Commit graph

1841 commits

Author SHA1 Message Date
STran bd819b98a2 Add preference for viewing protected variables in AbuseFilter
Users need to enable a preference before gaining access to the IPs
from `user_unnamed_ip`, a protected variable.

- Add a preference that the user can check to toggle their access
- Check for the preference and the view right for logs that reveal
  protected variables on:
  + AbuseFilterViewExamine
  + SpecialAbuseLog
  + QueryAbuseLog

Bug: T371798
Change-Id: I5363380d999118982b216585ea73ee4274a6eac1
2024-09-12 07:59:24 -07:00
jenkins-bot de16ec7509 Merge "ConsequencesExecutor: Use Message objects in the Status" 2024-07-30 00:21:19 +00:00
jenkins-bot 0c51fbd3e6 Merge "Use namespaced MessageSpecifier" 2024-07-28 21:30:01 +00:00
Bartosz Dziewoński 80f56e599b ConsequencesExecutor: Use Message objects in the Status
In my recent change c458651370, which used Status::getMessages()
in FilteredActionsHandler, I overlooked the fact that it returns
MessageSpecifier objects instead of Message objects, and the return
value of MessageSpecifier::getParams() is not exactly specified
(the docs only promise that it's an array).

Now I'm working on a MediaWiki core change (I625a48a6ec) that
causes a different MessageSpecifier to be used, which stores
parameters in a different format, and would break that code.

To avoid problems, ConsequencesExecutor now stores Message objects
in the Status, which guarantees that FilteredActionsHandler will
get the same objects back.

Change-Id: I2c1bc8dde9a078d03badecf6d89443b65eeb92c5
2024-07-28 20:08:56 +00:00
Bartosz Dziewoński 517beb3c0d Use namespaced MessageSpecifier
Depends-On: I9ff4ff7beb098b60c92f564591937c7d789c6684
Change-Id: I7097b4d80df790ef14a5bc053306dc2f1fd195da
2024-07-28 21:59:35 +02:00
Umherirrender e88494212e Use expression builder to avoid IDatabase::makeList
Bug: T350968
Change-Id: Iacb407a9aef293f401e0dbf754bb1f51f6b390c5
2024-07-22 21:42:28 +00:00
Umherirrender 91b369b7af Use expression builder instead of raw sql
Bug: T350968
Change-Id: Ibad11ea11e7955172d35d4499372d0fcd726bf74
2024-07-21 22:07:58 +02:00
Bartosz Dziewoński 3df92fcbe4 Use stable andExpr() / orExpr() methods
Change-Id: I0010a7c9d273e63acbed78190f0c23283a192ef2
2024-07-11 18:36:04 +02:00
STran 30227231f6 Disallow protected variable access on AbuseFilterViewTestBatch
A filter using a protected variable can be loaded via filter id
using testing tools even though the user might not have the right
to view protected variables. This can potentially leak PII and as
such, testing tools should check for the right before allowing
protected filters to be seen.

- Unload a filter asap if it uses protected variables and the
  requestor doesn't have viewing rights. This:
    + disallows loading of existing protected filters on page load
    + disallows testing against rules that use protected variables
    + disallows subsequent requests for protected filters (via API)

There is a known bug (see T369620) where no user feedback is
provided if an API request for a filter returns no result (typically
when no filter matches the requested id). This commit adds another
pathway to that bug (the filter exists but is protected and not
returned by the API) but does not update this UI/UX.

Bug: T364834
Change-Id: I6a572790edd743596d70c9c4a2ee52b4561e25f3
2024-07-10 05:31:03 -07:00
jenkins-bot 218627233b Merge "Only return filters visible to user in search" 2024-07-09 09:45:55 +00:00
jenkins-bot 98eab47d9b Merge "Simplify FilterEvaluator::getUsedVars using ::checkSyntax" 2024-07-08 12:42:18 +00:00
STran ceaedb8b95 Only return filters visible to user in search
Search is restricted to users with the right to view private variables
but not necessarily the right to view protected variables. Users who
don't have the right to view protected variables shouldn't be able to
search against protected variables, as this might leak the PII.

- Filter out filters using protected variables in search results
  if the user doesn't have the right to view protected variables

Bug: T367390
Change-Id: I7412112c9cc676f29d706b116b779bc17183a952
2024-07-08 02:47:57 -07:00
jenkins-bot 69508bf153 Merge "Add missing permission check to canSeeLogDetailsForFilter" 2024-07-05 10:09:47 +00:00
Matěj Suchánek bf180e0490 Simplify FilterEvaluator::getUsedVars using ::checkSyntax
Alternative approach to fixing the regression proposed by
Daimona in I78d3a2cd7bada962d7ef9b0f2c39d898bf8987ce.

Bug: T368203
Change-Id: I637367c3b3850f7988d890379fef7f4753159953
2024-07-05 11:32:09 +02:00
Daimona Eaytoy 99bb44beb4 Miscellaneous minor fixes
- Rename `$hidden` to `$privacyLevel` in Flags::__construct for
  consistency with other places.
- Rename `shouldProtectFilter` and simplify its return value to always
  be an array, since that's how it's currently used. Rename a variable
  that is assigned the return value of this method.
- Add a missing message key to a list of dynamic message keys.
- Rename a property from 'hidden' to 'privacy' in FilterStoreTest for
  consistency. Add a test for removing the protected flag.
- Update old comment referencing `filterHidden`; the method was removed
  in I40b8c8452d9df.
- Use ISQLPlatform::bitAnd() instead of manual SQL in
  AbuseFilterHistoryPager.
- Update mysterious reference to "formatRow" in SpecialAbuseLog.
- Update other references to the very same method in two other places,
  this time credited as "SpecialAbuseLog".
- Add type hints to a few methods; this not only helps with type safety,
  but it also allows PHPUnit to automatically use the proper type in
  mocks.

Change-Id: Ib0167d993b761271c1e5311808435a616b6576fe
2024-07-03 02:31:38 +02:00
Daimona Eaytoy 6ac574dada Add missing permission check to canSeeLogDetailsForFilter
`canSeeLogDetails` should also be checked when a filter is protected, as
it is the base right for being able to see abuselog entries. With this
in mind, check that immediately at the beginning of the method, instead
of repeating calls. Also merge the conditionals, and return early when a
permission check fails.

Move a test up so that it comes immediately after its data provider, and
add test cases for a few combinations of rights.

Change-Id: Ic3cf58f43803bef8bf2d65566434baff145b3fd5
2024-07-02 22:43:09 +02:00
jenkins-bot bc0ab54e2d Merge "Support more log actions in testing interface" 2024-06-29 21:43:59 +00:00
jenkins-bot 7cca085e24 Merge "Remove modification of wgCheckUserLogAdditionalRights" 2024-06-28 17:05:35 +00:00
Jakob Warkotsch 0bd53dfeb1 Remove unused phan suppressions
Change-Id: Ib42f9b00948506ae2c053f51cb7dfddb0f7eb480
2024-06-28 12:15:49 +02:00
Dreamy Jazz 7254e65665 Remove modification of wgCheckUserLogAdditionalRights
Why:
* The wgCheckUserLogAdditionalRights global is shortly being
  removed as no-longer necessary after T324907 removed the need to
  generate the action text on insert time. As such, the action
  text can be generated on view and therefore respect the rights
  that the viewing user has.
* This means that the config can be removed, as users with the
  'abusefilter-view' right will be able to see the action text
  associated with the entry because the log formatter will check
  for the right on view.

What:
* Remove the modification of wgCheckUserLogAdditionalRights in
  AbuseLogger::insertLocalLogEntries.

Bug: T346022
Change-Id: I7504e4729fde5e51f6a795fc3e60d735152b2eea
2024-06-27 16:43:25 +00:00
Kosta Harlan b93543ef00 ConfirmEditHandler: Use SimpleCaptcha API to invoke CAPTCHA display
Why:

- The previous attempt to integrate AbuseFilter with ConfirmEdit set
  a flag on the request object
  (I110a5f5321649dcf85993a0c209ab70b9886057c) didn't work in WMF
  production because in WMF, we load ConfirmEdit first, followed by
  AbuseFilter. Therefore any flag set in an AbuseFilter hook is ignored
  by ConfirmEdit

What:

- Remove implementation of ConfirmEditTriggersCaptchaHook, as this does
  not work when AbuseFilter is loaded after ConfirmEdit.
- Repurpose onConfirmEditTriggersCaptcha to handle non-edit actions only
- Implement the EditFilterMergedContent hook and call SimpleCaptcha's
  public confirmEditMerged method if CaptchaConsequence has specified
  that a CAPTCHA should be displayed, and if the CAPTCHA has not already
  been solved

Soft-Depends-On: Idc47bdae8007da938f31e1c0f33e9be4813f41d7
Bug: T20110
Change-Id: I7dd3a7c41606dcf5123518c2d3d0f4355f5edfd3
2024-06-26 16:07:40 +00:00
jenkins-bot 788571fb3a Merge "LoadExtensionSchemaUpdates: Remove unused path from 'runMaintenance' action" 2024-06-20 16:29:16 +00:00
jenkins-bot 8dd15bac76 Merge "Fix variable descriptions showing raw "($1)"" 2024-06-20 15:46:12 +00:00
jenkins-bot 72ab79dcd1 Merge "Remove AbuseFilterActorMigration" 2024-06-20 15:44:49 +00:00
Bartosz Dziewoński 29e8b6e13b LoadExtensionSchemaUpdates: Remove unused path from 'runMaintenance' action
MediaWiki has never used this path for running the maintenance
scripts, only the class name provided in the other parameter.
Providing the parameter is no longer needed in MediaWiki 1.43.

Bug: T367918
Change-Id: Ie098fa124039cc1122135cae72c74579d43dc04f
2024-06-19 19:58:17 +02:00
Matěj Suchánek 92334b698b Support more log actions in testing interface
- Allow testing "move_redir" page moves.
- Allow testing "create2" and "byemail" account creations.
- Add remarks in the code that "autocreate" account creations
  cannot be tested since they are not in the recent changes.

Change-Id: Idd38327df1477e1cba4396003a6c0f23cb75d276
2024-06-19 17:35:43 +02:00
jenkins-bot c1961b9d99 Merge "Use expression builder in AbuseFilterView::buildTestConditions" 2024-06-17 19:55:35 +00:00
jenkins-bot bb026443dd Merge "Drop af_user(_text) and afh_user(_text) fields" 2024-06-17 12:25:54 +00:00
Matěj Suchánek 1373bf8d11 Fix variable descriptions showing raw "($1)"
In 1904cf8, "($1)" were appended to the messages, but
the argument was not substituted in the var dump table,
showing literal ($1). Substitute <code>var_name</code>
to keep previous experience.

However, many translations have not been updated yet.
If the variable name was indicated by the message
argument, it would often be missing. Therefore, make
sure the placeholder is always present.

Bug: T360909
Change-Id: I1e4a97210c891c375b0f14c0891c2d25a0a389d1
2024-06-16 22:11:08 +02:00
Matěj Suchánek cb08d684d5 Remove AbuseFilterActorMigration
Bug: T188180
Change-Id: Idcacc9f63075b621bbc858a461dc6fb7ab7a9a39
Depends-On: I7dd5fc0f9d80636b0cdf3d995fe22c1f43a5b68d
Depends-On: Ibdb2b4096f26fc6752456a05f8d70a9a6d9609ad
2024-06-15 09:42:27 +02:00
jenkins-bot 92e1335cc8 Merge "Use ObjectCacheFactory" 2024-06-13 13:45:45 +00:00
jenkins-bot 4e919e4338 Merge "Add protected variable view permission checks" 2024-06-13 13:18:14 +00:00
Wandji69 5336a5ea41 Use ObjectCacheFactory
Bug: T363770
Change-Id: I465e251d4bbccd4ce98eb34ff05d749d3de84c43
2024-06-13 12:34:16 +01:00
STran abe6f1f4ee Add protected variable view permission checks
Some features restrict access when filters are private. These features
should treat protected filters similarly.

If the user doesn't have view rights for protected filters:
  - Disallow viewing of logs generated by protected filters
  - Disallow querying of matches against protected filters

Bug: T363906
Change-Id: Id84bd4ca7c8e0419fccc3ad83afff35067c9bf70
2024-06-13 03:15:04 -07:00
Umherirrender bd52ef6263 Use expression builder in AbuseFilterView::buildTestConditions
Bug: T350968
Change-Id: I2b91a7e5b18ac9bb4f79018014ed60e2f0830487
2024-06-12 20:43:46 +00:00
Umherirrender c3af3157b4 Use namespaced classes
Changes to the use statements done automatically via script
Addition of missing use statement done manually

Change-Id: I48fcc02c61d423c9c5111ae545634fdc5c5cc710
2024-06-12 20:01:35 +02:00
STran f5d7b68908 Force full evaluation of filter in FilterEvaluator->getUsedVars()
In some cases, evaluation short-circuits when getting a list of
used variables resulting in an incomplete array of variables. This
subsequently causes issues when using those arrays for validation
checks (eg. if protected variables are used).

- Force full evaluation by setting `mAllowShort` to false

Bug: T364485
Change-Id: Idf2112d9ebf63846cde3ce9b8a8ade0ed909505d
2024-06-11 02:43:47 -07:00
Matěj Suchánek 469d643530 Drop af_user(_text) and afh_user(_text) fields
They have been migrated to their respective _actor counterparts.

Bug: T188180
Change-Id: I76ab3a4eeaf93bf009ba3a5d4a0315443b6839ef
2024-06-10 18:48:21 +02:00
jenkins-bot a5afeff49c Merge "Drop $wgAbuseFilterActorTableSchemaMigrationStage" 2024-06-10 13:27:07 +00:00
Matěj Suchánek c2da0d4857 Drop $wgAbuseFilterActorTableSchemaMigrationStage
First patch in a series of dropping the old columns.
Wikis now need to run the maintenance script (e.g., via
update.php) prior to serving this commit.

Wikimedia wikis are already on SCHEMA_COMPAT_NEW stage.

Bug: T188180
Change-Id: I86ec2b816eed17b62bf02bfd085570f132011b3e
2024-06-10 12:08:30 +00:00
jenkins-bot 056bcafe08 Merge "Use expression builder to build where conditions" 2024-06-09 03:45:36 +00:00
jenkins-bot 7bbf55935c Merge "Hide the checkbox for protecting a filter from users without the right" 2024-06-07 10:39:43 +00:00
jenkins-bot 4b9c2e612c Merge "Clarify protected status in filter checkboxes" 2024-06-06 18:00:27 +00:00
Thalia 6428ff9232 Hide the checkbox for protecting a filter from users without the right
Any filter using protected variables must be marked as protected via
the a checkbox on the filter edit form. This checkbox should not be
visible to users without the right to use protected variables.

Bug: T364485
Change-Id: If2c4b8f50f447e951d820798f181839d10501aa3
2024-06-06 17:49:46 +01:00
STran 1c96981117 Clarify protected status in filter checkboxes
The UI/UX for acknowledging a filter will be protected/is protected
could be clearer. The checkbox implemented currently doesn't make
it clear that the acknowledgement is mandatory and filters that are
already protected allow for the checkbox to be unchecked even though
that doesn't reflect that the filter cannot be unprotected.

- Update copy for the protected filter acknowledgement to make it clear
  that it's a mandatory acknowledgement, not an optional one
- Update copy for the error that shows when a filter that should be
  protected doesn't have the acknowledgement checked
- When a filter is already protected, disable the acknowledgement
  checkbox to indicate this is not mutable

Bug: T364485
Change-Id: I667fcca4511dff1ac3ca69930c5b5e5eb5001787
2024-06-06 00:23:39 -07:00
Thalia 8f39ef3b8a Fix permission error shown on history page for protected filter
When a user without the right to see protected filters visits
Special:AbuseFilter/history/<ID>, show the permission error
message for protected filters.

Before this commit, the error message for hidden filters is
used instead, even if the filter is not hidden.

Bug: T364465
Change-Id: If2573fe256a7e29e8184feaf2f0622659706fd56
2024-06-05 15:53:04 +01:00
jenkins-bot 3897096fd7 Merge "Implement 'protected' filter acknowledgement checkbox" 2024-06-05 13:42:33 +00:00
STran 69a28f7f03 Implement 'protected' filter acknowledgement checkbox
- Add a basic checkbox on the filter edit page that must be checked if a
  filter uses a protected variable to ensure that the user is aware that
  their filter will also become protected

Bug: T364485
Change-Id: I7c7652f7d1a81223229b839ff7eee5da4af74c8a
2024-06-05 05:43:25 -07:00
jenkins-bot 4e14afa6fb Merge "Allow variables to be restricted by user right" 2024-06-04 17:20:17 +00:00
STran bf28dbce0e Allow variables to be restricted by user right
Some exposed variables (eg. `user_ip`) used in filters are sensitive
and need to only be available to restricted groups of users.

Back-end changes:
- Add `AbuseFilterProtectedVariables` which defines what variables are
  protected by the new right `abusefilter-access-protected-vars`
- Add the concept of a `protected` variable, the use of which will
  denote the entire filter as protected via a flag on `af_hidden`

New UX features:
- Display changes to the protected status of filters on history and diff
  pages
- Check for protected variables and the right to see them in filter
  validation and don't allow a filter to be saved if it uses a variable
  that the user doesn't have access to
- Check for the right to view protected variables before allowing access
  and edits to existing filters that use them

Bug: T364465
Bug: T363906
Change-Id: I828bbb4015e87040f69a8e10c7888273c4f24dd3
2024-06-04 06:54:53 -07:00