Page MenuHomePhabricator
Create Task
Maniphest T151116

After passing the CAPTCHA page after warning, user is sent back to the Abuse Filter warning page
Closed, ResolvedPublic
Actions

Description

If a user tries to make an edit which is caught by an abuse filter, and the user also needs to fill out a Captcha, they are continually bounced between the captcha and the warning. This is probably (tests to come) causing some 'warn' filters to effectively act as 'disallow' filters.

Related Objects

Event Timeline

Samwalton9-WMF created this task.Nov 19 2016, 4:10 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 19 2016, 4:10 PM
Xaosflux subscribed.Nov 19 2016, 4:27 PM
TheresNoTime subscribed.Nov 19 2016, 4:38 PM
Samwalton9-WMF added a comment.Nov 19 2016, 5:20 PM

Ok so I did some testing. Expected behaviour is that the user only needs to enter the captcha once and acknowledge the warning once.

What actually happens is the user is asked to enter a captcha, enters it correctly and clicks save, gets the warning with no captcha present, then is asked to enter a 2nd captcha, and then clicking save will save the edit.

Samwalton9-WMF renamed this task from Abuse filters set to warn users can't be made at all if a captcha is required to Abuse filters set to warn users require two captchas.Nov 19 2016, 5:20 PM
Daimona moved this task from Backlog to Internal bugs on the AbuseFilter board.Apr 3 2018, 12:14 PM
Pginer-WMF mentioned this in T193114: CX2: Add ConfirmEdit to the test environment.May 2 2018, 10:17 AM
Pginer-WMF mentioned this in T193619: CX2: Avoid captcha to fail due to interferences from abuse filters.May 2 2018, 10:55 AM
KartikMistry added a project: MediaWiki-Platform-Team-Archived.May 10 2018, 8:09 AM
KartikMistry added a subscriber: Etonkovidova.
KartikMistry subscribed.

@Etonkovidova Can you please check this bug also affecting VisualEditor along with CX?

Etonkovidova added a comment.May 10 2018, 8:56 PM

Checking in betalabs - @Samwalton9 described the current behavior correctly:

[...] the user is asked to enter a captcha, enters it correctly and clicks save, gets the warning with no captcha present, then is asked to enter a 2nd captcha, and then clicking save will save the edit.

The steps in betalabs may be as following:

  • a new user (belonging to Users group only), logs in and makes an action that triggers one of the Abuse filters - e.g. blank the page
  • on the blanked page a user enters an external link to trigger Captcha.
  • Click 'Publish' - when the captcha will be present, enter it and click 'Publish' again
  • Another captcha will be present (no warning if you entered the previous captcha incorrectly). After entering the captcha second time, the edits are saved and AbuseLog will correctly record that the edit triggered one of the Abuse filters.

Specific to CX
@KartikMistry
(1) it seems that I cannot pass the captcha in CX (cx2-testing) with Abuse filter #1 (Youtube links) - which has 'Disallow' action . Attempting to publish a translated article with the text "trigger Abuse filter www.youtube.com", will make the captcha appear again and again. 'Disallow' warning never appears.

(2) Publishing an article that has only warning action Abuse filter #12 (Word filter with the text "Hello World,") is possible with two captchas appear as it described in the ticket and my steps above.

(3) Abuse Log records too many entries for hitting Abuse filter ( e.g. Special:AbuseLog for User: ET1) - something that's probably worth investigating.

(4) It'd be great to have the exact specs on how the Abuse filters warnings should work in CX (is there a phab task already?) and to address the long-standing issue of two captchas.

CCicalese_WMF added a project: ConfirmEdit (CAPTCHA extension).May 15 2018, 1:56 AM
CCicalese_WMF moved this task from Inbox to Backlog on the MediaWiki-Platform-Team-Archived board.
Nemo_bis subscribed.EditedMay 18 2018, 11:43 PM

This was previously reported as T22661, and later as T179789.

Nemo_bis renamed this task from Abuse filters set to warn users require two captchas to After passing the CAPTCHA page after warning, user is sent back to the Abuse Filter warning page.May 18 2018, 11:43 PM
Nemo_bis triaged this task as Medium priority.
Nemo_bis merged a task: T179789: After passing the CAPTCHA page after warning, user is sent back to the Abuse Filter warning page.
Nemo_bis mentioned this in T22661: Conflict between the Abuse Filter and the Captcha.
Nemo_bis added a subscriber: OdMishehu.
CCicalese_WMF edited projects, added Core-Platform-Team-Old; removed MediaWiki-Platform-Team-Archived.Jul 12 2018, 12:51 AM
CCicalese_WMF moved this task from Inbox to Backlog on the Core-Platform-Team-Old board.Jul 12 2018, 12:58 AM
CCicalese_WMF added a project: Platform Team Legacy (Later).Oct 1 2018, 11:35 PM
CCicalese_WMF edited projects, added Core Platform Team Goals (MCR: Uncategorized); removed Core-Platform-Team-Old.Oct 2 2018, 12:31 AM
CCicalese_WMF edited projects, added Platform Engineering; removed Core Platform Team Goals (MCR: Uncategorized).Oct 2 2018, 2:34 AM
CCicalese_WMF moved this task from Inbox to Triage Meeting Inbox on the Platform Engineering board.Oct 2 2018, 2:39 AM
CCicalese_WMF moved this task from Triage Meeting Inbox to Needs Cleaning - Security, stability, performance, and scalability (TEC1) on the Platform Engineering board.Oct 3 2018, 3:52 PM
CCicalese_WMF edited projects, added Platform Engineering (Needs Cleaning - Security, stability, performance, and scalability (TEC1)); removed Platform Engineering.
WDoranWMF moved this task from Later to Mop Column on the Platform Team Legacy board.Jul 5 2019, 3:45 PM
WDoranWMF removed a project: Platform Team Legacy (Later).
CCicalese_WMF edited projects, added Contributors-Team, Platform Engineering; removed Platform Engineering (Needs Cleaning - Security, stability, performance, and scalability (TEC1)).Nov 6 2019, 7:31 PM
CCicalese_WMF subscribed.

Marking as "watching" since this does not appear to require work by Platform Engineering . Rather it is interaction between AbuseFilter and ConfirmEdit (CAPTCHA extension).

CCicalese_WMF moved this task from Inbox to Tracking/Watching on the Platform Engineering board.Nov 6 2019, 7:32 PM
suffusion_of_yellow mentioned this in T20110: Define AbuseFilter consequence to display a CAPTCHA.May 14 2024, 7:15 PM
kostajh subscribed.May 14 2024, 7:52 PM
suffusion_of_yellow subscribed.May 15 2024, 10:21 PM

What actually happens is the user is asked to enter a captcha, enters it correctly and clicks save, gets the warning with no captcha present, then is asked to enter a 2nd captcha, and then clicking save will save the edit.

Only if ConfirmEdit is loaded before AbuseFilter (as is done on WMF wikis). I tried reversing the order on a local wiki, and could reproduce the original problem described here: At least in the 2010 editor, I was just bounced back and forth with no way to save the edit.

Johannnes89 subscribed.Aug 16 2024, 1:19 PM
kostajh edited projects, added Trust and Safety Product Sprint (Sprint Theremin (Aug 26 - Sept. 6)); removed Platform Engineering, Contributors-Team.Sep 13 2024, 10:54 AM

I think this is no longer an issue, but moving to TSP's QA to confirm.

kostajh moved this task from Priority Backlog to Needs QA on the Trust and Safety Product Sprint (Sprint Theremin (Aug 26 - Sept. 6)) board.Sep 13 2024, 10:54 AM
kostajh edited projects, added Trust and Safety Product Sprint (Sprint Beatboxing (Sept 16-27)); removed Trust and Safety Product Sprint (Sprint Theremin (Aug 26 - Sept. 6)).Sep 16 2024, 10:17 AM
kostajh moved this task from Priority Backlog to Needs QA on the Trust and Safety Product Sprint (Sprint Beatboxing (Sept 16-27)) board.Sep 16 2024, 10:21 AM
dom_walden subscribed.Oct 2 2024, 2:20 PM

I have been banging my head against this for a while. All I can say for now is that there are circumstances where this bug can be reproduced (or something like it).

For example, if you trigger a filter which has both the captcha and warning consequences you will bounce between the warning page and the captcha page. Note that if ConfirmEdit is enabled, this won't happen, however you will have to enter the captcha twice (once when first submitting the edit, once after seeing the warning).

Perhaps not strictly part of this task, but I can reproduce an endless loop of warnings as well. Make an edit which triggers one filter with a warning. Then modify your edit to trigger a second filter which also shows a warning. You are bounced back and forth between the two warnings.

The number of different factors that affect the behaviour here is too many to test effectively:

  • Abuse Filters can have any combination of 7 consequences (127 combinations in total) (8 if you include degroup which I see in the code but it isn't on my wiki)
  • Need to test global filters as well as local?
  • Multiple filters can be triggered at once
  • Different filters can be triggered in a chain (like the warning bug described above)
  • We need to test with and without ConfirmEdit enabled? If T151116#9802313 is true, I will cry (I could not reproduce thankfully, but I didn't test for very long).
  • Test all the above but this time getting the captcha wrong
  • Do we need to test each editor (I know that the API and 2010 Wikitech editors behave differently)?

AbuseFilter doesn't have anything like an API or CLI which could help test these combinations. I tried doing it via unit testing but I could not get captchas to work. Even if I did, that doesn't test that the editors are handling what the get from AbuseFilter correctly. I had to do so first via the API and then (when I realised that behaves differently to the wikitext editor) by POST HTTP requests and parsing the response. This has left me with a huge amount of data which I am unsure how to analyse.

Also, triggering a filter with both the blockautopromote and disallow consequences will not trigger the disallow and will instead allow the user to successfully edit. I don't know if this is a known bug.

Dreamy_Jazz moved this task from Sprint Beatboxing (Sept 16-27) to Sprint Cello (Oct 7 - 18) on the Trust and Safety Product Sprint board.Oct 8 2024, 10:14 AM
Dreamy_Jazz edited projects, added Trust and Safety Product Sprint (Sprint Cello (Oct 7 - 18)); removed Trust and Safety Product Sprint (Sprint Beatboxing (Sept 16-27)).
Dreamy_Jazz moved this task from Priority Backlog to Needs QA on the Trust and Safety Product Sprint (Sprint Cello (Oct 7 - 18)) board.
dom_walden mentioned this in T371798: Add preference to enable viewing `user_unnamed_ip` IPs.Oct 15 2024, 12:54 PM
dom_walden moved this task from Needs QA to Done on the Trust and Safety Product Sprint (Sprint Cello (Oct 7 - 18)) board.Oct 18 2024, 2:22 PM
In T151116#10196141, @dom_walden wrote:

...by POST HTTP requests and parsing the response. This has left me with a huge amount of data which I am unsure how to analyse.

I have worked more on this and I think I have a reasonable solution. What I say above still applies and I would approach these results with some skepticism.

I tested randomly triggering multiple different filters in a chain while editing and recording the response. I then checked that I was getting the appropriate response depending on which filters I triggered when submitting the editing form.

I tested local and global filters. I also tested with ConfirmEdit enabled. I only tested editing.

As well as I what I mention above (which I repeat below for clarity) I found a few issues but nothing major.

If I trigger a filter with both disallow and warn consequences I will be bounced back and forth between the disallow and the warn error message. This might be bad user experience but at least they should be prevented from performing the action in this circumstance.

If I trigger a captcha for one filter and, on resubmitting the form, I enter the correct captcha but trigger a different filter with a captcha consequence, the edit will go through (unless it also has a block or disallow consequence). Should I instead be taken back to the edit form to fill out a second captcha?

In T151116#10196141, @dom_walden wrote:

For example, if you trigger a filter which has both the captcha and warning consequences you will bounce between the warning page and the captcha page. Note that if ConfirmEdit is enabled, this won't happen, however you will have to enter the captcha twice (once when first submitting the edit, once after seeing the warning).

Perhaps not strictly part of this task, but I can reproduce an endless loop of warnings as well. Make an edit which triggers one filter with a warning. Then modify your edit to trigger a second filter which also shows a warning. You are bounced back and forth between the two warnings.

I also raised T377579.

Reedy moved this task from Backlog to Bugs on the ConfirmEdit (CAPTCHA extension) board.Oct 24 2024, 1:26 AM
kostajh closed this task as Resolved.Oct 28 2024, 11:17 AM
kostajh claimed this task.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits