
BotPasswords right selection form shows plain-text html
Closed, Resolved · Public

Description

How to reproduce:

  • Go to [[Special:BotPasswords]]
  • Fill the requested login-confirmation form
  • Create a new pass or edit an existing one

Actual result
The checkbox legends are shown as plain-text HTML, aka <a href="/wiki/Special:ListGrants#basic" title="Special:ListGrants">Basic rights</a>

Expected result
Links should be formatted using HTML; here this one should have the "Basic rights" label

aka. botpassword form is broken :)
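The symptom in this report is a label that is already HTML (the grant link) being escaped a second time by the widget, so the user sees the literal tags. The following is an added illustration, not MediaWiki's HTMLCheckMatrix or CheckMatrixWidget code: a toy `renderLabel` that escapes plain-text labels but inserts labels flagged as HTML as-is, next to the text-only rendering that produces the reported output. The label objects, the `html`/`text` flag convention and the untrusted sample text are all constructed for the example.

```javascript
// Added illustrative example (not MediaWiki's code): why a label that is already
// HTML shows up as literal text when the rendering layer escapes it again, and
// how an explicit "this label is HTML" flag fixes that while still escaping
// plain-text labels.

const ENTITY_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };

// Minimal HTML escaping for text placed into element content or attributes.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENTITY_MAP[ch]);
}

// Model of a check-matrix row/column label (constructed convention):
// `label.html` carries markup the caller already built and escaped;
// `label.text` carries plain text that must never be interpreted as markup.
function renderLabel(label) {
  if (label.html !== undefined) {
    return label.html;           // trusted markup: insert unchanged
  }
  return escapeHtml(label.text); // plain text: always escaped
}

// The buggy behaviour from the report: every label is treated as text, so
// markup supplied as HTML is escaped and the tags become visible.
function renderLabelTextOnly(label) {
  return escapeHtml(label.html !== undefined ? label.html : label.text);
}

// Constructed sample labels. The first mirrors the grant link from the report;
// the second is plain text containing characters that must stay inert.
const BASIC_RIGHTS = {
  html: '<a href="/wiki/Special:ListGrants#basic" title="Special:ListGrants">Basic rights</a>',
};
const PLAIN_TEXT = { text: '<b>Rights</b> & more' };

// Render both samples through the buggy and the fixed path.
function demo() {
  return {
    buggy: renderLabelTextOnly(BASIC_RIGHTS), // tags visible to the user
    fixed: renderLabel(BASIC_RIGHTS),         // rendered as a link
    plain: renderLabel(PLAIN_TEXT),           // still escaped after the fix
  };
}
```

The design point for a defender is that once labels are treated as HTML, the responsibility for escaping moves to whoever builds the label: text labels still go through `escapeHtml`, and only markup the caller has already made safe is passed via the `html` field.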

Event Timeline

Framawiki created this task.

[offtopic] How many minutes does MediaWiki let you see that page without having to fully reauthenticate again and again (password + TOTP)?

Change 457542 had a related patch set uploaded (by Bartosz Dziewoński; owner: Bartosz Dziewoński):
[mediawiki/core@master] HTMLCheckMatrix: Treat row/column labels as HTML in OOUI mode

https://gerrit.wikimedia.org/r/457542

Change 457542 merged by jenkins-bot:
[mediawiki/core@master] HTMLCheckMatrix: Treat row/column labels as HTML in OOUI mode

https://gerrit.wikimedia.org/r/457542

Change 460398 had a related patch set uploaded (by Krinkle; owner: Bartosz Dziewoński):
[mediawiki/core@wmf/1.32.0-wmf.20] HTMLCheckMatrix: Treat row/column labels as HTML in OOUI mode

https://gerrit.wikimedia.org/r/460398

Change 460398 merged by jenkins-bot:
[mediawiki/core@wmf/1.32.0-wmf.20] HTMLCheckMatrix: Treat row/column labels as HTML in OOUI mode

https://gerrit.wikimedia.org/r/460398

Mentioned in SAL (#wikimedia-operations) [2018-09-13T17:40:05Z] <krinkle@deploy1001> Synchronized php-1.32.0-wmf.20/includes/htmlform/fields/HTMLCheckMatrix.php: I1f92479bf1, T203325 (duration: 00m 51s)

Mentioned in SAL (#wikimedia-operations) [2018-09-13T17:41:16Z] <krinkle@deploy1001> Synchronized php-1.32.0-wmf.20/includes/widget/CheckMatrixWidget.php: I1f92479bf1, T203325 (duration: 00m 49s)

Mentioned in SAL (#wikimedia-operations) [2018-09-13T17:42:18Z] <krinkle@deploy1001> Synchronized php-1.32.0-wmf.20/resources/src/mediawiki.widgets/mw.widgets.CheckMatrixWidget.js: I1f92479bf1, T203325 (duration: 00m 50s)

> [offtopic] How many minutes does MediaWiki let you see that page without having to fully reauthenticate again and again (password + TOTP)?

$wgReauthenticateTime['BotPasswords'] seconds (or failing that $wgReauthenticateTime['default']). On Wikimedia servers that's 5 minutes.

> > [offtopic] How many minutes does MediaWiki let you see that page without having to fully reauthenticate again and again (password + TOTP)?
>
> $wgReauthenticateTime['BotPasswords'] seconds (or failing that $wgReauthenticateTime['default']). On Wikimedia servers that's 5 minutes.

I don't know what heuristics or algorithms led to this number. But as a user, I've found it quite a negative experience to have to re-authenticate many times while performing a single task using BotPasswords. For example, I'm tweaking the grants and using the tokens with a bot process that is under active development, and every time after running the tests and trying something out, getting back, I have to pull out my phone again because it expired already.

Perhaps a value closer to 30 minutes would still be sufficient in addressing the concerns behind it? It might also be useful to inform the user about this ticking clock with a message on top of the page in question. For example, if I had known this limitation, I might've remembered to reload the page a few times for no reason to keep the timer (assuming it resets if the user interacts with the page before it expired, I don't know if that's the case).

But it seems like there should be "a way" for the user to interact with BotPasswords for longer than 5 minutes without re-authenticating. Either by letting them know what they need to do to keep the session active, or by asking them to do something (e.g. an alert after 4 minutes like some bank sites do), or by making the time longer (e.g. closer to 30 minutes). Is there a task about this?

Reauthentication time is since last authentication, other activity has no effect. I don't think much thought was given to the exact value of the default (and at the time it only applied to less common stuff like email or password change).

The only related task AFAIK is T197153: Make some providers optional for reauthentication (about not asking 2FA again). There's also T197160: All security-sensitive MediaWiki functionality should require elevated security (which would make this problem more common).
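Two points in this thread describe how the reauthentication window behaves: the per-action lookup with a 'default' fallback, and the fact that the window counts from the last full authentication, so viewing or using the page does not extend it. The following is an added simulation, not MediaWiki's session code: it walks a constructed timeline of 'auth' and 'view' events and reports, for each view, whether a fresh login would be required and how many seconds remained (the quantity a "ticking clock" notice could show). The config shape mirrors the `$wgReauthenticateTime` keys named above; the event timeline, the `simulateSession` function and the "expired once the full window has elapsed" boundary are assumptions made for the example.

```javascript
// Added example (not MediaWiki's code): per-action reauthentication window with
// a 'default' fallback, and why page activity does not keep the window alive.
// Key names mirror $wgReauthenticateTime from the thread; values are constructed
// (300 s = the 5 minutes stated for Wikimedia servers).

const REAUTHENTICATE_TIME = {
  default: 300,      // seconds, used for any action without its own entry
  BotPasswords: 300, // explicit per-action entry
};

// Look up the window for an action, falling back to 'default' when the
// action has no entry of its own.
function reauthWindowSeconds(action, config = REAUTHENTICATE_TIME) {
  if (Object.prototype.hasOwnProperty.call(config, action)) {
    return config[action];
  }
  return config.default;
}

// Walk a timeline of events (times in seconds) for one session.
// 'auth' events record a full login; 'view' events ask whether the page may
// still be shown. Only 'auth' updates lastAuth, so a view can never extend
// the window. A view is treated as expired once the full window has elapsed
// (boundary convention assumed for this example).
function simulateSession(action, events, config = REAUTHENTICATE_TIME) {
  const windowSeconds = reauthWindowSeconds(action, config);
  let lastAuth = -Infinity;
  const results = [];
  for (const ev of events) {
    if (ev.type === 'auth') {
      lastAuth = ev.t;
      continue;
    }
    const remaining = windowSeconds - (ev.t - lastAuth);
    results.push({
      t: ev.t,
      reauth: remaining <= 0,
      remaining: Math.max(remaining, 0), // what a countdown notice would display
    });
  }
  return results;
}

// Constructed timeline: log in, work for a while, come back after the window.
const SAMPLE_EVENTS = [
  { t: 0, type: 'auth' },
  { t: 120, type: 'view' }, // 2 min after login: allowed, 180 s left
  { t: 240, type: 'view' }, // 4 min: still allowed, 60 s left (a natural warning point)
  { t: 360, type: 'view' }, // 6 min: expired, even though the page was viewed at 240 s
  { t: 361, type: 'auth' }, // full re-login (password + TOTP)
  { t: 400, type: 'view' }, // 39 s after re-login: allowed again
];

function demo() {
  return simulateSession('BotPasswords', SAMPLE_EVENTS);
}
```

Raising `BotPasswords` in the config (for instance to 1800 for the 30 minutes suggested above) changes only that action's window; actions without an entry keep using `default`, which is the trade-off a site administrator is actually choosing when tuning this value.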