
Bundle AbuseFilter extension with MediaWiki
Open, Normal, Public

Description

  • Passed security review or already Wikimedia deployed
  • Voting CI structure tests
  • Runs MediaWiki-CodeSniffer
  • Runs phan
  • Supports MySQL, SQLite, and Postgres (if there are schema changes)
  • GPL v2 or later compatible license
  • Extension's default configuration provides optimal experience
  • Tested with web installer

Details

Related Gerrit Patches:
mediawiki/extensions/AbuseFilter : master : Rearrange config to provide better experience
mediawiki/extensions/AbuseFilter : wmf/1.34.0-wmf.17 : Rearrange config to provide better experience
mediawiki/extensions/AbuseFilter : master : Add default rights config


Event Timeline

Restricted Application added a subscriber: Aklapper. Apr 8 2018, 6:25 PM
Tgr added a subscriber: Tgr. Apr 8 2018, 8:56 PM
Legoktm updated the task description. Apr 9 2018, 2:24 AM

Change 424867 had a related patch set uploaded (by Gergő Tisza; owner: Gergő Tisza):
[mediawiki/extensions/AbuseFilter@master] Add default rights config

https://gerrit.wikimedia.org/r/424867

Change 424867 merged by jenkins-bot:
[mediawiki/extensions/AbuseFilter@master] Add default rights config

https://gerrit.wikimedia.org/r/424867

Daimona updated the task description. Apr 24 2018, 4:24 PM
Daimona added a subscriber: Daimona.

SQLite and Postgres support is not full, see subtasks for missing stuff.

Legoktm updated the task description.
Daimona updated the task description. Jul 16 2018, 12:17 PM

I guess "Extension's default configuration provides optimal experience" is satisfied, but is there a specific requirement list for it? Also, same question for "Tested with web installer".

Legoktm added a subscriber: Legoktm. Sep 2 2018, 8:04 PM

> I guess "Extension's default configuration provides optimal experience" is satisfied, but is there a specific requirement list for it?

Just that the majority of wiki sysadmins will not need to change any of the defaults after installing.

> Also, same question for "Tested with web installer".

Run through the web installer, installing MediaWiki+AbuseFilter, and then do a basic test that everything works as expected.

Looking at WMF config, these are my thoughts about default configuration:

  1. Regarding available actions (AbuseFilterActions), I think we should remove blockautopromote (unused), while 'block' can probably be left in place.
  2. We need to decide whether AF major rights (modify, viewprivate, log-detail ...) should be assigned to sysops or to a dedicated group. I think for WMF wikis the preferred option is to give all these rights to sysops only.
  3. We need to decide who to assign basic rights (abusefilter-view, abusefilter-log) to. I think the most used configs are to give them either to everyone ('*') or autoconfirmed.
  4. Profiling should be enabled by default, as soon as https://gerrit.wikimedia.org/r/#/c/201104/ is merged.
  5. Maybe a default should be specified for AbuseFilterNotifications (rc?), while AbuseFilterNotificationsPrivate should probably be left false.

Discussing the points above should be enough to make the default configuration optimal.

Daimona moved this task from Backlog to Future on the User-Daimona board.
Daimona updated the task description. Oct 20 2018, 10:07 AM

Works with web installer. The DB part is dependent on several tasks, so it probably won't be completed too soon. As for the user rights, I'm adding to my comment above the fact that "abusefilter-modify-restricted" has to be assigned by default: the default config has "dangerous" actions enabled and categorized as restricted, but the right is unassigned, so no-one can edit filters with such actions. Giving it to sysop would be the natural solution.
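An added example, not part of the task or of the AbuseFilter code base: a small audit of a wiki's group rights for the two default-configuration problems raised in the comments above, namely "abusefilter-modify-restricted" being held by no group and a major AbuseFilter right being granted to everyone. It assumes the rights are read from the `usergroups` part of a siteinfo API response; the sample data, the `restricted_actions_enabled` flag and the function names are constructed for illustration.

```python
import json

# Constructed sample shaped like the "usergroups" part of a MediaWiki
# action=query&meta=siteinfo&siprop=usergroups response (not real wiki data).
SAMPLE_SITEINFO = json.loads("""
{"query": {"usergroups": [
  {"name": "*", "rights": ["read", "abusefilter-view", "abusefilter-log"]},
  {"name": "user", "rights": ["edit"]},
  {"name": "autoconfirmed", "rights": ["editsemiprotected"]},
  {"name": "sysop", "rights": ["block", "abusefilter-modify",
                               "abusefilter-log-detail",
                               "abusefilter-view-private"]}
]}}
""")

RESTRICTED_RIGHT = "abusefilter-modify-restricted"
# Rights the discussion wants kept to sysops or a dedicated group.
MAJOR_RIGHTS = ("abusefilter-modify", RESTRICTED_RIGHT,
                "abusefilter-view-private", "abusefilter-log-detail")
# Implicit groups that cover anonymous users or every registered user.
BROAD_GROUPS = {"*", "user"}


def groups_by_right(siteinfo):
    """Return {right: set of group names that grant it}."""
    mapping = {}
    for group in siteinfo["query"]["usergroups"]:
        for right in group.get("rights", []):
            mapping.setdefault(right, set()).add(group["name"])
    return mapping


def audit(siteinfo, restricted_actions_enabled=True):
    """List (problem, right, groups) tuples for the two failure modes."""
    holders = groups_by_right(siteinfo)
    findings = []
    # Restricted actions are enabled but nobody may edit filters using them.
    if restricted_actions_enabled and not holders.get(RESTRICTED_RIGHT):
        findings.append(("unassigned", RESTRICTED_RIGHT, []))
    # A major right handed to anonymous or all registered users.
    for right in MAJOR_RIGHTS:
        broad = sorted(holders.get(right, set()) & BROAD_GROUPS)
        if broad:
            findings.append(("too-broad", right, broad))
    return findings


if __name__ == "__main__":
    for problem, right, groups in audit(SAMPLE_SITEINFO):
        print(f"{problem}: {right} {groups}")
```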

Change 468696 had a related patch set uploaded (by Daimona Eaytoy; owner: Daimona Eaytoy):
[mediawiki/extensions/AbuseFilter@master] Rearrange config to provide better experience

https://gerrit.wikimedia.org/r/468696

CCicalese_WMF renamed this task from Bundle AbuseFilter extension with MW 1.32 to Bundle AbuseFilter extension with MediaWiki. Nov 10 2018, 6:49 PM
Daimona moved this task from Future to Under review on the User-Daimona board. Jan 25 2019, 2:39 PM

Change 468696 had a related patch set uploaded (by Daimona Eaytoy; owner: Daimona Eaytoy):
[mediawiki/extensions/AbuseFilter@master] Rearrange config to provide better experience

https://gerrit.wikimedia.org/r/468696

Change 530349 had a related patch set uploaded (by Daimona Eaytoy; owner: Daimona Eaytoy):
[mediawiki/extensions/AbuseFilter@wmf/1.34.0-wmf.17] Rearrange config to provide better experience

https://gerrit.wikimedia.org/r/530349

Change 530349 merged by jenkins-bot:
[mediawiki/extensions/AbuseFilter@wmf/1.34.0-wmf.17] Rearrange config to provide better experience

https://gerrit.wikimedia.org/r/530349

Mentioned in SAL (#wikimedia-operations) [2019-08-15T12:14:47Z] <urbanecm@deploy1001> Synchronized wmf-config/: SWAT: 7e95f6d: Update AbuseFilter config to keep the status quo (T191740, T200032, T226987) (duration: 00m 49s)

Mentioned in SAL (#wikimedia-operations) [2019-08-15T12:16:18Z] <urbanecm@deploy1001> Synchronized php-1.34.0-wmf.17/extensions/AbuseFilter/extension.json: SWAT: e9422c5: Rearrange config to provide better experience (T191740, T200032, T226987) (duration: 00m 47s)

Daimona updated the task description. Aug 15 2019, 12:27 PM

Change 468696 merged by jenkins-bot:
[mediawiki/extensions/AbuseFilter@master] Rearrange config to provide better experience

https://gerrit.wikimedia.org/r/468696

> Works with web installer. The DB part is dependent on several tasks, so it probably won't be completed too soon.

@Daimona, what is the status of the DB work? Will this be ready for 1.34? The release branch is being cut on September 30.

CCicalese_WMF triaged this task as Normal priority. Sep 13 2019, 4:48 PM

@CCicalese_WMF It depends... Right now we only have two known incompatibilities with Postgres.

For the first one (T193068), there's https://gerrit.wikimedia.org/r/#/c/mediawiki/extensions/AbuseFilter/+/503562/. That patch (and its two depends-on) are something that maybe CPT could review?

As for the second (T42757): I had tried to fix it by using string casts. While the incompatibility was fixed, casting a primary key slowed down the affected queries a lot (T221357), hence we had to revert. There's a proper fix at https://gerrit.wikimedia.org/r/#/c/mediawiki/extensions/AbuseFilter/+/459818/ (which would also pay some tech debt), but it requires a schema change, so I don't think that's doable before the branch cut. We could try to get it done before 1.35. It would need some review as well.

> Works with web installer. The DB part is dependent on several tasks, so it probably won't be completed too soon.
>
> @Daimona, what is the status of the DB work? Will this be ready for 1.34? The release branch is being cut on September 30.

Not addressed to me, but I suggest holding off until 1.35. There are a few security tickets that I have permission to view that are still open (and probably some that I cannot see) including T224203 and T223654, as well as (the less urgent) T230320 (which will be more relevant if bundled).

Thank you, @Daimona and @DannyS712! I will bump to 1.35 and have requested CPT review for the patches related to T193068.

CCicalese_WMF added subtasks: Restricted Task, Restricted Task, Restricted Task. Sep 13 2019, 4:58 PM

@CCicalese_WMF Thanks! I'd also appreciate a lot some review for T220791, which is a bit more delicate...

As for the security issues: yes, of course there are others, with varying severities. I don't know how strict the requirements should be for bundling an extension in the tarball, but of the three above I'd say that T230320 is not so urgent. T152394 is IMHO more important (and a bit harder to fix).

I'd also like to fix T213006 first, so that people will start with a sane version. That one is blocked on T34478 and T213478, for which I'd also like some input from CPT. Resolving that task would mean paying a lot of tech debt, a decent cleanup, and the disappearance of several issues like T187731 (security).

As a side note, waiting for 1.35 would also give us time to make some progress on T156095, which is good.

@Daimona would you be willing to add me to T152394 and/or T187731?

> @Daimona would you be willing to add me to T152394 and/or T187731?

Those tasks contain personal info leaks, so I'm unsure about the policy to add people to them (specifically regarding NDA). For me it's fine to add you, but I don't want to do anything wrong. I can definitely say that T187731 is not too bad, and it's not exploitable by normal users.

Daimona added a subtask: Restricted Task. Sep 16 2019, 2:19 PM
Daimona added a subtask: Restricted Task. Sep 18 2019, 12:32 PM
Daimona closed subtask Restricted Task as Resolved. Sep 19 2019, 2:24 PM
Daimona removed a subtask: Restricted Task. Sep 22 2019, 5:25 PM
Krinkle moved this task from Blocker to Bundling on the MW-1.35-release board. Oct 11 2019, 10:45 PM