Page MenuHomePhabricator

Content of unaccepted pending revisions show up in RESTBase APIs
Open, Needs TriagePublic


The page preview function shows an unaccepted revision when logged out and viewing pending-protected pages. Very important since some vandalism was briefly visible from the main page due to this bug.

Event Timeline

Username_Needed triaged this task as Unbreak Now! priority.Nov 20 2018, 11:44 AM
Jdlrobson lowered the priority of this task from Unbreak Now! to Needs Triage.Nov 20 2018, 7:19 PM
Jdlrobson added a project: Readers-Web-Backlog.
Jdlrobson added a subscriber: Jdlrobson.

We are going to need a lot more information here to identify the problem here.

In particular:

  • What is the URL you are viewing pending protected changes?
  • What page were you on when you saw this bug?
  • What link were you hovering over?
  • What did you see (screenshot welcomed)

Thanks in advance for your answers.
I've dropped "unbreak now!" as we reserve that for issues that make the site inaccessible/unusable and given the limited information we can't make that call just yet.

Viewing the main page while logged out, on enwiki.
No screenshot since the error was reverted, testing is possible though. Hovering over Connie Talbot, vandalism was a change to the image. The image shown was the changed one, not the last accepted one, which I logged in to confirm. For reference, when I clicked on the article, it showed the unedited image until I logged in. Diff of vandalised revision was 869792136 on mobile. Original was viewed on PC (Windows).

@Username_Needed is this the vandalism you are talking about? (tallest man)?
The summary is generated from the page
The page image is the one that's listed in

FlaggedRevisions doesn't actually lock down a page, so the content is still accessible to our APIs and will propagate to various places (page previews being the most visible), hence why it's showing up in page previews/images. The only way this kind of vandalism can get fixed is through an edit to the page and the only way it can be prevented is through protecting the page. This is a fundamental flaw in how FlaggedRevs is implemented.

I'm not sure what to suggest here, other than a change in FlaggedRevs, but even that's likely to be extremely complicated, but this has little to do with Page previews itself. Alternatively, if FlaggedRevs surfaced some kind of page property the REST apis I've listed above could be updated to check the status of whether a page has been flagged and hide them.

Jdlrobson renamed this task from Page preview shows unaccepted pending revision to Content of unaccepted pending revisions show up in RESTBase APIs.Nov 20 2018, 11:10 PM

It's at least high priority if not higher.

@Username_Needed: Do you plan to work on fixing this issue, as you prioritized this task?

Username_Needed raised the priority of this task from High to Needs Triage.Nov 22 2018, 6:27 PM

No, I don't know MediaWiki and hadn't read that page.

Username_Needed: Do you plan to work on fixing this issue, as you prioritized this task?

He can't, but per T185664 this group may plan it.