Commit graph

109 commits

Author SHA1 Message Date
Gergő Tisza 42d4f55cf6 Fix unescaped i18n message use in captcha label
Bug: T373732
Change-Id: Ib9079feead4bfe0f1fd2c832c6cabb6eb7149534
2024-11-13 11:47:44 +01:00
Reedy 106a63e3b4 hCaptcha: Variablise api and verify urls
Bug: T378207
Change-Id: I62b7a418be4cb3a4a51937ae331a4aad22dc5732
2024-11-06 19:24:04 +00:00
Reedy cd607319c2 hCaptcha: Extra logging for captcha solve
Bug: T377341
Change-Id: I53934a3a0756878e18de336fd644b54f542ee9e5
2024-11-06 19:19:24 +00:00
Reedy 48a60aa762 Various minor code cleanup
Change-Id: I75f34c66f1c1968cfb9a3e1932068ec2420e0fa6
2024-10-30 01:48:33 +00:00
Reedy a801949300 Remove class_alias calls and cleanup Autoloads
Existed since 1.39 in I3fa9747e0ea970c5de39e2da8603e1bba9388a69

Change-Id: I17a648aaf7644d00cd82966a88dab8f33d2e317f
2024-10-30 01:48:14 +00:00
Reedy 9f2e976f10 Attempt to flatten out PHP files in sub extensions
In an attempt to be able to have easier code coverage...

Bug: T377750
Change-Id: I556f5f2753fae77df4f34b64bccdb7d68f2825b0
2024-10-30 01:48:14 +00:00
Umherirrender 1cfba87b23 Use namespaced classes
Changes to the use statements done automatically via script
Addition of missing use statement done manually

Change-Id: I60968f9b735b27eaef20e5d42af322a8c2ecd257
2024-10-19 23:34:41 +02:00
Umherirrender 29103eecde Add missing documentation to class properties
Change-Id: Ic7872cd2539dc79f88c70548cbd82d9de98f66b0
2024-08-19 21:36:23 +02:00
Bartosz Dziewoński 8ee87bf121 Use namespaced MessageSpecifier
Depends-On: I9ff4ff7beb098b60c92f564591937c7d789c6684
Change-Id: I45481710477a3b9bda86670e10fb2fdf75f63260
2024-07-28 21:59:31 +02:00
Kosta Harlan 3b195090fe SimpleCaptcha: Allow invoking CAPTCHA display from other extensions
Why:

- In the production WMF deployment of AbuseFilter and ConfirmEdit, we
  load ConfirmEdit first, then AbuseFilter. That means that
  ConfirmEdit's onEditFilterMergedContent hook fires before
  AbuseFilter's. The problem is that AbuseFilter uses
  onEditFilterMergedContent to evaluate its rules and consequences, so
  an AbuseFilter rule that defines a "showcaptcha" consequence becomes a
  no-op, as it fires after ConfirmEdit has already decided to show or
  not show a CAPTCHA to a user.
- All of that is to say: we need a way to tell ConfirmEdit to show a
  CAPTCHA at the time that AbuseFilter's consequences are invoked,
  which could be before or after ConfirmEdit's EditFilterMergedContent
  hook invocation, depending on how the wiki has decided to load the
  extensions

What:

- Define a flag for "shouldForceShowCaptcha", that other extensions can
  set on the SimpleCaptcha base class to indicate that ConfirmEdit must
  show a CAPTCHA (users with "skipcaptcha" right are still exempt)
- Check the isCaptchaSolved() and shouldForceShowCaptcha() flags in
  ::triggersCaptcha, and also check if ConfirmEdit's
  EditFilterMergedContent hook already ran
- In CaptchaConsequence, set the forceShowCaptcha property on the
  SimpleCaptcha base class
- [misc] Add getter/setter for the captchaSolved property and the other
  new class properties

Depends-On: I7dd3a7c41606dcf5123518c2d3d0f4355f5edfd3
Bug: T20110
Change-Id: Idc47bdae8007da938f31e1c0f33e9be4813f41d7
2024-06-26 16:07:44 +00:00
Wandji69 4e0570e5cf Use ObjectCacheFactory methods
Bug: T363770
Change-Id: I66ffd2d559a22c72a72b1f664a9332900704d503
2024-06-10 02:37:01 +01:00
Umherirrender 81d0c7bcd4 Use namespaced classes
Changes to the use statements done automatically via script
Addition of missing use statement done manually

Change-Id: I325f5bab163cddf76dbf8d5a6eca35a7ed7b6df7
2024-06-08 23:46:45 +02:00
Kosta Harlan 81e9cb99c0 AbuseFilterHooks: Provide feature flags for AF custom actions
Why:

- There are issues with the current "showcaptcha" action, and we need to
  disable it until the problems are fixed

What:

- Define a feature flag to enable custom actions. For now, nothing is
  enabled.

Bug: T20110
Change-Id: I3484d66298bc9f49dfbe003a0605e2ac1a092e10
2024-05-15 08:42:44 +02:00
Kosta Harlan 10b9276855 Allow showing a CAPTCHA in response to AbuseFilter consequence
Why:

- We want to allow administrators to invoke a CAPTCHA
  if an AbuseFilter is configured to do so.

What:

- Implement the AbuseFilterCustomActions hook and define
  CaptchaConsequence, which will inform AbuseFilter's implementation
  of onConfirmEditTriggersCaptcha that it should show a CAPTCHA
- Deliberately do not register the "showcaptcha" action as a "dangerous
  action", because filters that use this action are aimed at bot
  traffic, and we don't want a bot to be able to get past the
  "showcaptcha" action just by making repeat requests

Soft depends on I110a5f5321649dcf85993a0c209ab70b9886057c

Bug: T20110
Change-Id: Ie87e3d850541c7dc44aaeb6b30489a32a0c8cc60
2024-05-12 16:16:11 +02:00
Fomafix efe5dd0cfb Inject service MainWANObjectCache into Hooks
Change-Id: Ib6561efa67e61b5a5cf93b284e36fcf3f49c603b
2024-04-26 20:49:06 +00:00
Umherirrender bcdde67ebd Add explicit parentheses around mixed boolean operator
Mixing different binary boolean operators within an expression
without using parentheses to clarify precedence is not allowed (T358966)

Change-Id: I908691348d259d868f39a7737614be82c9ce0c75
2024-03-23 00:52:19 +01:00
jenkins-bot 9625c91e18 Merge "FancyCaptcha: Allow configuration of the actual directory captchas are stored in"
2024-01-26 16:18:10 +00:00
Umherirrender 56ffbcc0ce Drop RL targets definitions from module definition, no longer honoured
Bug: T328497
Change-Id: Iba720a37e81af7b4f462b3dee0596e7133c3bb63
2024-01-23 21:52:48 +01:00
Gergő Tisza b52d63ee9d Revert "Drop various class aliases"
This reverts commit 3798d424e2.

Bug: T355198
Change-Id: I99ecee703cdfa06198eeede96e6c3bdda2d457e0
2024-01-17 04:46:58 +00:00
Reedy 3798d424e2 Drop various class aliases
Move manual wgAutoloadClasses entries into TestAutoloadClasses

Change-Id: I4c85a2042ae591732b48bbf872277909a90675b4
2024-01-16 10:49:21 +00:00
Reedy 36bd54e4ec FancyCaptcha: Allow configuration of the actual directory captchas are stored in
Change-Id: Iecc48db5237adc5b89c99019faac0af425e4eb5d
2024-01-15 15:43:46 +00:00
Derick Alangi 6f2fbd1d00 Store: Use the MicroStash store only and drop dead code
In this patch, we can now make use of MicroStash only and
drop dead code.

At this point, we're sure that there are no captchas in the
main stash, freeing up this memory for other requests to use.

Bug: T336004
Change-Id: I6aa69636f2f94e3bd18afc66eac37146d00771d1
2023-12-19 14:45:50 +00:00
Bartosz Dziewoński 2c6fe24521 Move login attempt counting to a separate class
This has nothing to do with CAPTCHA generation, and the only thing it
needs from the SimpleCaptcha class is checking whether a CAPTCHA on
bad login is enabled at all.

Also improve comments in CaptchaPreAuthenticationProvider. I found the
session flag business really difficult to understand.

Change-Id: I8200531718aaa11effcb07539204e1a05ed432e0
2023-12-13 15:18:39 -08:00
Umherirrender 92bc1f3d2f Use namespaced classes
Changes to the use statements done automatically via script
Addition of missing use statements done manually

Change-Id: Id44f211320e56bc83e4c8f243369dc4eb562cf37
2023-12-11 00:07:55 +01:00
Derick Alangi bb201b86e4 Store: Enable ConfirmEdit to use MicroStash for captcha storage
ConfirmEdit uses MainStash as the backend to write its captchas. We
are migrating this extension to use the MicroStash store instead which
is more suitable.

This patch will store the captcha in MicroStash, read it from there
or fallback to MainStash if lookup was not successful. The code will
then clear both stores once after processing.

Migration plan
==============

step .1: Write to microstash store only, read from it or
         fallback to mainstash store. Then delete from
         both backends.

step .2: Read from microstash store only, delete from the
         microstash store, and remove dead code afterward.

Bug: T336004
Change-Id: Ie7c50a6efe7a0aefc97a712b2ad961e7837cc4cf
2023-11-29 11:35:45 +01:00
jenkins-bot c7c261841a Merge "Migrate from wgWikimediaJenkinsCI to MW_QUIBBLE_CI constant"
2023-09-11 10:13:21 +00:00
Timo Tijhof becb9038ca Migrate from wgWikimediaJenkinsCI to MW_QUIBBLE_CI constant
Details in Ia4df6350f849ca27.

The global variable will still work in most cases, but the way it was
used here (as wgExtensionFunctions callback) will stop working to
allow MW core to run plain `phpunit` (T90875).

Migrate to the MW_QUIBBLE_CI constant instead, which is set in all
the same circumstances

Change-Id: I25acee1e6e88ca745435cbfa0b398041f04c94d6
2023-09-07 20:19:58 +00:00
Bartosz Dziewoński 2dfc290c57 Remove incorrect documentation comment
isBadLoginPerUserTriggered() can never return null. This comment was
added in 2016 in 31c59374a4 and it was
already incorrect then. I don't know where this idea came from.

Change-Id: Ib919999fe83562cb4fa80246ae7c6b4707da775c
2023-08-24 00:12:19 +02:00
gerritbot 4bc5e7ed8f Replace some moved Title class uses, now MediaWiki\Title\Title
Bug: T321681
Change-Id: I639a03a5f828d7036e29a11a8a45d8d1e8923590
2023-08-19 04:14:21 +00:00
Umherirrender 0b0f9e37af Use HookHandlers for core hooks
Bug: T269882
Change-Id: I91df459f696e99bb5cce597739b48cbebbf4a88e
2023-08-15 12:21:21 +02:00
Umherirrender 5740fcf8c4 docs: Use IContextSource for EditFilterMergedContent hook handler
Use narrow interface IContextSource instead of class RequestContext

Change-Id: Ibe2c9101f40ac28a0c65eade35af896f9a54c285
2023-08-15 12:20:42 +02:00
Daimona Eaytoy 364b71f3ec Replace deprecated MWException
Also avoid throwing Exception directly and use RuntimeException instead,
not documenting it with @throws as it's unchecked, as per
https://www.mediawiki.org/wiki/Manual:Coding_conventions/PHP#Exception_handling.

Bug: T328220
Change-Id: I19df0e7e66d1e421d038109b9d2db9c0b63c709c
2023-06-07 17:44:23 +02:00
Aaron Schulz 61d8028d69 Use WRITE_BACKGROUND in CaptchaCacheStore and rename "cache" to "store"
This lays some groundwork for migrating from the main stash to a future
stash that resides in the primary datacenter.

Bug: T336004
Change-Id: I70ee88e9371af19890cb9e3da612d2bb7dc335e8
2023-06-06 12:59:42 -07:00
James D. Forrester b2629c909b Hooks: Fix EmailUserHook call documentation to match new signature
Change-Id: I917534c6b1b613793893e514a9116ba0468e272a
2023-05-19 14:14:54 +03:00
gerritbot b8c790cd14 Update moved class EditPage
See T321882. Moved in Ibefc44eb64aed

Bug: T321681
Change-Id: Ifa1c20cd4e6ef6856194d4228dd542a9e2fda43f
2023-05-07 01:08:19 +02:00
Gergő Tisza d0e1c811c7 Restore auth request ID from before namespacing
Bug: T316410
Change-Id: I144af55c368d93326d0ae78a85790e81bc3d9c7f
2022-08-27 00:29:16 +00:00
jenkins-bot 00470e1388 Merge "Run ConfirmEditTriggersCaptchaHook under correct name"
2022-08-04 20:05:44 +00:00
Alexander Vorwerk 16fcb03340 Run ConfirmEditTriggersCaptchaHook under correct name
also fix the var name to match the one in the interface

Bug: T303433
Follow-Up: If48689fe068aa3ec56e51e01b84cf25c63bcbf0b
Change-Id: Ie47b98d08cba5217f8661aa44f6331447575d7ae
2022-08-04 21:45:01 +02:00
Reedy 30cd1d8a23 Namespace base classes
Change-Id: I3fa9747e0ea970c5de39e2da8603e1bba9388a69
2022-07-30 18:13:03 +00:00
Kosta Harlan aca8deafb1 phpunit: Check for MW_PHPUNIT_TEST constant
$wgWikimediaJenkinsCI may not be enabled in LocalSettings.php.

tests/phpunit/phpunit.php reads this global, but vendor/bin/phpunit does
not.

Bug: T90875
Change-Id: I91628f0e63d4f67d1d3060cca3a17b95e0faf826
2022-07-12 18:44:01 +02:00
Alexander Vorwerk 607452ef05 Add new ConfirmEditTriggersCaptchaHook
This allows the dynamic activation of CAPTCHAS triggering without the
need to change the configuration.

This lays the foundation for stewards to later be able to activate
'emergency captchas' via an on-wiki interface.

Bug: T303433
Change-Id: If48689fe068aa3ec56e51e01b84cf25c63bcbf0b
2022-06-30 18:59:45 +00:00
Alexander Vorwerk 54d07d494e Add missing use statement in ConfirmEditHooks
Change-Id: I9f4e1fd82ee569ffb00de334a2ec02df5e166b31
2022-06-13 09:29:56 +02:00
Jon Robson 8b36b3be43 Use Html::warningBox instead of hardcoded class
Bug: T304272
Change-Id: Ic77910718d329401b25f178b50172d1fe7d5c8a3
2022-03-24 11:03:48 -07:00
Reedy bc400cc07e Update documentation for ConfirmEditHooks::onEditPageBeforeEditButtons
Fixes phan issue

Follow-Up: If41d16b473baddd92cc4261cdc2bfbe65fedcb19
Change-Id: I05f1ba79fb557a12c4ffb5709430849847273679
2022-03-11 21:13:18 +00:00
Umherirrender 0beb466cf7 build: Remove unneeded phan suppression
Bug: T290624
Change-Id: Ib7e9801977e6f27189952d23f96eb644a4e289d8
2022-02-12 00:35:22 +01:00
Reedy b24721bb96 Suppress SecurityCheck-DoubleEscaped in ConfirmEditHooks::onAlternateEditPreview
Bug: T295708
Change-Id: If9018f4bc5c2df11a7ac48c3f26a6e0f1b6835e3
2021-11-16 14:51:35 +00:00
libraryupgrader 5a256ffa65 build: Updating composer dependencies
* mediawiki/mediawiki-phan-config: 0.10.6 → 0.11.0
* php-parallel-lint/php-parallel-lint: 1.3.0 → 1.3.1

Change-Id: If86cb3cf74e27abd544aefc15a7579dd554fe419
2021-09-08 23:10:31 +00:00
libraryupgrader 81a524e2e9 build: Updating dependencies
composer:
* mediawiki/mediawiki-codesniffer: 36.0.0 → 37.0.0

npm:
* postcss: 7.0.35 → 7.0.36
  * https://npmjs.com/advisories/1693 (CVE-2021-23368)
* glob-parent: 5.1.0 → 5.1.2
  * https://npmjs.com/advisories/1751 (CVE-2020-28469)
* trim-newlines: 3.0.0 → 3.0.1
  * https://npmjs.com/advisories/1753 (CVE-2021-33623)

Change-Id: I57837ebf8054a2e968d207fecb3f12397c18e2a2
2021-07-22 14:24:25 +00:00
James D. Forrester 4e62a8f53e Update ConfirmEdit hook running to use HookContainer, partially
I've left alone the pass-through hooks into the sub-extensions for now.
That'll be the next patch

Bug: T269882
Change-Id: I62eedd4afc36b4610a138b84b02d2cc48ce0ae2f
2020-12-13 08:52:18 -08:00
libraryupgrader a38c96140e build: Updating mediawiki/mediawiki-phan-config to 0.10.4
Change-Id: Id88999106d58d86395b6d60635c7005a28d16f0b
2020-11-20 03:04:10 +00:00