wikimedia/mediawiki-extensions-ConfirmEdit

Fork 0

mirror of https://gerrit.wikimedia.org/r/mediawiki/extensions/ConfirmEdit synced 2024-11-12 01:11:15 +00:00

Commit graph

Author	SHA1	Message	Date
Kosta Harlan	3b195090fe	SimpleCaptcha: Allow invoking CAPTCHA display from other extensions Why: - In the production WMF deployment of AbuseFilter and ConfirmEdit, we load ConfirmEdit first, then AbuseFilter. That means that ConfirmEdit's onEditFilterMergedContent hook fires before AbuseFilter's. The problem is that AbuseFilter uses onEditFilterMergedContent to evaluate its rules and consequences, so an AbuseFilter rule that defines a "showcaptcha" consequence becomes a no-op, as it fires after ConfirmEdit has already decided to show or not show a CAPTCHA to a user. - All of that is to say: we need a way to tell ConfirmEdit to show a CAPTCHA at the time that AbuseFilter's consequences are invoked, which could be before or after ConfirmEdit's EditFilterMergedContent hook invocation, depending on how the wiki has decided to load the extensions What: - Define a flag for "shouldForceShowCaptcha", that other extensions can set on the SimpleCaptcha base class to indicate that ConfirmEdit must show a CAPTCHA (users with "skipcaptcha" right are still exempt) - Check the isCaptchaSolved() and shouldForShowCaptcha() flags in ::triggersCaptcha, and also check if ConfirmEdit's EditFilterMergedContent hook already ran - In CaptchaConsequence, set the forceShowCaptcha property on the SimpleCaptcha base class - [misc] Add getter/setter for the captchaSolved property and the other new class properties Depends-On: I7dd3a7c41606dcf5123518c2d3d0f4355f5edfd3 Bug: T20110 Change-Id: Idc47bdae8007da938f31e1c0f33e9be4813f41d7	2024-06-26 16:07:44 +00:00
Kosta Harlan	10b9276855	Allow showing a CAPTCHA in response to AbuseFilter consequence Why: - We want to allow administrators to invoke a CAPTCHA if an AbuseFilter is configured to do so. What: - Implement the AbuseFilterCustomActions hook and define CaptchaConsequence, which will inform AbuseFilter's implementation of onConfirmEditTriggersCaptcha that it should show a CAPTCHA - Deliberately do not register the "showcaptcha" action as a "dangerous action", because filters that use this action are aimed at bot traffic, and we don't want a bot to be able to get past the "showcaptcha" action just by making repeat requests Soft depends on I110a5f5321649dcf85993a0c209ab70b9886057c Bug: T20110 Change-Id: Ie87e3d850541c7dc44aaeb6b30489a32a0c8cc60	2024-05-12 16:16:11 +02:00

Author

SHA1

Message

Date

Kosta Harlan

3b195090fe

SimpleCaptcha: Allow invoking CAPTCHA display from other extensions

Why:

- In the production WMF deployment of AbuseFilter and ConfirmEdit, we
  load ConfirmEdit first, then AbuseFilter. That means that
  ConfirmEdit's onEditFilterMergedContent hook fires before
  AbuseFilter's. The problem is that AbuseFilter uses
  onEditFilterMergedContent to evaluate its rules and consequences, so
  an AbuseFilter rule that defines a "showcaptcha" consequence becomes a
  no-op, as it fires after ConfirmEdit has already decided to show or
  not show a CAPTCHA to a user.
 - All of that is to say: we need a way to tell ConfirmEdit to show a
   CAPTCHA at the time that AbuseFilter's consequences are invoked,
   which could be before or after ConfirmEdit's EditFilterMergedContent
   hook invocation, depending on how the wiki has decided to load the
   extensions

What:

- Define a flag for "shouldForceShowCaptcha", that other extensions can
  set on the SimpleCaptcha base class to indicate that ConfirmEdit must
  show a CAPTCHA (users with "skipcaptcha" right are still exempt)
- Check the isCaptchaSolved() and shouldForShowCaptcha() flags in
  ::triggersCaptcha, and also check if ConfirmEdit's
  EditFilterMergedContent hook already ran
- In CaptchaConsequence, set the forceShowCaptcha property on the
  SimpleCaptcha base class
- [misc] Add getter/setter for the captchaSolved property and the other
  new class properties

Depends-On: I7dd3a7c41606dcf5123518c2d3d0f4355f5edfd3
Bug: T20110
Change-Id: Idc47bdae8007da938f31e1c0f33e9be4813f41d7

2024-06-26 16:07:44 +00:00

Kosta Harlan

10b9276855

Allow showing a CAPTCHA in response to AbuseFilter consequence

Why:

- We want to allow administrators to invoke a CAPTCHA
  if an AbuseFilter is configured to do so.

What:

- Implement the AbuseFilterCustomActions hook and define
  CaptchaConsequence, which will inform AbuseFilter's implementation
  of onConfirmEditTriggersCaptcha that it should show a CAPTCHA
- Deliberately do not register the "showcaptcha" action as a "dangerous
  action", because filters that use this action are aimed at bot
  traffic, and we don't want a bot to be able to get past the
  "showcaptcha" action just by making repeat requests

Soft depends on I110a5f5321649dcf85993a0c209ab70b9886057c

Bug: T20110
Change-Id: Ie87e3d850541c7dc44aaeb6b30489a32a0c8cc60

2024-05-12 16:16:11 +02:00

2 commits