
Content of unaccepted pending revisions show up in RESTBase APIs
Open, Needs Triage, Public

Description

The page preview function shows an unaccepted revision when logged out and viewing pending-protected pages. Very important since some vandalism was briefly visible from the main page due to this bug.

Event Timeline

Username_Needed triaged this task as Unbreak Now! priority. Nov 20 2018, 11:44 AM
Jdlrobson lowered the priority of this task from Unbreak Now! to Needs Triage. Nov 20 2018, 7:19 PM
Jdlrobson added a project: Web-Team-Backlog.
Jdlrobson subscribed.

We are going to need a lot more information here to identify the problem here.

In particular:

  • What is the URL you are viewing pending protected changes?
  • What page were you on when you saw this bug?
  • What link were you hovering over?
  • What did you see? (screenshot welcomed)

Thanks in advance for your answers.
I've dropped "unbreak now!" as we reserve that for issues that make the site inaccessible/unusable and given the limited information we can't make that call just yet.

Viewing the main page while logged out, on enwiki.
No screenshot since the error was reverted, testing is possible though. Hovering over Connie Talbot, vandalism was a change to the image. The image shown was the changed one, not the last accepted one, which I logged in to confirm. For reference, when I clicked on the article, it showed the unedited image until I logged in. Diff of vandalised revision was 869792136 on mobile. Original was viewed on PC (Windows).

@Username_Needed is this the vandalism you are talking about? https://en.wikipedia.org/api/rest_v1/page/html/Connie_Talbot/869792136 (tallest man)?
The summary is generated from the page https://en.wikipedia.org/api/rest_v1/page/summary/Connie_Talbot
The page image is the one that's listed in https://en.wikipedia.org/wiki/Connie%20Talbot?action=info

FlaggedRevisions doesn't actually lock down a page, so the content is still accessible to our APIs and will propagate to various places (page previews being the most visible), hence why it's showing up in page previews/images. The only way this kind of vandalism can get fixed is through an edit to the page and the only way it can be prevented is through protecting the page. This is a fundamental flaw in how FlaggedRevs is implemented.

I'm not sure what to suggest here, other than a change in FlaggedRevs, but even that's likely to be extremely complicated, but this has little to do with Page previews itself. Alternatively, if FlaggedRevs surfaced some kind of page property the REST APIs I've listed above could be updated to check the status of whether a page has been flagged and hide them.
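The check suggested in the comment above, sketched as an added example that is not part of this thread and not RESTBase or FlaggedRevs code: given a page record, pick the revision an anonymous reader should be served. The record shape (`lastrevid`, `flagged.stable_revid`, `flagged.pending_since`) is assumed to follow `action=query&prop=info|flagged`; the sample pages, revision ids and function names are constructed for illustration.

```javascript
// Added example: choose which revision a logged-out reader should get.
// Field names are an assumption modelled on action=query&prop=info|flagged.

// Constructed sample records (not real API output; ids are made up).
const SAMPLE_PAGES = [
  // Latest edit is still awaiting review: must not be shown to anonymous users.
  { title: 'Pending_Page', lastrevid: 1005,
    flagged: { stable_revid: 1001, pending_since: '2018-11-20T10:00:00Z' } },
  // Latest edit has been accepted: stable and latest are the same revision.
  { title: 'Reviewed_Page', lastrevid: 2002,
    flagged: { stable_revid: 2002 } },
  // Page is not under review at all: no flagged data is present.
  { title: 'Unprotected_Page', lastrevid: 3003 }
];

// Returns the revision id to serve and whether unreviewed edits are pending.
function revisionForAnonymous(page) {
  const f = page.flagged;
  if (!f || !Number.isInteger(f.stable_revid)) {
    // No review state known for this page: the latest revision is public.
    return { revid: page.lastrevid, pending: false };
  }
  // Either signal alone is enough to treat the latest revision as unreviewed.
  const pending = Boolean(f.pending_since) || f.stable_revid !== page.lastrevid;
  return { revid: pending ? f.stable_revid : page.lastrevid, pending };
}

// Builds a revision-pinned HTML URL in the /page/html/{title}/{revid} form
// quoted earlier in this task, so derived content comes from the served revision.
function htmlUrlForAnonymous(base, page) {
  const { revid } = revisionForAnonymous(page);
  return `${base}/page/html/${encodeURIComponent(page.title)}/${revid}`;
}

for (const p of SAMPLE_PAGES) {
  console.log(p.title, revisionForAnonymous(p),
    htmlUrlForAnonymous('https://en.wikipedia.org/api/rest_v1', p));
}
```

Summaries and page images would have to be derived from the same pinned revision for the check to close the leak described in this task.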

Jdlrobson renamed this task from Page preview shows unaccepted pending revision to Content of unaccepted pending revisions show up in RESTBase APIs. Nov 20 2018, 11:10 PM

It's at least high priority if not higher.

@Username_Needed: Do you plan to work on fixing this issue, as you prioritized this task?

Username_Needed raised the priority of this task from High to Needs Triage. Nov 22 2018, 6:27 PM

No, I don't know MediaWiki and hadn't read that page.

Username_Needed: Do you plan to work on fixing this issue, as you prioritized this task?

He can't, but per T185664 this group may plan it.