
Do not put "verified" template on UploadWizard Flicker uploads if user isn't trusted
Closed, ResolvedPublic

Description

UploadWizard can directly upload images from Flickr (using an in-app selection dialog and server-side upload), with a license check, but license checking happens in JavaScript and a malicious user could easily fake it. Because of that, the Flickr upload feature has been limited to some privileged user groups on Commons (and now apparently they broke it even for those people with an abuse filter). It would be nice to do the check on the server side (see T89131: Server side flickr review), but as a temporary workaround at least stop it from claiming the image is verified (use the flickrreview template instead of FlickrVerifiedByUploadWizard), which would unbreak the upload process and make it possible to enable the upload UI for everyone. It should still be fine to add FlickrVerifiedByUploadWizard if the account is trusted, however (for example administrators).
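The workaround described above, as an added example that is not UploadWizard's own code: the first function trusts a verdict sent by the browser, the second picks the template only from the server's record of the account's groups. The function names, request shape and group names are assumptions made for this sketch; only the two template names come from the task.

```javascript
// Added illustration, not code from UploadWizard or MediaWiki.
// Assumed group names for this sketch; a real wiki defines its own.
const TRUSTED_GROUPS = new Set(['sysop', 'extended-uploader']);

// Before: the verdict comes from the request body, which is whatever the
// browser (or a hand-written HTTP client) chose to send.
function pickTemplateFromClient(body) {
  return body.licenseChecked === true
    ? 'FlickrVerifiedByUploadWizard'
    : 'flickrreview';
}

// After: the request body is deliberately ignored for the trust decision.
// Only the server-side session's group list for the authenticated account
// is consulted; anything else falls back to {{flickrreview}} so the
// review bot checks the license later.
function pickTemplateFromSession(session, body) {
  const groups = Array.isArray(session.groups) ? session.groups : [];
  const trusted = groups.some((g) => TRUSTED_GROUPS.has(g));
  return trusted ? 'FlickrVerifiedByUploadWizard' : 'flickrreview';
}

function wikitextFor(templateName) {
  return '{{' + templateName + '}}';
}

// Constructed sample data: a request body that claims the check passed and
// even claims a privileged group, sent from an ordinary account.
const forgedBody = { licenseChecked: true, groups: ['sysop'] };
const ordinarySession = { user: 'ExampleUser', groups: ['user', 'autoconfirmed'] };
const adminSession = { user: 'ExampleAdmin', groups: ['user', 'sysop'] };

console.log('client-trusting:', wikitextFor(pickTemplateFromClient(forgedBody)));
console.log('ordinary account:', wikitextFor(pickTemplateFromSession(ordinarySession, forgedBody)));
console.log('administrator:', wikitextFor(pickTemplateFromSession(adminSession, forgedBody)));
```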

Event Timeline

MarkTraceur raised the priority of this task from to Medium.
MarkTraceur updated the task description.
MarkTraceur added subscribers: Tgr, TheDJ, Bawolff and 3 others.

Change 212948 had a related patch set uploaded (by Brian Wolff):
[WIP] Add flickr checking to backend

https://gerrit.wikimedia.org/r/212948

Change 213234 had a related patch set uploaded (by MarkTraceur):
Use new Flickr API instead of old hacky JS

https://gerrit.wikimedia.org/r/213234

MarkTraceur lowered the priority of this task from Medium to Low. Dec 3 2015, 8:03 PM
MarkTraceur added a project: Technical-Debt.

Change 212948 abandoned by MarkTraceur:
[WIP] Add flickr checking to backend

Reason:
No progress, not a priority, can revive later

https://gerrit.wikimedia.org/r/212948

Change 213234 abandoned by MarkTraceur:
Use new Flickr API instead of old hacky JS

Reason:
No progress on parent patch, not a priority, can be revived later

https://gerrit.wikimedia.org/r/213234

Could someone write a description for this task? What is the goal here?

@kaldari no problem, here it is, with free patch!! T210339

@AlexisJazz: You are very welcome to use developer access to submit your proposed code changes as a Git branch directly into Gerrit. If you don't want to set up Git/Gerrit, you can also use the Gerrit Patch Uploader. Thanks.

Tgr renamed this task from Remove Flickr checking from client side to Do not put "verified" template on UploadWizard Flicker uploads. Dec 6 2018, 8:02 AM
Tgr updated the task description.
Tgr updated the task description.
Tgr removed a parent task: T89131: Server side flickr review.

Rewrote the description to be a little more helpful.

kaldari claimed this task.

I fixed the AbuseFilter, so this should no longer be an issue. Extended-uploaders are trusted regarding licensing, so I just exempted them from the filter. Agree that moving the check to the server-side is the best long-term solution, but that's covered in T89131.

I think there is still value in changing the template (at least for non-extended-uploaders) as that way everyone could use the Flickr upload interface, which is a much more convenient way of uploading those files. That was the original reason for filing this task - that the Flickr upload button is now disabled for most users, even though the tool doesn't do anything you couldn't do by hand, because the use of the verified template disrupted workflows.
(Granted, the Commons community might well decide to not widen access to the tool even if that happens, as they tend to be concerned with making uploading too easy. So maybe that should be checked first.)

@Tgr - Good point, I'll tweak the working...

kaldari renamed this task from Do not put "verified" template on UploadWizard Flicker uploads to Do not put "verified" template on UploadWizard Flicker uploads if user isn't trusted. Dec 10 2018, 6:35 PM
kaldari updated the task description.

"It should still be fine to add FlickrVerifiedByUploadWizard if the account is trusted, however (for example administrators)."

@kaldari actually even that isn't really great. UploadWizard doesn't look at https://commons.wikimedia.org/wiki/Commons:Questionable_Flickr_images but the Flickr review bot does. Correction, it does. Why did I think it doesn't?

Change 485141 had a related patch set uploaded (by Zhuyifei1999; owner: Alexis Jazz):
[mediawiki/extensions/UploadWizard@master] mw.FlickrChecker: Use {{flickrreview}}

https://gerrit.wikimedia.org/r/485141

Change 485141 merged by jenkins-bot:
[mediawiki/extensions/UploadWizard@master] mw.FlickrChecker: Use {{flickrreview}}

https://gerrit.wikimedia.org/r/485141

@kaldari errr I think so. I hope FlickreviewR 2 isn't going to break anytime soon as Zhuyifei1999 has left the building, but that's an unrelated matter.