Page MenuHomePhabricator

User right missing from AbuseFilter's user_rights variable
Closed, InvalidPublic3 Estimated Story Points

Description

See https://en.wikipedia.org/wiki/Special:AbuseLog/18317981

According to Special:ListGroupRights bots should have the extendedconfirmed user right, but it does not show up as a value in the AbuseFilter variable user_rights. I do see all the other expected rights, so perhaps there was some config change we overlooked when deploying the new user group (T126607 and maybe T131976)?

Event Timeline

I see that suppressredirect is also missing. That might have been added to the bot user group with T133981. Presumably they are not showing up in AbuseFilter for other user groups with these rights as well.

I suspect the list is hardcoded somewhere and just needs updating, but I couldn't find anything in the AbuseFilter codebase.

TBolliger set the point value for this task to 3.Aug 2 2017, 7:37 PM

The log is private. Can you add a screenshot?

@MusikAnimal

How do bots authenticate? Do they use Session or is Basic Auth or OAuth (or any of the above)?

The log is private. Can you add a screenshot?

I am not sure I can share a screenshot with you without violating this user's privacy. I defer to @TBolliger

@MusikAnimal

How do bots authenticate? Do they use Session or is Basic Auth or OAuth (or any of the above)?

OAuth or BotPasswords, the former being the preferred route.

The log is private. Can you add a screenshot?

I am not sure I can share a screenshot with you without violating this user's privacy. I defer to @TBolliger

It's more the details of the filter itself that are sensitive, but here it's a false-positive of an edit that was successfully saved, so we've nothing to hide :) Basically have a look at HostBot's filter log. They keep getting tripped because extendedconfirmed isn't being returned when checking user_rights.

This also should be in user_groups, by the way. Special:ListGroupRights shows all the user groups and their permissions, if that is of any help.

@MusikAnimal

Is there a list of the extensions that are running on Wikipedia somewhere?

@MusikAnimal

Is there a list of the extensions that are running on Wikipedia somewhere?

Special:Version :)

It's more the details of the filter itself that are sensitive, but here it's a false-positive of an edit that was successfully saved, so we've nothing to hide :) Basically have a look at HostBot's filter log. They keep getting tripped because extendedconfirmed isn't being returned when checking user_rights.

This also should be in user_groups, by the way. Special:ListGroupRights shows all the user groups and their permissions, if that is of any help.

But when I look at https://en.wikipedia.org/wiki/Special:AbuseFilter/examine/969832337 I see that extendedconfirmed actually *is* in the user_groups. Are we sure that is the problem?

But when I look at https://en.wikipedia.org/wiki/Special:AbuseFilter/examine/969832337 I see that extendedconfirmed actually *is* in the user_groups. Are we sure that is the problem?

I guess not! Here's a screenshot of the above examined edit:

Screen Shot 2017-08-04 at 6.16.02 PM.png (368×778 px, 53 KB)

The user_rights values actually scrolls but I can promise you extendedconfirmed is not in there :)

@MusikAnimal

So do we need to investigate why this wasn't working? Or can we close this issue since it works now?

@MusikAnimal

So do we need to investigate why this wasn't working? Or can we close this issue since it works now?

Yeah I guess we can close! I see now that they last entry in the bot's abuse log was on 19 April. I also see that suppressredirect is also now showing. Perhaps someone beat us to it? Who knows... Anyway thanks for looking into it! :)