
Offer a hook manipulating the need for solving captchas
Open, Medium, Public


Extension:ThrottleOverrides will allow authorized users to set exemptions to throttles, for a given IP range and for a limited time. This is useful especially for editor events, where a lot of new users register (account creation throttle) and edit (edit throttle for non-autoconfirmed users).

It was requested that it should be able to exempt IP ranges not only from throttles, but also from the need to bypass captchas, especially the one that comes up when a non-autoconfirmed user adds external links. Event organizers said it's frustrating for new users to follow the rules (add external proof for statements made inside a WP article) while fighting with an anti-spam measure trying to stop them from adding external links.

In order to implement this feature for ThrottleOverride, ConfirmEdit needs to offer a hook that is run inside the logic deciding whether a user needs to solve a captcha, so that ThrottleOverride can prevent a captcha from being enforced where it normally would have been. As grepping for "Hooks::run" in the ConfirmEdit repo doesn't give any results, it seems ConfirmEdit isn't offering any hooks at all.

This task is finished when such a hook has been implemented into ConfirmEdit. Implementing the feature to use that hook into ThrottleOverride is out of focus for this task and belongs to T174225.
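Added example (not part of the task description and not ConfirmEdit or ThrottleOverride code): a stand-alone PHP sketch of the requested design, where a hook point in the captcha decision defaults to requiring the captcha and a handler grants a skip only for an IP range with an expiry. The class `SkipCaptchaHook`, the function `ipInCidr`, the handler signature and the sample exemption are all hypothetical.

```php
<?php
// Added illustration, not ConfirmEdit or ThrottleOverride code; all names are hypothetical.
/** Stand-in for a hook point inside the "must this user solve a captcha?" decision. */
final class SkipCaptchaHook {
    private static array $handlers = [];
    public static function register(callable $handler): void {
        self::$handlers[] = $handler;
    }
    /** The user is passed explicitly. Default is "captcha required"; only a strict true skips. */
    public static function canSkip(string $userName, string $ip, int $now): bool {
        foreach (self::$handlers as $handler) {
            if ($handler($userName, $ip, $now) === true) {
                return true;
            }
        }
        return false;
    }
}

/** IPv4 CIDR match (64-bit PHP assumed) that fails closed: malformed or IPv6 input never matches. */
function ipInCidr(string $ip, string $cidr): bool {
    [$net, $bits] = explode('/', $cidr, 2) + [1 => '32'];
    $ipLong = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false || !ctype_digit($bits) || (int)$bits > 32) {
        return false;
    }
    $mask = (int)$bits === 0 ? 0 : (~0 << (32 - (int)$bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($netLong & $mask);
}

// Constructed sample exemption: a documentation range with a fixed expiry.
$exemptions = [['range' => '192.0.2.0/24', 'expires' => strtotime('2017-09-25 18:00:00 UTC')]];
SkipCaptchaHook::register(
    static function (string $userName, string $ip, int $now) use ($exemptions): bool {
        foreach ($exemptions as $e) {
            if ($now < $e['expires'] && ipInCidr($ip, $e['range'])) {
                return true;
            }
        }
        return false;
    }
);

$during = strtotime('2017-09-25 12:00:00 UTC');
$after = strtotime('2017-09-26 12:00:00 UTC');
var_dump(SkipCaptchaHook::canSkip('NewEditor', '192.0.2.77', $during));   // in range, not expired
var_dump(SkipCaptchaHook::canSkip('NewEditor', '198.51.100.5', $during)); // outside the range
var_dump(SkipCaptchaHook::canSkip('NewEditor', '192.0.2.77', $after));    // exemption expired
```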

Event Timeline

EddieGP raised the priority of this task from High to Needs Triage. Sep 24 2017, 11:59 PM
EddieGP created this task.

Reset priority, which was inherited from the parent task.

Change 433774 had a related patch set uploaded (by EddieGP; owner: EddieGP):
[mediawiki/extensions/ConfirmEdit@master] Move "can user skip captchas" check to own function

EddieGP triaged this task as Medium priority.

Change 433774 merged by jenkins-bot:
[mediawiki/extensions/ConfirmEdit@master] Move "can user skip captchas" check to own function

Change 434043 had a related patch set uploaded (by EddieGP; owner: EddieGP):
[mediawiki/extensions/ConfirmEdit@master] Add hook CanUserSkipCaptcha

It would be great to do this in a more general way - instead of / alongside skipping, it should be able to change captcha configuration from the hook. See T189546: Add a hook for altering captcha strength in FancyCaptcha. (Of course, there could be two different hooks...)

Where/how does the ConfirmEdit extension currently set how "strong" a captcha should be?

FancyCaptcha is the only captcha implementation which has a concept of strength, but it's used for captcha generation, which is done as a build step. So in practice this would currently mean changing $wgCaptchaDirectory. I guess there is no sane way to expose that in a hook :( So this is moot, at least until T177133: Turn ConfirmEdit captcha implementations into a family of services gets done. Sorry for the noise.

I'm not actively working on this any more, but still willing to rebase and correct the patches in case anyone cares to review them.

FWIW ReCaptcha v3 (T208829: Implement support for new Google ReCaptcha v3) also has a concept of strength, in a somewhat reversed fashion (Google returns a score between 0 and 1 and you can decide what threshold to use to accept users).

rECOE607452ef0568: Add new ConfirmEditTriggersCaptchaHook added a similar hook, but it does not include the user (who I guess is in practice always the context user, but it does not seem healthy to depend on that).