Go to file
Kosta Harlan 3b195090fe SimpleCaptcha: Allow invoking CAPTCHA display from other extensions
Why:

- In the production WMF deployment of AbuseFilter and ConfirmEdit, we
  load ConfirmEdit first, then AbuseFilter. That means that
  ConfirmEdit's onEditFilterMergedContent hook fires before
  AbuseFilter's. The problem is that AbuseFilter uses
  onEditFilterMergedContent to evaluate its rules and consequences, so
  an AbuseFilter rule that defines a "showcaptcha" consequence becomes a
  no-op, as it fires after ConfirmEdit has already decided to show or
  not show a CAPTCHA to a user.
 - All of that is to say: we need a way to tell ConfirmEdit to show a
   CAPTCHA at the time that AbuseFilter's consequences are invoked,
   which could be before or after ConfirmEdit's EditFilterMergedContent
   hook invocation, depending on how the wiki has decided to load the
   extensions

What:

- Define a flag for "shouldForceShowCaptcha", that other extensions can
  set on the SimpleCaptcha base class to indicate that ConfirmEdit must
  show a CAPTCHA (users with "skipcaptcha" right are still exempt)
- Check the isCaptchaSolved() and shouldForShowCaptcha() flags in
  ::triggersCaptcha, and also check if ConfirmEdit's
  EditFilterMergedContent hook already ran
- In CaptchaConsequence, set the forceShowCaptcha property on the
  SimpleCaptcha base class
- [misc] Add getter/setter for the captchaSolved property and the other
  new class properties

Depends-On: I7dd3a7c41606dcf5123518c2d3d0f4355f5edfd3
Bug: T20110
Change-Id: Idc47bdae8007da938f31e1c0f33e9be4813f41d7
2024-06-26 16:07:44 +00:00
.phan phan: Load AbuseFilter in phan config 2024-05-05 11:46:45 +03:00
FancyCaptcha Localisation updates from https://translatewiki.net. 2024-06-25 09:29:58 +02:00
hCaptcha build: Updating npm dependencies 2024-06-20 05:31:04 +00:00
i18n Localisation updates from https://translatewiki.net. 2024-06-17 09:30:29 +02:00
includes SimpleCaptcha: Allow invoking CAPTCHA display from other extensions 2024-06-26 16:07:44 +00:00
maintenance GenerateFancyCaptchas: Include stderr result if captcha.py returns an error code 2024-03-21 16:40:49 +00:00
QuestyCaptcha QuestyCaptcha: trim trailing spaces from the user-submitted CAPTCHA answer 2024-06-23 11:17:23 +03:00
ReCaptchaNoCaptcha build: Updating npm dependencies 2024-06-20 05:31:04 +00:00
resources build: Updating npm dependencies 2024-06-07 15:07:52 +00:00
SimpleCaptcha SimpleCaptcha: Allow invoking CAPTCHA display from other extensions 2024-06-26 16:07:44 +00:00
tests/phpunit SimpleCaptcha: Allow invoking CAPTCHA display from other extensions 2024-06-26 16:07:44 +00:00
Turnstile build: Updating npm dependencies 2024-06-20 05:31:04 +00:00
.eslintrc.json build: Switch eslint to ES6 mode, and make pass 2023-09-20 09:27:51 +01:00
.gitignore build: Upgrade eslint-config-wikimedia from 0.10.1 to 0.11.0 2019-04-03 15:54:28 -07:00
.gitreview Whoops, track not trace 2016-10-24 17:02:20 -07:00
.mailmap Update Legoktm's mailmap entry 2021-04-11 19:15:29 -07:00
.phpcs.xml tests: Replace assertEmpty with assertSame 2022-11-24 23:02:46 +01:00
.stylelintrc.json Use json extension for .stylelintrc 2017-08-19 09:42:18 +02:00
AUTHORS.txt Update AUTHORS.txt 2016-08-17 23:08:41 +02:00
badwordlist Make badwordlist optional 2023-07-28 15:03:04 -07:00
captcha-old.py Deprecate use of captcha-old.py 2024-02-19 19:11:43 +00:00
captcha.py Merge "captca.py: Fix PIL 10 support again" 2024-01-29 19:36:50 +00:00
CODE_OF_CONDUCT.md build: Updating mediawiki/phan-taint-check-plugin to 1.3.0 2018-08-19 12:06:19 -07:00
composer.json build: Updating composer dependencies 2024-05-06 05:15:53 +00:00
ConfirmEdit.alias.php Remove LEFT-TO-RIGHT MARK (U+200E) from comments 2022-08-27 08:49:20 +00:00
COPYING
extension.json AbuseFilterHooks: Provide feature flags for AF custom actions 2024-05-15 08:42:44 +02:00
Gruntfile.js build: Updating npm dependencies 2024-06-07 15:07:52 +00:00
package-lock.json build: Updating npm dependencies 2024-06-20 05:31:04 +00:00
package.json build: Updating npm dependencies 2024-06-20 05:31:04 +00:00
README.md Remove MathCaptcha 2024-04-01 18:24:00 +02:00
tox.ini *.py: Fixup a couple more linting issues 2024-01-16 22:25:27 +00:00

ConfirmEdit

ConfirmEdit extension for MediaWiki

This extension provides various CAPTCHA tools for MediaWiki, to allow for protection against spambots and other automated tools.

For more information, see the extension homepage at: https://www.mediawiki.org/wiki/Extension:ConfirmEdit

Overview

The following modules are included in ConfirmEdit:

  • SimpleCaptcha - users have to solve an arithmetic math problem
  • FancyCaptcha - users have to identify a series of characters, displayed in a stylized way
  • QuestyCaptcha - users have to answer a question, out of a series of questions defined by the administrator(s)
  • ReCaptchaNoCaptcha - users have to solve different types of visually or audially tasks.
  • hCaptcha - users have to solve visual tasks
  • Turnstile - users check a box, which runs some client-side JS heuristics

License

ConfirmEdit is published under the GPL license.

Authors

The main framework, and the SimpleCaptcha and FancyCaptcha modules, were written by Brooke Vibber.

The QuestyCaptcha module was written by Benjamin Lees.

Additional maintenance work was done by Yaron Koren.

Configuration comments

/**
 * List of IP ranges to allow to skip the captcha, similar to the group setting:
 * "$wgGroupPermission[...]['skipcaptcha'] = true"
 *
 * Specific IP addresses or CIDR-style ranges may be used,
 * for instance:
 * $wgCaptchaWhitelistIP = array('192.168.1.0/24', '10.1.0.0/16');
 */
$wgCaptchaWhitelistIP = false;

/**
 * Actions which can trigger a captcha
 *
 * If the 'edit' trigger is on, *every* edit will trigger the captcha.
 * This may be useful for protecting against vandalbot attacks.
 *
 * If using the default 'addurl' trigger, the captcha will trigger on
 * edits that include URLs that aren't in the current version of the page.
 * This should catch automated linkspammers without annoying people when
 * they make more typical edits.
 *
 * The captcha code should not use $wgCaptchaTriggers, but CaptchaTriggers()
 * which also takes into account per namespace triggering.
 */
$wgCaptchaTriggers = [];
$wgCaptchaTriggers['edit']          = false; // Would check on every edit
$wgCaptchaTriggers['create']        = false; // Check on page creation.
$wgCaptchaTriggers['sendemail']     = false; // Special:Emailuser
$wgCaptchaTriggers['addurl']        = true;  // Check on edits that add URLs
$wgCaptchaTriggers['createaccount'] = true;  // Special:Userlogin&type=signup
$wgCaptchaTriggers['badlogin']      = true;  // Special:Userlogin after failure

/**
 * You may wish to apply special rules for captcha triggering on some namespaces.
 * $wgCaptchaTriggersOnNamespace[<namespace id>][<trigger>] forces an always on /
 * always off configuration with that trigger for the given namespace.
 * Leave unset to use the global options ($wgCaptchaTriggers).
 *
 * Shall not be used with 'createaccount' (it is not checked).
 */
$wgCaptchaTriggersOnNamespace = [];

# Example:
# $wgCaptchaTriggersOnNamespace[NS_TALK]['create'] = false; //Allow creation of talk pages without captchas.
# $wgCaptchaTriggersOnNamespace[NS_PROJECT]['edit'] = true; //Show captcha whenever editing Project pages.

/**
 * Indicate how to store per-session data required to match up the
 * internal captcha data with the editor.
 *
 * 'CaptchaSessionStore' uses PHP's session storage, which is cookie-based
 * and may fail for anons with cookies disabled.
 *
 * 'CaptchaCacheStore' uses MediaWiki core's MicroStash,
 * for storing captch data with a TTL eviction strategy.
 */
$wgCaptchaStorageClass = 'CaptchaSessionStore';

/**
 * Number of seconds a captcha session should last in the data cache
 * before expiring when managing through CaptchaCacheStore class.
 *
 * Default is a half hour.
 */
$wgCaptchaSessionExpiration = 30 * 60;

/**
 * Number of seconds after a bad login that a captcha will be shown to
 * that client on the login form to slow down password-guessing bots.
 *
 * Has no effect if 'badlogin' is disabled in $wgCaptchaTriggers or
 * if there is not a caching engine enabled.
 *
 * Default is five minutes.
 */
$wgCaptchaBadLoginExpiration = 5 * 60;

/**
 * Allow users who have confirmed their email addresses to post
 * URL links without being harassed by the captcha.
 *
 * @deprecated since 1.36
 * $wgGroupPermissions['emailconfirmed']['skipcaptcha'] = true; should be used instead.
 */
$wgAllowConfirmedEmail = false;

/**
 * Number of bad login attempts before triggering the captcha.  0 means the
 * captcha is presented on the first login.
 */
$wgCaptchaBadLoginAttempts = 3;

/**
 * Regex to whitelist URLs to known-good sites...
 * For instance:
 * $wgCaptchaWhitelist = '#^https?://([a-z0-9-]+\\.)?(wikimedia|wikipedia)\.org/#i';
 * Local admins can define a whitelist under [[MediaWiki:captcha-addurl-whitelist]]
 */
$wgCaptchaWhitelist = false;

/**
 * Additional regexes to check for. Use full regexes; can match things
 * other than URLs such as junk edits.
 *
 * If the new version matches one and the old version doesn't,
 * toss up the captcha screen.
 *
 * @fixme Add a message for local admins to add items as well.
 */
$wgCaptchaRegexes = [];