Page MenuHomePhabricator
Create Task
Maniphest T163466

User right missing from AbuseFilter's user_rights variable
Closed, InvalidPublic3 Estimated Story Points
Actions

Description

See https://en.wikipedia.org/wiki/Special:AbuseLog/18317981

According to Special:ListGroupRights bots should have the extendedconfirmed user right, but it does not show up as a value in the AbuseFilter variable user_rights. I do see all the other expected rights, so perhaps there was some config change we overlooked when deploying the new user group (T126607 and maybe T131976)?

Related Objects

Event Timeline

MusikAnimal created this task.Apr 20 2017, 5:07 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 20 2017, 5:07 PM
Samwalton9 updated the task description. (Show Details)Apr 20 2017, 5:50 PM
DMacks added a subscriber: DMacks.Apr 20 2017, 6:15 PM
MusikAnimal added a comment.Apr 20 2017, 6:35 PM

I see that suppressredirect is also missing. That might have been added to the bot user group with T133981. Presumably they are not showing up in AbuseFilter for other user groups with these rights as well.

I suspect the list is hardcoded somewhere and just needs updating, but I couldn't find anything in the AbuseFilter codebase.

MusikAnimal added a project: Anti-Harassment.Apr 20 2017, 11:14 PM
TBolliger added a subscriber: TBolliger.Apr 20 2017, 11:24 PM
TBolliger moved this task from Untriaged to Snackbox on the Anti-Harassment board.Jun 1 2017, 4:56 PM
TBolliger moved this task from Snackbox to AHT Sprint 2 on the Anti-Harassment board.Aug 2 2017, 7:11 PM
TBolliger edited projects, added Anti-Harassment (AHT Sprint 2); removed Anti-Harassment.
TBolliger set the point value for this task to 3.Aug 2 2017, 7:37 PM
Huji added a subscriber: Huji.Aug 2 2017, 10:21 PM

The log is private. Can you add a screenshot?

dbarratt claimed this task.Aug 3 2017, 10:53 PM
dbarratt moved this task from Ready to In progress on the Anti-Harassment (AHT Sprint 2) board.
dbarratt added a comment.Aug 4 2017, 9:15 PM

@MusikAnimal

How do bots authenticate? Do they use Session or is Basic Auth or OAuth (or any of the above)?

dbarratt added a comment.EditedAug 4 2017, 9:23 PM
In T163466#3495322, @Huji wrote:

The log is private. Can you add a screenshot?

I am not sure I can share a screenshot with you without violating this user's privacy. I defer to @TBolliger

MusikAnimal added a comment.Aug 4 2017, 9:46 PM
In T163466#3502362, @dbarratt wrote:

@MusikAnimal

How do bots authenticate? Do they use Session or is Basic Auth or OAuth (or any of the above)?

OAuth or BotPasswords, the former being the preferred route.

In T163466#3502386, @dbarratt wrote:
In T163466#3495322, @Huji wrote:

The log is private. Can you add a screenshot?

I am not sure I can share a screenshot with you without violating this user's privacy. I defer to @TBolliger

It's more the details of the filter itself that are sensitive, but here it's a false-positive of an edit that was successfully saved, so we've nothing to hide :) Basically have a look at HostBot's filter log. They keep getting tripped because extendedconfirmed isn't being returned when checking user_rights.

This also should be in user_groups, by the way. Special:ListGroupRights shows all the user groups and their permissions, if that is of any help.

dbarratt added a comment.Aug 4 2017, 10:08 PM

@MusikAnimal

Is there a list of the extensions that are running on Wikipedia somewhere?

MusikAnimal added a comment.Aug 4 2017, 10:10 PM
In T163466#3502582, @dbarratt wrote:

@MusikAnimal

Is there a list of the extensions that are running on Wikipedia somewhere?

Special:Version :)

Huji added a comment.EditedAug 4 2017, 10:13 PM
In T163466#3502500, @MusikAnimal wrote:

It's more the details of the filter itself that are sensitive, but here it's a false-positive of an edit that was successfully saved, so we've nothing to hide :) Basically have a look at HostBot's filter log. They keep getting tripped because extendedconfirmed isn't being returned when checking user_rights.

This also should be in user_groups, by the way. Special:ListGroupRights shows all the user groups and their permissions, if that is of any help.

But when I look at https://en.wikipedia.org/wiki/Special:AbuseFilter/examine/969832337 I see that extendedconfirmed actually *is* in the user_groups. Are we sure that is the problem?

MusikAnimal added a comment.Aug 4 2017, 10:17 PM
In T163466#3502587, @Huji wrote:

But when I look at https://en.wikipedia.org/wiki/Special:AbuseFilter/examine/969832337 I see that extendedconfirmed actually *is* in the user_groups. Are we sure that is the problem?

I guess not! Here's a screenshot of the above examined edit:

Screen Shot 2017-08-04 at 6.16.02 PM.png (368×778 px, 53 KB)

The user_rights values actually scrolls but I can promise you extendedconfirmed is not in there :)

dbarratt added a comment.Aug 4 2017, 10:31 PM

@MusikAnimal

So do we need to investigate why this wasn't working? Or can we close this issue since it works now?

MusikAnimal closed this task as Invalid.Aug 4 2017, 10:38 PM
In T163466#3502611, @dbarratt wrote:

@MusikAnimal

So do we need to investigate why this wasn't working? Or can we close this issue since it works now?

Yeah I guess we can close! I see now that they last entry in the bot's abuse log was on 19 April. I also see that suppressredirect is also now showing. Perhaps someone beat us to it? Who knows... Anyway thanks for looking into it! :)

dbarratt moved this task from In progress to Done on the Anti-Harassment (AHT Sprint 2) board.Aug 4 2017, 10:39 PM

Of course!

Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL