Do not put "verified" template on UploadWizard Flicker uploads if user isn't trusted
Open, Low, Public

Description

UploadWizard can directly upload images from Flickr (using an in-app selection dialog and server-side upload), with a license check, but license checking happens in JavaScript and a malicious user could easily fake it. Because of that, the Flickr upload feature has been limited to some privileged user groups on Commons (and now apparently they broke it even for those people with an abuse filter). It would be nice to do the check on the server side (see T89131: Server side flickr review), but as a temporary workaround at least stop it from claiming the image is verified (use the flickrreview template instead of FlickrVerifiedByUploadWizard), which would unbreak the upload process and make it possible to enable the upload UI for everyone. It should still be fine to add FlickrVerifiedByUploadWizard if the account is trusted, however (for example administrators).

MarkTraceur updated the task description.
MarkTraceur raised the priority of this task from to Normal.
MarkTraceur added subscribers: Tgr, TheDJ, Bawolff and 3 others.

Change 212948 had a related patch set uploaded (by Brian Wolff):
[WIP] Add flickr checking to backend

https://gerrit.wikimedia.org/r/212948

Change 213234 had a related patch set uploaded (by MarkTraceur):
Use new Flickr API instead of old hacky JS

https://gerrit.wikimedia.org/r/213234

Steinsplitter moved this task from Incoming to Uploading on the Commons board. Jun 1 2015, 2:15 PM
Bawolff set Security to None.
Restricted Application added a project: Notice. Jun 4 2015, 10:07 PM
Bawolff moved this task from Unscheduled to June 2015 on the Roadmap board. Jun 4 2015, 10:07 PM
gpaumier moved this task from Backlog to Triaged on the Notice board. Jun 11 2015, 4:52 PM
Jdforrester-WMF moved this task from June 2015 to July 2015 on the Roadmap board. Jun 18 2015, 4:07 PM
Restricted Application added a subscriber: Matanya. Jun 29 2015, 10:38 PM
gpaumier moved this task from Triaged to Archive on the Notice board. Jul 2 2015, 8:19 PM
Jdforrester-WMF moved this task from Untriaged to Backlog on the Multimedia board. Sep 4 2015, 6:23 PM
MarkTraceur lowered the priority of this task from Normal to Low.

Change 212948 abandoned by MarkTraceur:
[WIP] Add flickr checking to backend

Reason:
No progress, not a priority, can revive later

https://gerrit.wikimedia.org/r/212948

Change 213234 abandoned by MarkTraceur:
Use new Flickr API instead of old hacky JS

Reason:
No progress on parent patch, not a priority, can be revived later

https://gerrit.wikimedia.org/r/213234

Rillke added a subscriber: Rillke. Mar 15 2016, 12:09 AM
Jeff_G added a subscriber: Jeff_G.
kaldari added a subscriber: kaldari. Wed, Dec 5, 6:38 PM

Could someone write a description for this task? What is the goal here?

@kaldari no problem, here it is, with free patch!! T210339

AlexisJazz updated the task description. Thu, Dec 6, 3:40 AM

no problem, here it is, with free patch!! T210339

@AlexisJazz: You are very welcome to use developer access to submit your proposed code changes as a Git branch directly into Gerrit. If you don't want to set up Git/Gerrit, you can also use the Gerrit Patch Uploader. Thanks.

Tgr renamed this task from Remove Flickr checking from client side to Do not put "verified" template on UploadWizard Flicker uploads. Thu, Dec 6, 8:02 AM
Tgr updated the task description.
Tgr updated the task description.
Tgr removed a parent task: T89131: Server side flickr review.
Tgr added a comment. Thu, Dec 6, 8:05 AM

Rewrote the description to be a little more helpful.

kaldari closed this task as Resolved. Thu, Dec 6, 11:04 PM
kaldari claimed this task.

I fixed the AbuseFilter, so this should no longer be an issue. Extended-uploaders are trusted regarding licensing, so I just exempted them from the filter. Agree that moving the check to the server-side is the best long-term solution, but that's covered in T89131.

Tgr added a comment. Thu, Dec 6, 11:22 PM

I think there is still value in changing the template (at least for non-extended-uploaders) as that way everyone could use the Flickr upload interface, which is a much more convenient way of uploading those files. That was the original reason for filing this task - that the Flickr upload button is now disabled for most users, even though the tool doesn't do anything you couldn't do by hand, because the use of the verified template disrupted workflows.
(Granted, the Commons community might well decide to not widen access to the tool even if that happens, as they tend to be concerned with making uploading too easy. So maybe that should be checked first.)

kaldari reopened this task as Open. Mon, Dec 10, 6:31 PM

@Tgr - Good point, I'll tweak the working...

kaldari renamed this task from Do not put "verified" template on UploadWizard Flicker uploads to Do not put "verified" template on UploadWizard Flicker uploads if user isn't trusted. Mon, Dec 10, 6:35 PM
kaldari updated the task description.

"It should still be fine to add FlickrVerifiedByUploadWizard if the account is trusted, however (for example administrators)."

@kaldari actually even that isn't really great. UploadWizard doesn't look at https://commons.wikimedia.org/wiki/Commons:Questionable_Flickr_images but the Flickr review bot does.
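
The decision discussed in the task description and in the last comment, as an added example that is not part of the task or of UploadWizard's code: the template is chosen on the server from the session's user groups and a server-held list of questionable Flickr accounts, never from the browser's license check. It goes beyond the task's workaround by also applying the list check raised in the last comment. The group names, the account IDs, the argument shapes and the parameterless template calls are assumptions.

```javascript
'use strict';

// Assumed names of the trusted groups; the task only says "trusted" accounts
// such as administrators and extended uploaders.
const TRUSTED_GROUPS = new Set(['sysop', 'extendeduploader']);
// Constructed stand-in for Commons:Questionable_Flickr_images.
const QUESTIONABLE_FLICKR_ACCOUNTS = new Set(['00000000@N00']);

// Template names from the task; their parameters are omitted here.
const VERIFIED = '{{FlickrVerifiedByUploadWizard}}';
const NEEDS_REVIEW = '{{flickrreview}}';

// Behaviour the task describes: the browser-side check decides, so a
// forged request field is enough to get the "verified" template.
function templateTrustingClient(request) {
  return request.clientLicenseOk === true ? VERIFIED : NEEDS_REVIEW;
}

// Server-side choice. `sessionUser` comes from the authenticated session and
// `fetchedPhoto` from the server's own fetch of the file (both hypothetical
// shapes); nothing the browser asserted about the license is read.
function templateForUpload(sessionUser, fetchedPhoto) {
  const groups = Array.isArray(sessionUser && sessionUser.groups) ? sessionUser.groups : [];
  const trusted = groups.some((g) => TRUSTED_GROUPS.has(g));
  if (!trusted) return NEEDS_REVIEW;
  // Unknown owner or listed owner: leave it to the Flickr review bot.
  const owner = fetchedPhoto && fetchedPhoto.ownerId;
  if (!owner || QUESTIONABLE_FLICKR_ACCOUNTS.has(owner)) return NEEDS_REVIEW;
  return VERIFIED;
}

// Constructed uploads: a new user with a forged client flag, an
// administrator, and an administrator uploading from a listed account.
function runSamples() {
  const forged = { clientLicenseOk: true };
  const clean = { ownerId: '11111111@N01' };
  const listed = { ownerId: '00000000@N00' };
  return {
    clientTrusted: templateTrustingClient(forged),
    newUser: templateForUpload({ groups: ['user'] }, clean),
    admin: templateForUpload({ groups: ['user', 'sysop'] }, clean),
    adminListedAccount: templateForUpload({ groups: ['sysop'] }, listed),
    noSession: templateForUpload(null, clean),
  };
}

console.log(runSamples());
```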