AFComputedVariable,
which is a little bit harder to handle because some instances of that
class are serialized in the DB, and thus we cannot easily change the
constructor until T213006 is resolved.

This partly copies what Ia474f02dfeee8c7d067ee7e555c08cbfef08f6a6 tried
to do, but adopting a different approach for various can*() methods:
they're now static methods in the AbuseFilter class, so future callers
don't need to instantiate an AbuseFilterView class. This also allows to
re-use those methods in an API module for editing filters (T213037).

Bug: T213037
Bug: T159299
Change-Id: I22743557e162fd23b3b4e52951a649d8c21109c8
2019-08-27 13:20:37 +02:00
Daimona Eaytoy 71e3719e12 Clarify "filter" field in SpecialAbuseLog and ApiQueryAbuseLog
The "filter" fields can also accept a list of filters, and also global filters, so make it clear in the UI and in messages.

Change-Id: Ib258716d8e6792fd496938ebb4e8a2565d6370b7
2019-08-04 16:55:05 +00:00
Daimona Eaytoy 6ea767f171 Tweak methods related to global filters
To make the switch to afl_filter_id and afl_global easier.

Bug: T227095
Depends-On: Ie550889495232b534c0f9aec31039cf21b2135b1
Change-Id: If557bad8f5c1a6d15e3556e4bfbd0330d7d49c59
2019-07-02 17:02:50 +02:00
Daimona Eaytoy 6100955242 Use more verbose names for filter IDs
Follow-up of Ie550889495232b534c0f9aec31039cf21b2135b1, suggested by
Krinkle.

Change-Id: Ia8f40644c7f4a6ed53186a5edab5df1bd313166a
2019-06-25 18:20:32 +00:00
Daimona Eaytoy e7cd4b2a98 Rewrite AbuseFilter::decodeGlobalName
Now it returns an array with a bit more info, and has a different name
to reflect the fact that its input is now split in two parts. Plus, make
it throw whenever it gets an unexpected input, and add a bunch of test
cases for it.

Depends-On: Ib5fdeb75c1324f672b4ded39681f006fde34b4d1
Change-Id: Ie550889495232b534c0f9aec31039cf21b2135b1
2019-06-12 23:56:25 +00:00
Daimona Eaytoy 291c35cea0 Don't send empty array to Database::makeList
Check that the provided param is not empty, as otherwise
Database::makeList will throw and the exception will bubble up to the
user.

Bug: T222531
Change-Id: Icf5db25037a0d0a7b4076f21e7f1c9a6ee1d5a87
2019-05-18 10:55:26 +02:00
Daimona Eaytoy 9a315f2a6e Revert "Use string cast for Postgres compatibility"
This reverts commit 4ab12305f1.

Bug: T221357
Change-Id: Id0f26f48ad9904e73a8b65d76586957c2be93e82
2019-04-18 11:51:16 +00:00
Daimona Eaytoy 4ab12305f1 Use string cast for Postgres compatibility
We JOIN integer and text, so Postgres would always fail on these. As
mentioned in the task description, this is only a temporary solution
(although a clean and durable one), while the long-term one is
I7460a2d63f60c2933b36f8383a8abdbba8649e12.

Bug: T42757
Change-Id: Ifddd0bca1e8eaa7c70511fb0d0588457b4fd0669
2019-03-23 12:44:02 +01:00
Daimona Eaytoy 01f699ff07 Remove useless SpecialAbuseLog::getNotDeletedCond
The method is used to make afl_deleted = null treated as afl_deleted =
0. Digging into code history, I found that it's in place because:

*In rEABF14b850f891de27ea09a1439e3835f66c49ad773f the afl_deleted field
was introduced as NULL, and wasn't used.
*In rEABFfe39e38282fc4c7903eb3f8080dbf0bab0f697f4 it was ALTERed to be
"NOT NULL DEFAULT 0"
*And in rEABFa2ead8bfb5166e0b354f3bb3e09f39795cb5b1c0 this function was
introduced to "negate the need for a schema change".

However, when ALTERing afl_deleted to be NOT NULL DEFAULT 0, all NULL
values have been automatically converted to 0 thanks to the DEFAULT
clause, and being the column NOT NULL, of course no NULL are still
there... The ALTER was applied to all wikis (in 2010), so afl_deleted is
NOT NULL everywhere and we can safely treat it as such.

Change-Id: Iebd843629d26e392d2e24efc2795c767e854897a
2019-03-23 11:49:30 +01:00
Daimona Eaytoy 2a0246ddb5 Remove ancient permission checks
In both SpecialAbuseLog and ApiQueryAbuseLog, we use
Title::getUserPermissionsErrors to check if the user is allowed to
perform 'abusefilter-log' on the API page... However, this is a
completely redundant check (which is also pretty expensive and queries
the master): for the SpecialPage, we can specify the required right in
the constructor and use checkPermissions, and for the API we can simply use checkUserRightsAny.
If I'm not mistaken, there's no benefit in using
getUserPermissionsErrors.

Change-Id: I4c4dbace67b24cc1f45e50ab1c0d251522935513
2019-01-31 21:16:18 +00:00
Huji Lee b523194032 SECURITY: Remove private information from the API results
Later, we will add a new POST request which will allow retrieving
the private details; it will have a mandatory "reason" parameter,
and will result in a log entry in the private details access log,
just like the web interface.

Bug: T210329
Change-Id: Iaca492371f48fecf543268c179a651841ed12c3f
Signed-off-by: sbassett <sbassett@wikimedia.org>
2018-12-03 23:11:32 +00:00
Daimona Eaytoy badde6ba75 Revert "Revert "Add typehinting for every object-only parameter""
This reverts commit 1ed75b4ae0.
Fixed the one which caused errors, by making articleFromTitle
only use WikiPage, instead of silently mixing WikiPage and Article.

Note for reviewers: this patch is identical to the one which was
previously +2ed, which was mostly correct. To see the actual change,
diff AFComputedVariable with 1..current.

Change-Id: I6747eaed861af6c40a3b1610aebcc1174296e9ed
2018-11-15 10:09:16 +01:00
Daimona Eaytoy 103dfa3b66 Remove info leak
Oversighted/deleted edits and log actions were entirely accessible to
non-oversighters via AbuseFilter/examine for RC, and via AbuseFilter/test.
Now, we take into account the revision/log visibility and user permissions to
determine what to show.
Other changes in this patch:
*Show the examine link if and only if the user can examine the given row
*If a revision is hidden but the user can see it, don't hide its elements in
 ChangesList (only leave them striked/greyed)
*Make APIs better understand revision visibility.
*Make a clear distinction between deleted and suppressed edits/log
entries.

Co-authored with rxy <git@rxy.jp>

Bug: T207085
Change-Id: Icfa48e366a7e5e3abd5d2155ecfddfc09b378088
2018-10-23 10:53:39 +00:00
Jforrester 1ed75b4ae0 Revert "Add typehinting for every object-only parameter"
This reverts commit 69d7669069.

Reason for revert: Causing UBN train blocker

Bug: T207220
Change-Id: I3445d9b3065149e2beb149e10fbbf5502b480f57
2018-10-17 01:22:23 +00:00
Daimona Eaytoy 69d7669069 Add typehinting for every object-only parameter
This patch covers every object-only parameter, adding a typehint for it
to avoid errors.

Change-Id: Iebf700621b9dbff78c3bd8f3c136ed15ef4b8d4b
2018-10-15 09:56:09 +02:00
Daimona Eaytoy d390144c69 Add the log ID as API param for query abuselog
The patch adds the logid parameter to the queryAbuseLog API, so that
users will be able to retrieve a single result with the given logid.

Bug: T36731
Change-Id: I9160c3690e86ea40560f6fa7721918965234c29e
2018-07-14 15:03:17 +02:00
Matěj Suchánek 45d1d71def Reduce use of globals in favor of Config
I'd like to have this reviewed by more than one user before merging, to avoid regressions of annoying typos.

Change-Id: I91a9c5cca55e540a6c95b750579c1c369a760b15
2018-05-02 02:27:26 +00:00
Daimona Eaytoy caa4b1c763 Add phan configuration
This is taken from I6a57a28f22600aafb2e529587ecce6083e9f7da4 and makes
all the needed changes to make phan pass. Seccheck will instead fail,
but since it's not clear how to fix it (and it is non-voting), for the
moment we may merge this and enable phan on IC.

Bug: T192325
Change-Id: I77648b6f8e146114fd43bb0f4dfccdb36b7ac1ac
2018-04-30 08:32:58 +00:00
Daimona Eaytoy 3c3a521fec Fix coding conventions exclusion rules
This should fix every error with excluded rules, leaving only the one
for $wgTitle. A double check would be nice in order to avoid regressions
due to stupid mistakes.

Bug: T178007
Change-Id: I22c179f3a01d652640304b59e43fcb5b5a9abac3
2018-04-20 08:40:18 +00:00
Kunal Mehta 2633839630 API: Fix "Undefined index: wiki" warnings
Bug: T186914
Change-Id: I7e9d5524302f5f90d0e82f0f4d41a542e2990ed5
2018-02-09 12:00:07 -08:00
Matěj Suchánek 10aea65219 Allow filtering AbuseLog in API by wiki
Bug: T113414
Change-Id: I833f223b160810d69f084ae4b060adbdd956aa83
2018-02-03 17:45:37 +00:00
Umherirrender a2ebd0c70a Improve some parameter docs
Change-Id: Ibac10a20243a4eedd826485d56eddd5234da6fec
2017-10-07 00:54:58 +02:00
Matěj Suchánek 55c27a8f6b Require MediaWiki 1.29
After I544cdfa75c7472f2d98b2561bc6f6f9c2d2ad639 (dieWithError
and checkUserRightsAny), this is the oldest MediaWiki version
AbuseFilter can be run on.

AbortMove was removed from MediaWiki in 1.25, UploadVerifyFile
is only relevant for 1.27 and older.

(Replaces I1e962217c3b20d901a5742cf76339a3f488a6e97.)

Change-Id: Iec237b2887f72b115fdcef78d2d7a944ba82c784
2017-08-10 11:01:34 +02:00
Max Semenik b67cb42c09 Fix some deprecated function usage
Change-Id: I544cdfa75c7472f2d98b2561bc6f6f9c2d2ad639
2017-08-07 16:35:21 -07:00
Max Semenik 2f250127b4 Normalize file layout
Aka move all code into includes/.

Change-Id: I21f7b80bb6df04abbed6bfccb94f92100dc8f071
2017-08-07 16:11:38 -07:00
Renamed from api/ApiQueryAbuseLog.php (Browse further)