If Flow is replacing an existing page, Special:EnableFlow does not attribute the creation
Closed, ResolvedPublic

Description

If you create a Flow board at an unused location, Special:EnableFlow attributes it as you'd expect (the board is created by creating a description, that description is attributed to the real user).

However, if you create it where a page already exists:

  1. The page is archived.
  2. It is converted from the archived location to the Flow board (using the Converter infrastructure).
  3. It is attributed to 'Flow talk page manager'.

It should be possible to attribute it to the real user. The only groups FTPM has are 'bot' (not really relevant, since this doesn't need to be marked as a bot edit) and 'flow-bot) (which by default only has 'flow-create-board'). To use Special:EnableFlow, you need to have 'flow-create-board' anyway, so it should work out.

This will require refactoring Converter somewhat.

People have been intentionally exploiting this in production, including on high-impact pages.

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 22 2016, 9:39 PM
Restricted Application added a project: Collaboration-Team-Triage. · View Herald TranscriptSep 22 2016, 9:40 PM

Mattflaschen-WMF triaged this task as High priority.

The patch is ready. To test, you can create a normal wikitext talk page, then use Special:EnableFlow to convert it. Both the Flow history and the wikitext history will show the actual initiating user.

Looks good to me. One thing worth testing is if the opt-in beta feature still works for users who don't have move rights.

Looks good to me. One thing worth testing is if the opt-in beta feature still works for users who don't have move rights.

Confirmed that it does.

Sorry, there's a minor typo in that patch. PHPLint caught it earlier, and I test the script after I fixed it, but I forgot to commit the fix. Added _v2 to clarify.

Verified in production.

Are we still posting Flow security patches to Gerrit immediately after deploying?

Catrope added a subscriber: demon.Sep 23 2016, 11:07 PM

Are we still posting Flow security patches to Gerrit immediately after deploying?

Not sure if we post immediately or coordinate with security releases. @demon ?

demon added a comment.Oct 25 2016, 5:48 PM

Are we still posting Flow security patches to Gerrit immediately after deploying?

Not sure if we post immediately or coordinate with security releases. @demon ?

Non-bundled extensions can be announced and released immediately. Go ahead. (sorry I missed this update)

demon changed the visibility from "Custom Policy" to "Public (No Login Required)".Jan 20 2017, 10:41 PM
demon closed this task as Resolved.

Change 333301 merged by jenkins-bot:
SECURITY: Attribute Special:EnableFlow to initiating user

https://gerrit.wikimedia.org/r/333301

Change 334744 had a related patch set uploaded (by Mattflaschen):
SECURITY: Attribute Special:EnableFlow to initiating user

https://gerrit.wikimedia.org/r/334744

Change 334747 had a related patch set uploaded (by Mattflaschen):
SECURITY: Attribute Special:EnableFlow to initiating user

https://gerrit.wikimedia.org/r/334747

Change 334748 had a related patch set uploaded (by Mattflaschen):
SECURITY: Attribute Special:EnableFlow to initiating user

https://gerrit.wikimedia.org/r/334748

Change 334744 merged by jenkins-bot:
SECURITY: Attribute Special:EnableFlow to initiating user

https://gerrit.wikimedia.org/r/334744

Change 334748 merged by jenkins-bot:
SECURITY: Attribute Special:EnableFlow to initiating user

https://gerrit.wikimedia.org/r/334748

Change 334747 merged by Mattflaschen:
SECURITY: Attribute Special:EnableFlow to initiating user

https://gerrit.wikimedia.org/r/334747