Page MenuHomePhabricator
Create Task
Maniphest T203353

Correctly validate action parameters server-side when saving a filter
Closed, ResolvedPublic
Actions

Description

Copying my comment from T203336:

In T203336#4551532, @Daimona wrote:
  1. As specified in the patch commit message, we still need a follow-up to enforce validation on other fields, both client- and server-side. Currently, this includes:
    1. Warning (server-side and client-side): select "Other message" and leave the second field blank. This also produces a PHP notice for undefined offset 0 in ViewEdit (look for $warnMsg = $parameters[0];)
    2. Throttle (client-side): the same as we do server-side in the patch above
    3. Tag (client-side): mostly needs to clearly show that at least one tag is needed. Also, when saving a filter with tag enabled but without touching the tag input field correctly returns an error but an empty tag is added in the field topbar; this shouldn't probably happen, but it's a minor problem.

In short, we need to properly validate (both server- and client-side) action parameters to avoid errors like that. Client-side validation has its own task, T196984.

Details

SubjectRepoBranchLines +/-
Overhaul tag selectormediawiki/extensions/AbuseFiltermaster+30 -0
Reject empty warning and disallow messages when validating a filtermediawiki/extensions/AbuseFiltermaster+51 -0
Customize query in gerrit

Related Objects

Event Timeline

Daimona created this task.Sep 2 2018, 12:35 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 2 2018, 12:35 PM
gerritbot subscribed.Sep 3 2018, 9:28 AM

Change 457394 had a related patch set uploaded (by Daimona Eaytoy; owner: Daimona Eaytoy):
[mediawiki/extensions/AbuseFilter@master] Reject empty warning messages when validating a filter

https://gerrit.wikimedia.org/r/457394

gerritbot added a project: Patch-For-Review.Sep 3 2018, 9:28 AM
Daimona claimed this task.Sep 3 2018, 9:33 AM

The "warning" part is the only one to do in this task. However, as I was saying in the commit message, this opens a new follow-up: currently, when executing the "warn" action, we check if the specified message is a string with length > 0. If it isn't, then the "abusefilter-warning" is used. The patch above prevents empty messages, so as soon as every invalid filter will be modified adding a message, above check won't be necessary. This means that, as for T203359, the code could be simplified, but it can't be done right now. Again, should we add a wfDeprecated for those cases?

gerritbot added a comment.Sep 3 2018, 12:05 PM

Change 457424 had a related patch set uploaded (by Daimona Eaytoy; owner: Daimona Eaytoy):
[mediawiki/extensions/AbuseFilter@master] Overhaul tag selector

https://gerrit.wikimedia.org/r/457424

Daimona mentioned this in T203584: Throttle groups may be empty or include unknown stuff.Sep 5 2018, 5:09 PM
gerritbot added a comment.Jan 31 2019, 9:28 PM

Change 457394 merged by jenkins-bot:
[mediawiki/extensions/AbuseFilter@master] Reject empty warning and disallow messages when validating a filter

https://gerrit.wikimedia.org/r/457394

ReleaseTaggerBot added a project: MW-1.33-notes (1.33.0-wmf.16; 2019-02-05).Jan 31 2019, 10:00 PM
gerritbot added a comment.Apr 6 2019, 12:35 PM

Change 457424 merged by jenkins-bot:
[mediawiki/extensions/AbuseFilter@master] Overhaul tag selector

https://gerrit.wikimedia.org/r/457424

Daimona closed this task as Resolved.Apr 6 2019, 12:36 PM
Daimona removed a project: Patch-For-Review.
ReleaseTaggerBot edited projects, added MW-1.33-notes (1.33.0-wmf.25; 2019-04-09); removed MW-1.33-notes (1.33.0-wmf.16; 2019-02-05).Apr 6 2019, 1:01 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits