Split from https://phabricator.wikimedia.org/T110181
This might refer to the API but this should be checked everywhere
Description
Description
Details
Details
Customize query in gerrit
| Status | Subtype | Assigned | Task | ||
|---|---|---|---|---|---|
| Duplicate | Qgil | T125545 Phabricator Q&A session for Community Liaisons | |||
| Resolved | Qgil | T116025 Goal: Align Community Liaison and Developer Relations project management practices | |||
| Resolved | Qgil | T119387 Community Liaison and Developer Relation quarterly goals for January - March 2016 | |||
| Declined | None | T104131 Exporting existing newsletter to the Newsletter extension | |||
| Resolved | Addshore | T110170 Goal: Deploy Newsletter extension in Wikimedia | |||
| Resolved | Qgil | T110642 Implement all the features required for running the Newsletter extension in Wikimedia | |||
| Duplicate | None | T115098 Deploy Newsletter extension in beta cluster | |||
| Resolved | ori | T127297 Add the Newsletter extension to the Beta Cluster | |||
| Resolved | Bawolff | T115095 Security review of Newsletter extension | |||
| Resolved | Tinaj1234 | T110491 Newsletter extension should have validation |
Event Timeline
Comment Actions
<tinajohnson> This refers to input validation ^ mainly ?
<Glaisher> yes
<Glaisher> check all the input points and make sure that people are not able to enter anything that doesn't make sense
<tinajohnson> and requires live valiation ?
<Glaisher> what do you mean by live validation?
<tinajohnson> hm, the kind you see in bootstrap form.. you get a tick icon right away after the text is entered
<Glaisher> oh, you mean ajax
<tinajohnson> yup
<Glaisher> No, this is about actually validating real input on the forms
<Glaisher> but I guess we could ajax validation for the forms later
<Glaisher> but that's not a must
<tinajohnson> the kind in https://junior.inctf.in/register/user/
<tinajohnson> okay, noted
<Glaisher> For example, in the the form which lets you add publishers, make you sure you can add only real users
<Glaisher> not an IP or a user that doesn't exist
<tinajohnson> okay
<qgil> I guess we need to document every form in the description of that task, and assue that we are applying the right validation?
<qgil> or types of input
<tinajohnson> right, that would be good
<Glaisher> we could do the [X] check thing
<Glaisher> List all the input points
<tinajohnson> okay, great!
<qgil> In fact...
<qgil> Isn't http://newsletter-test.wmflabs.org/wiki/Special:CreateNewsletter all the input we have?
<qgil> 3 fields
<qgil> ah no
<Glaisher> no, there's some other forms as well
<Glaisher> and the API
<qgil> announce newsletter
<tinajohnson> yeah, add publishers
<Glaisher> You could go through all of them and make sure someone wouldn't be able to add random stuff there
<qgil> but do checkboxes and buttons need validation?
<tinajohnson> just text input boxes, right ?
<Glaisher> I think HTMLForm does validation for checkboxes and dropdowns
<Glaisher> (not sure)
<tinajohnson> checking..
Comment Actions
I think it would be better to decide what all kinds of inputs are allowed for the form fields that needs validation. Two pages have forms and thus require validation, Special:ManageNewsletter and Special:CreateNewsletter.
Special:ManageNewsletter
- Publisher name - Does not take IP addresses or invalid usernames as of now.
Special:CreateNewsletter
- Name of newsletter - we allow numbers, so right now IP addresses are possible. Is that okay ?
- Descripton - Should have a minimum length of 20 maybe ? (can prevent one word descriptions)
- Title of Main page - Only takes those pages which exist. Anything else to be done here ?
And in the announce newsletter section we have,
- Summary of this issue - Would require the same validation as description of newsletter.
- Page title of issue - only takes valid existing pages.
Comment Actions
Change 266049 had a related patch set uploaded (by Tinaj1234):
Add minimum length for description field
Comment Actions
Change 267666 had a related patch set uploaded (by Tinaj1234):
Validating parameter passed to database from API
Comment Actions
Change 267666 merged by jenkins-bot:
Validating parameter passed to database from API
Comment Actions
anything more to be done on this patch @Glaisher, @Addshore, @Tinaj1234 ? We still have this open, and blocking deployment !
Comment Actions
Anything else needed will be caught by the security review, this can likely be closed.
Comment Actions
I'm not happy with the validation on Special:CreateNewsletter yet. I'll try to work on something...
Comment Actions
Change 270496 had a related patch set uploaded (by Glaisher):
Add NewsletterValidator and changes to Special:CreateNewsletter
Comment Actions
Change 270496 merged by jenkins-bot:
Add NewsletterValidator and changes to Special:CreateNewsletter
Comment Actions
Deployed in http://newsletter-test.wmflabs.org/wiki/Special:CreateNewsletter.
Should be safe to close now.