Page MenuHomePhabricator
Create Task
Maniphest T140472

Flow: Update to stop using buildCssLinks and for related ConfirmEdit change
Closed, ResolvedPublic
Actions

Assigned To
Mattflaschen-WMF
Authored By
Krinkle
Jul 15 2016, 2:26 PM
Tags
Referenced Files
F4358197: spam_filter2.png
Aug 12 2016, 11:32 PM
F4346293: Screen Shot 2016-08-08 at 12.46.05 PM.png
Aug 9 2016, 1:42 AM
F4306623: Flow ConfirmEdit FancyCaptcha addurl trigger just remove.png
Jul 25 2016, 7:24 PM
F4306613: Flow ConfirmEdit FancyCaptcha addurl trigger current.png
Jul 25 2016, 7:24 PM
F4306614: Flow ConfirmEdit FancyCaptcha addurl trigger current DOM.png
Jul 25 2016, 7:24 PM
Subscribers
Aklapper
Catrope
Etonkovidova
gerritbot
Krinkle
Mattflaschen-WMF
ori
Zppix
Tokens
"Orange Medal" token, awarded by Krinkle.

Description

Per T87871#2464320, it's no longer practical to expose partial html snippets for <head>. Anything related to module loading should be loaded as a whole because we want to manage state across it. And this breaks if callers call them in the wrong order or if not all of them are called.

In order to ensure dependencies are not loaded twice, we also need to know which style modules are loaded before loading script modules, as such, there is basically no way to expose a partial like buildCssLinks. I want to deprecate and remove these methods. None of the four partials are called anywhere, except buildCssLinks and getScriptsForBottomQueue, these have one external caller: Flow.

https://github.com/wikimedia/mediawiki-extensions-Flow/blob/3df503188c/includes/SpamFilter/ConfirmEdit.php#L44-L45

			$html = $wgOut->buildCssLinks() .
				$wgOut->getScriptsForBottomQueue( true ) .
				$html;

Can someone figure out whether this is still used, whether it still works, and how it can be done instead? It's seems unlikely to me that this is working properly. Where does this HTML end up being sent to? How can the client render that partial in a meaningful way?

Details

SubjectRepoBranchLines +/-
ConfirmEdit: Stop using buildCssLinks, adapt to ConfirmEdit refactormediawiki/extensions/Flowmaster+199 -67
Customize query in gerrit

Related Objects
Search...

Event Timeline

Krinkle created this task.Jul 15 2016, 2:26 PM
Restricted Application added a subscriber: Zppix. · View Herald TranscriptJul 15 2016, 2:26 PM
Mattflaschen-WMF added a project: Collab-Team-Q1-July-Sep-2016.Jul 15 2016, 11:46 PM
jmatazzoni moved this task from Untriaged to Ready for Pickup on the Collab-Team-Q1-July-Sep-2016 board.Jul 18 2016, 10:12 PM
Krinkle added a comment.Jul 20 2016, 12:07 AM

This currently blocks https://gerrit.wikimedia.org/r/299148 and completion of T87871.

Mattflaschen-WMF added a comment.Jul 25 2016, 7:24 PM

To reproduce the current state:

  1. Set up Flow and ConfirmEdit, with ConfirmEdit configured to use FancyCaptcha (or you can do the "current state" test in production at https://www.mediawiki.org/wiki/Talk:Sandbox). For MediaWiki-Vagrant, you can enable the 'flow' and 'confirmedit' roles (I don't think wikimediaflow is required).
  2. Go to a Flow page logged out.
  3. Post a new topic with any title, and a body containing a URL, e.g. http://example.com .
  4. It will show a CAPTCHA message, with associated JS and CSS. Both are added to the <body> and the CSS does apply. The CAPTCHA also works.

The JS line is:

<script>(window.RLQ=window.RLQ||[]).push(function(){mw.loader.state({"user":"ready"});mw.loader.load(["ext.confirmEdit.fancyCaptcha"]);});</script>

Flow ConfirmEdit FancyCaptcha addurl trigger current.png (451×1 px, 49 KB)

Flow ConfirmEdit FancyCaptcha addurl trigger current DOM.png (343×1 px, 67 KB)

If I just remove the buildCssLinks and getScriptsForBottomQueue calls (leaving only the getForm HTML itself), the JS and CSS don't load and there is a visible difference:

Flow ConfirmEdit FancyCaptcha addurl trigger just remove.png (430×1 px, 48 KB)

Mattflaschen-WMF mentioned this in T141300: Clean up how ConfirmEdit tracks modules associated with CAPTCHA.Jul 25 2016, 8:08 PM
Mattflaschen-WMF created subtask T141300: Clean up how ConfirmEdit tracks modules associated with CAPTCHA.
Krinkle added a comment.Jul 25 2016, 8:12 PM

As shown by @Mattflaschen-WMF, SpamFilter::validate() is used when saving content through the API. E.g. when creating a new topic. This is essentially the same as what EditPage and VisualEditor do when saving an edit.

The underlying ConfirmEdit extension expects access to an OutputPage. It outputs a Form (which takes OutputPage as argument). The form serialises to some amount of HTML, and it also uses OutputPage to load a JavaScript module (otherwise the Refresh button and potentially more wouldn't work).

Current code:

$html = $captcha->getForm( $context->getOutput() );
return $wgOut->buildCssLinks()
	. $wgOut->getScriptsForBottomQueue( true )
	 . $html;

This HTML is transferred as the message of a Status object, and inserted by JavaScript. Example:

"Please confirm you are a human by solving the below captcha:
 <script>(window.RLQ=window.RLQ||[]).push(function(){
  mw.loader.state({"ext.confirmEdit.fancyCaptcha.styles":"ready","mediawiki.legacy.commonPrint":"ready","mediawiki.legacy.shared":"ready","mediawiki.sectionAnchor":"ready","mediawiki.skinning.interface":"ready","skins.vector.styles":"ready","site.styles":"ready","noscript":"ready","user.cssprefs":"ready"});});</script>
<link rel="stylesheet" href="/w/load.php?debug=false&amp;lang=en&amp;modules=ext.confirmEdit.fancyCaptcha.styles%7Cmediawiki.legacy.commonPrint%2Cshared%7Cmediawiki.sectionAnchor%7Cmediawiki.skinning.interface%7Cskins.vector.styles&amp;only=styles&amp;skin=vector"/>
<meta name="ResourceLoaderDynamicStyles" content=""/>
<link rel="stylesheet" href="/w/load.php?debug=false&amp;lang=en&amp;modules=site.styles&amp;only=styles&amp;skin=vector"/>
<script>(window.RLQ=window.RLQ||[]).push(function(){
  mw.loader.state({"user":"ready"});mw.loader.load(["ext.confirmEdit.fancyCaptcha"]);});</script>
<div><label for="wpCaptchaWord">CAPTCHA Security check</label><div class="fancycaptcha-captcha-container"><div class="fancycaptcha-captcha-and-reload"><div class="fancycaptcha-image-container"><img class="fancycaptcha-image" src="/w/index.php?title=Special:Captcha/image&amp;wpCaptchaId=991107306" alt=""/><small class="confirmedit-captcha-reload fancycaptcha-reload">Refresh</small></div></div>
<input name="wpCaptchaWord" class="mw-ui-input" id="wpCaptchaWord" size="12" autocomplete="off" autocorrect="off" autocapitalize="off" tabindex="1" placeholder="Enter the text you see on the image"/><input type="hidden" name="wpCaptchaId" id="wpCaptchaId" value="991107306"/></div></div>
"

OutputPage::buildCssLinks() and getScriptsForBottomQueue() return both too much and too little for this to be reliable. These methods also contain a lot of default stuff for the current Skin and MediaWiki in general which are loaded a second time. Potentially damaging the cascading order or causing unrelated code to execute in an unexpected way. It loads the Vector stylesheet a second time, and produces meta ResourceLoaderDynamicStyles of which there is only supposed to be one on any page.

This presumably causes issues if you are on a page with a different skin (e.g. useskin=monobook) and get another Vector stylesheet.

For VisualEditor, handling was hardcoded in ve.init.mw.ArticleTarget.js. This would probably be a good fit for Flow as well.

Mattflaschen-WMF renamed this task from Figure out Flow's use of OutputPage::buildCssLinks() to Flow: Update to stop using buildCssLinks and for related ConfirmEdit change.Jul 27 2016, 2:28 AM
Mattflaschen-WMF claimed this task.
Mattflaschen-WMF moved this task from Ready for Pickup to In Development on the Collab-Team-Q1-July-Sep-2016 board.Jul 27 2016, 9:33 PM
gerritbot subscribed.Jul 29 2016, 10:18 PM

Change 301897 had a related patch set uploaded (by Mattflaschen):
ConfirmEdit: Stop using buildCssLinks, adapt to ConfirmEdit refactor

https://gerrit.wikimedia.org/r/301897

Mattflaschen-WMF moved this task from In Development to Needs Review on the Collab-Team-Q1-July-Sep-2016 board.Jul 29 2016, 10:18 PM
Mattflaschen-WMF edited projects, added Collaboration-Team-Triage; removed Collab-Team-Q1-July-Sep-2016.Aug 2 2016, 1:53 AM
Mattflaschen-WMF edited projects, added Collab-Team-Q1-July-Sep-2016; removed Collaboration-Team-Triage.
Mattflaschen-WMF removed a project: Collab-Team-Q1-July-Sep-2016.Aug 2 2016, 2:05 AM
Restricted Application added a project: Collaboration-Team-Triage. · View Herald TranscriptAug 2 2016, 2:05 AM
Mattflaschen-WMF edited projects, added Collab-Team-Q1-July-Sep-2016; removed Collaboration-Team-Triage.Aug 2 2016, 2:05 AM
Krinkle awarded a token.Aug 2 2016, 2:57 AM
Mattflaschen-WMF mentioned this in T142067: Reply renders the CAPTCHA error multiple times on no-JS.Aug 4 2016, 1:17 AM
gerritbot added a comment.Aug 4 2016, 2:16 AM

Change 301897 merged by jenkins-bot:
ConfirmEdit: Stop using buildCssLinks, adapt to ConfirmEdit refactor

https://gerrit.wikimedia.org/r/301897

ReleaseTaggerBot added a project: MW-1.28-release (WMF-deploy-2016-08-09_(1.28.0-wmf.14)).Aug 4 2016, 3:00 AM
Mattflaschen-WMF moved this task from Needs Review to QA Review on the Collab-Team-Q1-July-Sep-2016 board.Aug 5 2016, 5:25 PM
jmatazzoni closed subtask T141300: Clean up how ConfirmEdit tracks modules associated with CAPTCHA as Resolved.Aug 8 2016, 7:38 PM
Etonkovidova subscribed.Aug 9 2016, 1:42 AM

Re-check after 1.28.0-wmf.14 deployment.

In 1.28.0-wmf.13 (https://www.mediawiki.org/wiki/Talk:Sandbox), the captcha is not dismissed after 'Cancel' - needs to be rechecked in wmf.14

Screen Shot 2016-08-08 at 12.46.05 PM.png (632×805 px, 93 KB)

Etonkovidova added a comment.Aug 12 2016, 11:32 PM

Re-checked in 1.28.0-wmf.14 (ba1c692)- Flow spam filter warning is displayed. instead of captcha.

spam_filter2.png (614×965 px, 103 KB)

Etonkovidova moved this task from QA Review to Product Review on the Collab-Team-Q1-July-Sep-2016 board.Aug 12 2016, 11:45 PM
Mattflaschen-WMF added a comment.Aug 13 2016, 1:35 AM
In T140472#2549890, @Etonkovidova wrote:

Re-checked in 1.28.0-wmf.14 (ba1c692)- Flow spam filter warning is displayed. instead of captcha.

spam_filter2.png (614×965 px, 103 KB)

For future reference: You have to use a longer message (try making it sound like a real sentence) to bypass that error (unrelated error, from an AbuseFilter anti-spam rule).

jmatazzoni closed this task as Resolved.Aug 19 2016, 12:10 AM
Mattflaschen-WMF mentioned this in T143516: Flow not displaying Captcha of Extension:ConfirmEdit-ReCaptchaNoCaptcha.Aug 22 2016, 1:30 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits