Commit graph

220 commits

Author SHA1 Message Date
Amir Sarabadani d628a99442 Blocked domains: Add support for "added by" field
This field gets added automatically when using the special page form but
is only shown to admins and other people who have access. It's not private
information (users can find it in history) but this is to avoid making
these admins an easy target for harassment (Talking to PM of moderation
team he agreed this is a good compromise).

Bug: T341626
Change-Id: I8410f39db54b96981b05de8e064fed65df30ef2f
2023-12-27 04:37:42 +01:00
Novem Linguae 88e9d8d0b6 Special:AbuseFilter page title should mention filter name
- Mentions filter number and name in the title
- Distinguishes between viewing and editing

Bug: T353106
Change-Id: Idda9854a78937033b168603810154b48288c3f4c
2023-12-22 04:55:37 -08:00
MusikAnimal 7db0e05aeb Show notification when editor links to a blocked domain
This leverages the new BlockedExternalDomains system that is now part of
AbuseFilter. It notifies editors in realtime if a link they add is
blocked. See https://w.wiki/7ZsF for more information.

BlockedExternalDomains is slated to have its own API tantamount to the
action=spamblacklist endpoint, after which case this code will need to be
updated. In the meantime, it's meant to serve as a minimal viable product
for the CWS 2023 wish <https://w.wiki/7ZsE> for wikitext users.

The new $wgAbuseFilterBlockedExternalDomainsNotification configuration
setting controls the availability of this feature.

A similar feature for VisaulEditor is tracked at T276857

Bug: T347435
Change-Id: I7eae55f12da9ee58be5786bfc153e549b09598e7
2023-10-31 15:32:02 +00:00
Amir E. Aharoni 77cea2bf02 Remove "Back to" from two messages
These two messages appear at the top of pages such as
https://en.wikipedia.org/wiki/Special:AbuseFilter/history/50/diff/prev/27425

The words "Back to" are not really necessary there. It's clear enough
to simply write "Filter editor" and "Filter history", without showing
"Back to" next to each other.

Change-Id: I44672ffd49ba6c24dbf49f9c7de3bbd72f154dbf
2023-10-01 07:38:07 -04:00
Matěj Suchánek c2a40fb0ff Clean up AbuseFilterViewTestBatch
Inject dependencies, use implicit form validation.

Change-Id: I74afeeceb39ada93cf3c20d5d3fc417ab4e3bf4b
2023-06-27 10:53:45 +02:00
Amir Sarabadani da53cfe9dd BlockedDomains: Add logging in case of hit
This is basically copy paste of SpamBlacklist logging with the added
extra bit of what triggered the hit.

Bug: T337431
Change-Id: Ieb9e3ca615af88ab56735b56e24c80c42a68d478
2023-06-14 22:23:50 +02:00
Amir Sarabadani 9ca20e7749 Make edit summary of blocked domain changes use i18n
It shouldn't be all in English.

Bug: T337431
Change-Id: I57c6b08b652e83baaef41ab0b74af7a4668698a2
2023-06-08 22:06:19 +02:00
Amir Sarabadani 0acfe05251 Add abusefilter-bypass-blocked-external-domains right
This is similar to sboverride right in SpamBlacklist. Defaults are also
the same

Bug: T337431
Change-Id: Iaff91c1f9f7aece0787348dd071701ef99e0291d
2023-06-08 22:06:19 +02:00
Siddharth VP 8a22007034 BlockedExternalDomains: validate JSON structure before save
This makes raw page editing safer, and potentially enables opening up
access to less restricted user groups.

Bug: T337431
Change-Id: I14f21003a551f34b6e524e9b229613e79b0e5a70
2023-06-06 23:31:28 +02:00
jenkins-bot 1298c9243b Merge "Update block expiry message in AbuseFilter edit view" 2023-06-06 15:58:27 +00:00
jenkins-bot 3feb7d5af0 Merge "BlockedDomains: Put a cache behind parsing of notes of blocked domains" 2023-06-04 15:33:00 +00:00
Amir Sarabadani be928818a4 BlockedDomains: Put a cache behind parsing of notes of blocked domains
It'll be 6K rows in enwiki, parsing 6000 wikitext notes is going to be
expensive.

Bug: T337431
Change-Id: I010d773a7b096c783f5da0d6997d946b3bfd6b6e
2023-06-02 20:13:33 +02:00
James D. Forrester fb50c1f019 BlockedExternalDomains: Make this a special right, prohibit direct editing
Bug: T337431
Bug: T279275
Change-Id: I96d1e2c8d8728c26e38515032ef773770e26dda4
2023-06-01 09:20:44 -04:00
Amir Sarabadani 53eb27f086 Introduce Special:BlockedExternalDomains
It is behind a feature flag. Improvements on it can happen in follow
ups. The patch is already quite massive.

Bug: T337431
Bug: T279275
Change-Id: I3df949c4d41ce65bb4afa013da9c691ac05fc760
2023-05-30 20:48:42 +02:00
Thalia 3343acf63f Update block expiry message in AbuseFilter edit view
Temporary users get the same block expiry as anonymous  (IP) users,
since d42b7335d5.

Update the checkbox label to reflect this.

Change-Id: Ibf60936d9c746d857fc4354552d71e1efdd52066
2023-05-26 12:45:04 +03:00
jenkins-bot bb94c0914c Merge "Add support for regex string replacements." 2022-05-31 14:54:33 +00:00
fossifer b1739a588f Add ip_in_ranges function
Added support for ip_in_ranges which allow multiple ranges to be
checked at the same time. If the IP is in any of the ranges, the
function returns true.

Bug: T305017
Change-Id: Ic75c87ecd4cacf47ce2ff1b04173405230ff81d0
2022-05-11 12:27:16 +08:00
proc 1d1215bafb
Add support for regex string replacements.
Bug: T285468
Change-Id: I25f8ad1b58cc10f4c6f6ef5ebab99fe58ec71b1e
2022-04-20 18:38:24 +01:00
Daimona Eaytoy a0fd0bae01 Overhaul throttle identifiers
- Use a /64 range for IPv6 instead of /16.
- Fix a curious and serious bug for IPv6, where grouping by range
  would only use the first (!) number of the IP address, due to the
  'v6-' prefix returned by IP::toHex.
- Fail hard if the identifier is unknown -- it's not something that's
  supposed to happen.
- Include the type name in each identifier, instead of prefixing all
  type names to all identifiers. This makes it easier to understand the
  parts of the key.
- Test the whole lot.

Bug: T211101
Change-Id: I54c4209f2f0d5a4c5e7b81bed240ca3e28a2ded7
2022-03-06 13:31:06 +00:00
Daimona Eaytoy 900915eeb2 Remove unused messages
Added in [1] which didn't use them.

[1] - https://phabricator.wikimedia.org/rEABFf9c9c07ccf3dcd6fffbb30923411687029259f4d

Change-Id: Iddd777d2dc84fddaee01f9ee9b4002224c386e6e
2022-03-02 16:59:59 +01:00
Daimona Eaytoy b5c22f2b77 Improve wording for throttled filter warnings
List which actions were disabled, or explicitly say that no actions were
disabled if that's the case. Also avoid the word "throttle" in messages
as it may be hard to translate. Also don't suggest optimizations to the
filter conditions -- unoptimized rules have nothing to do with a filter
being throttled.

Bug: T200036
Change-Id: Id989fb185453d068b7685241ee49189a2df67b5f
2022-02-22 11:10:19 +00:00
Amir E. Aharoni 9e333b38f0 Hyphenating "case-insensitive"
This makes it consistent with core and
other extensions.

Change-Id: I03ba0f2dce754655fc5de6fe28402d2bde1523c5
2021-12-11 09:27:34 +00:00
Sorawee Porncharoenwase 320e3d696f Add a static analyzer for the filter language
This commit adds a class AFPSyntaxChecker which can statically analyze
a filter code to detect the following errors:

- unbound variables (which comes in two modes: conservative and liberal,
  default to conservative)
- unused variables (disabled by default for compatibilty)
- assignment on built-in identifiers
- function application's arity mismatch
- function application's invalid function name
- non-string literal in the first argument of set / set_var

The existing parser and evaluator are modified as follows:

- The new (caching) evaluator no longer needs to perform variable
  hoisting at runtime.
  - Note that for array assignment, this changes the semantics.
- The new parser is more lenient, reducing parsing errors.
  The static analyzer will catch these errors instead, allowing us
  to give a much better error message and reduces the complexity of
  the parser.
  * The parser now allows function name to be any identifier.
  * The parser now allows arity mismatch to occur.
  * The parser now allows the first argument of set to be any expression.

Concretely, obvious changes that users will see are:

1. a := [1]; false & (a[] := 2); a[0] === 1

   would evaluate to true, while it used to evaluate to the undefined value
   due to hoisting

2. f(1)

   will now error with 'f is not a valid function' as opposed to
   'Unexpected "T_BRACE"'

3. length

   will now error with 'Illegal use of built-in identifier "length"'
   as opposed to 'Expected a ('

Appendix: conservative and liberal mode

The conservative mode is completely compatible with the current evaluator.
That is,

false & (a := 1); a

will not deem `a` as unbound, though this is actually undesirable because
`a` would then be bound to the troublesome undefined value.

The liberal mode rejects the above pattern by deeming `a` as unbound.
However, it also rejects

true & (a := 1); a

even though (a := 1) is always executed. Since there are several filters
in Wikimedia projects that rely on this behavior, we default the mode
to conservative for now.

Note that even the liberal mode doesn't really respect lexical scope
appeared in some other programming languages (see also T234690).
For instance:

(if true then (a := 1) else (a := 2) end); a

would be accepted by the liberal checker, even though under lexical scope,
`a` would be unbound. However, it is unlikely that lexical scope
will be suitable for the filter language, as most filters in
Wikimedia projects that have user-defined variable do violate lexical scope.

Bug: T260903
Bug: T238709
Bug: T237610
Bug: T234690
Bug: T231536
Change-Id: Ic6d030503e554933f8d220c6f87b680505918ae2
2021-08-31 03:28:24 +02:00
Amir Aharoni e03467102c Remove two unused messages
It looks like they were removed in 2008:
6c7b701cc2

Change-Id: I5d91d846523307d8a3adb104503d255d8c726ed8
2021-08-19 22:29:53 +03:00
jenkins-bot 50334c27ce Merge "Use a different message for unprivileged users" 2021-02-28 14:05:08 +00:00
Daimona Eaytoy 3365a648f2 Reject filters with invalid groups
It is currently possible to save a filter with an invalid group, if you
manually change the form data. So prevent this by validating the group
before saving.

Change-Id: I03f80b8c6ab583a357273f7b2679a424ac784db7
2021-02-27 16:01:09 +00:00
Matěj Suchánek 4f1a63107d Use a different message for unprivileged users
Everyone can examine generated variables but not everyone
can test filters. Concerns Special:AbuseFilter/examine.

Change-Id: I9c205a0f1d9a7fdf15c4998d43983b9fa37f4694
2021-02-20 17:55:09 +01:00
Daimona Eaytoy 4dbde4dcf0 Use a different message prefix for parser warnings
The abusefilter-warning prefix is reserved for filter warnings. Pointed
out by Matěj.

Change-Id: I169e4c3d29b08c7f5af2136a683fc4427f8e93f5
2021-02-06 15:42:33 +00:00
jenkins-bot 38772b193d Merge "Partial integration of EditBoxBuilder with HTMLForm" 2021-02-04 17:41:29 +00:00
Daimona Eaytoy bf9142a644 Partial integration of EditBoxBuilder with HTMLForm
This patch adds a transparent HTMLForm field that can be used to insert
the edit box inside an HTMLForm, and updates /test and /tools to use
that. The field class, together with the other editbox-related classes,
is now in a dedicated namespace. A future TODO is making it a real
HTMLForm field.

Also improve a bit the form in /test: add section labels and
avoid reusing the same label message used on Special:AbuseFilter.

Bug: T261584
Change-Id: Ib74bb5fdba4f8476169b754030fce6d4f72ce65a
2021-02-01 16:23:42 +00:00
Daimona Eaytoy a4a0503174 Mixed improvements for AbuseFilter pages and forms
- Clarify the label of the search form on Special:AbuseFilter
- Move introductory paragraphs to the very beginning of the page:
-- Before the profiling data on Special:AbuseFilter
-- Before the search form on Special:AbuseLog
- Make the search form on Special:AbuseFilter collapsible, and collapsed
  by default
- Make a few buttons primary+progressive, specifically those that take
  the user to a different page or act as submit-like buttons

Bug: T261584
Change-Id: I54517b01a9ea81d276283140e5cfafef575c3e2b
2021-02-01 15:51:43 +01:00
Daimona Eaytoy bfbdd13c2e Restore hide link when viewing single AbuseLog entries
Partial revert of I13f476d8126f81b0417e7509784c83d4f21cf348

Bug: T271667
Change-Id: I58f162c7ed72c42b24b214d3857590bfd66e8f82
2021-01-12 11:56:19 +01:00
Matěj Suchánek dc7509811a Notify of a throttled filter
Use Echo for delivering the notification to the last
user who edited the filter.

Much boilerplate.

Change-Id: I7a46a03b4f15de20902ec70c62fb4fe750096842
Depends-On: If585b14a6dd6fb8c7d2c3bee1f20d9d08eaac706
2020-12-19 10:31:29 +01:00
Daimona Eaytoy 7c1d1c6d7d Return warnings from the parser, add warning for catch-all regexps
This commit introduces some boilerplate for emitting warnings from the
AbuseFilter parser, and also code for showing these warnings in the ace
editor. Adding new warnings should be as simple as appending to
AbuseFilterParser::warnings (and adding the relevant i18n).

Bug: T264768
Bug: T269770
Change-Id: Ic11021b379f997a89f59c8c0572338d957e089a6
2020-12-18 18:22:41 +01:00
Amir Aharoni 2e70051b61 Remove unnecessary word from abusefilter-log-hide-done
"Successfully" is usually not necessary in messages. See:
https://www.mediawiki.org/wiki/Localisation#Avoid_jargon_and_slang

Change-Id: I6a19fba8aebbb4c9cc09d448abbbfa67c2761c8d
2020-12-15 16:15:14 +02:00
Daimona Eaytoy 21d7c08aa7 Overhaul the interface for hiding AbuseLog entries
The main change is the addition of checkboxes to hide/show multiple
entries at the same time. Also, tweaked some i18n and made the process
return more useful success/error messages.

This patch introduces some technical debt, caused by SpecialAbuseLog and
AbuseLogPager being tightly coupled (which is a pre-existing problem,
but it got worse here).

Bug: T260904
Bug: T144096
Bug: T206945
Bug: T206938
Change-Id: I13f476d8126f81b0417e7509784c83d4f21cf348
2020-12-11 20:55:08 +00:00
Daimona Eaytoy b5ae7360bc AbuseLog: Use a radio button not checkbox for suppressing entries
Add a radio to select between "hide" and "show" instead of a single,
cryptic checkbox which doesn't really explain what it does.
Also wrap the list in a form which will later be used to mass-delete
entries.

Depends-On: I1bb45e47c3b42c01388b99778ce833e4e44419e1
Change-Id: Ie2d019fad5af7c626d722dc348f40eb0db21e527
2020-11-18 20:57:39 +00:00
Matěj Suchánek 8955c55dc7 Don't show form for reverting filter actions when no actions were found
Change-Id: I779a318a9daaf6d3a17335914a7fd85877765625
2020-11-18 01:42:38 +00:00
Matěj Suchánek adbe9bcbce Improve display of log entries when global filters are not enabled
Don't create <a> tags without a href. Show a placeholder
message instead of nothing (alternatively, we could create
a new message for each existing one).

Bug: T174000
Change-Id: Id55b90881aacc620ff3c519ad6eedf212f36c4ed
2020-10-15 15:05:16 +02:00
Daimona Eaytoy f8c9b8fa36 Move link to /import in a button on ViewList
We have many topnav links, and future patches may add others (e.g.
Ia5fd4f0b35fcabf045a7b49fa40fa85b72c92544). The "import" feature is
probably the less used, and is also pretty similar to creating a new
filter.
Thus, remove its link from the topbar and move it to a button next to
the "Create a new filter" button.
Note that the old message is reusable, and thus it should be moved on
translatewiki after merge.

Change-Id: I52042d62b2bab7e4a1e9bbc027e7de5addec8157
2020-09-18 14:59:00 +00:00
DannyS712 a75e01dcb6 Add separate abusefilter-log-search-filter-help-central message
On the central abuse filter wiki, show a different help message

Bug: T238510
Change-Id: I7f60e279f0301b1636e19a31535cb3bac87c241a
2020-09-17 23:50:35 +00:00
Huji Lee b523b71fc3 Standardize the order of options in dropdown filters for search
Any should always be the first choice. Other/None should always be
the last choice. The rest of the choices come in between and should
be sorted alphabetically.

Also capitalize the first letter of "None" for filtering logs down
to those in which no action taken. This makes the options uniform.

Bug: T255533
Change-Id: Id106bbc352531437af95a303b7dcf32e44383f95
2020-06-25 19:01:16 +00:00
jenkins-bot b118fd50dc Merge "Improve var dumping in /details, /examine and /tools" 2020-04-29 20:00:54 +00:00
Zppix 0bb82023a7 Update Right-abusefilter-modify to: "Create or modify abuse filters"
Bug: T250592
Change-Id: I2567ad06eeec7d605064f74dff28ba44304660f9
2020-04-19 01:04:48 +00:00
Daimona Eaytoy 4c98aecf4d Improve var dumping in /details, /examine and /tools
Using var_export for better visual effect, especially for arrays.
The result from /tools is much clearer and the 'wrong syntax' message is
a bit more explicative than before.

Bug: T190653
Bug: T239972
Change-Id: I79a17305c7f19f7900f896f895e9365bb5f2fd58
2020-03-28 17:35:43 +01:00
jenkins-bot 76a1be97a4 Merge "Add site name and language variables" 2020-02-10 19:06:01 +00:00
Daimona Eaytoy 0d2cab0deb Validate imported data
At the moment there's no validation for import data, so it's totally
possible to insert rubbish in the field, and the code will produce other
rubbish. For instance, it's not so uncommon to see lots of PHP notices
on logstash for ViewEdit code trying to access members of the imported
data as if it were an object.

Change-Id: If9d783f0f9242d3d1bc297572471e62f51ee0e40
2020-02-10 18:41:36 +00:00
Daimona Eaytoy d9ae71f578 Add site name and language variables
In T43172 it was told that adding the site name could increase the risk of
attracting more spam, but I don't see how this variable could cause that.

Bug: T240948
Bug: T97933
Change-Id: I1d2aeabaf008ac06798b8d7e4af7d61ae1702776
2020-02-09 14:32:02 +01:00
jenkins-bot d43756a7f4 Merge "i18n: Rename msg key for abusefilter-view-oldwarning" 2019-12-23 12:16:57 +00:00
jenkins-bot 7fab4d3092 Merge "Clarify error message for non-literals passed to set/set_var" 2019-12-23 12:12:49 +00:00