Page MenuHomePhabricator
Create Task
Maniphest T222014

Edits using Help pane can bypass sysop-issued blocks
Closed, ResolvedPublic
Actions

Assigned To
kostajh
Authored By
Urbanecm
Apr 27 2019, 10:37 AM
Tags
Referenced Files
F28870890: Screen Shot 2019-04-29 at 4.10.05 PM.png
Apr 30 2019, 4:17 PM
F28869949: image.png
Apr 30 2019, 2:28 PM
F28855574: 0001-QuestionPoster-Check-permissions-and-EditFilterMerge.patch
Apr 29 2019, 7:52 PM
F28854642: 0001-Check-permissions-before-making-edit-via-Question-Po.patch
Apr 29 2019, 4:33 PM
F28854291: 0001-Check-permissions-before-making-edit-via-Question-Po.patch
Apr 29 2019, 2:55 PM
Subscribers
Aklapper
Catrope
Etonkovidova
kostajh
Krenair
MMiller_WMF
SBisson
Urbanecm_WMF

Description

Hi,

I've found edits made using Help pane (and possibly other Growth-made products) can bypass sysop-issued blocks, see https://cs.wikipedia.org/w/index.php?title=Wikipedie:Pot%C5%99ebuji_pomoc&diff=prev&oldid=17175968, made by Daniel Hut. This user was blocked on 16 April 12:33 CEST by sysop OJJ. This question was posted on 26 April, which is _after_ this block was issued.

I don't think users should be able to use this module when blocked. Theoretically, we can amend the block interface to allow sysops to block all edits but questions, or simply ban edits by this interface.

Martin

Details

SubjectRepoBranchLines +/-
QuestionPoster: Check permissions and EditFilterMergedContent hookmediawiki/extensions/GrowthExperimentswmf/1.34.0-wmf.1+106 -1
QuestionPoster: Check permissions and EditFilterMergedContent hookmediawiki/extensions/GrowthExperimentsmaster+105 -1
Customize query in gerrit

Related Objects

Event Timeline

Urbanecm created this task.Apr 27 2019, 10:37 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 27 2019, 10:37 AM
Urbanecm triaged this task as High priority.Apr 27 2019, 10:38 AM

Boldly triaging the task, bypassing blocks is rather urgent issue I think.

Urbanecm renamed this task from Edits using Help pane bypass sysop-issued blocks to Edits using Help pane can bypass sysop-issued blocks.Apr 27 2019, 10:38 AM
SBisson subscribed.Apr 27 2019, 1:15 PM
Krenair set Security to Software security bug.Apr 27 2019, 4:43 PM
Krenair added a project: acl*security.
Krenair changed the visibility from "Public (No Login Required)" to "Custom Policy".
Krenair subscribed.
SBisson added subscribers: kostajh, Catrope.Apr 29 2019, 12:57 PM
kostajh edited projects, added Growth-Team (Sprint 0 (Growth Team)); removed Growth-Team.Apr 29 2019, 1:31 PM
kostajh claimed this task.Apr 29 2019, 1:33 PM
kostajh moved this task from Incoming to In Progress on the Growth-Team (Sprint 0 (Growth Team)) board.
kostajh moved this task from In Progress to Code Review on the Growth-Team (Sprint 0 (Growth Team)) board.Apr 29 2019, 2:55 PM

0001-Check-permissions-before-making-edit-via-Question-Po.patch3 KBDownload

kostajh added a comment.Apr 29 2019, 4:33 PM

0001-Check-permissions-before-making-edit-via-Question-Po.patch2 KBDownload

Krenair added a comment.Apr 29 2019, 4:55 PM

Catching any exception like that and replacing it with a generic permission denied seems like a bad idea.

SBisson added a subscriber: MMiller_WMF.Apr 29 2019, 4:59 PM
Catrope added a comment.Apr 29 2019, 5:06 PM

I wish there was a better way to make an edit on behalf of a user with all the permission checks etc. This checks permissions, but I don't think it would check AbuseFilter for example. The only way that I'm aware of that does everything correctly is making an internal API call to ApiEditPage.

kostajh added a comment.Apr 29 2019, 5:38 PM

Catching any exception like that and replacing it with a generic permission denied seems like a bad idea.

That's fair. It looks like the exception is only thrown for an invalid rigor parameter in getPermissionErrorsInternal so I'm removing that try/catch.

Looking into ApiEditPage now.

kostajh added a comment.Apr 29 2019, 7:52 PM

0001-QuestionPoster-Check-permissions-and-EditFilterMerge.patch4 KBDownload

This version runs EditFilterMergedContent hook; the same awkward implementation pattern from ApiEditPage and SpecialChangeContentModel is used. I've tested this patch with AbuseFilter, site-wide block, and partial block for a specific title.

kostajh mentioned this in rEGREd7f158ce0418: QuestionPoster: Check permissions and EditFilterMergedContent hook.Apr 29 2019, 8:07 PM
Catrope changed the visibility from "Custom Policy" to "Public (No Login Required)".Apr 29 2019, 8:40 PM

Patch was deployed to production at 20:36 UTC; now in Gerrit as https://gerrit.wikimedia.org/r/c/mediawiki/extensions/GrowthExperiments/+/507201

gerritbot added a comment.Apr 29 2019, 8:50 PM

Change 507201 merged by jenkins-bot:
[mediawiki/extensions/GrowthExperiments@master] QuestionPoster: Check permissions and EditFilterMergedContent hook

https://gerrit.wikimedia.org/r/507201

gerritbot added a comment.Apr 29 2019, 8:53 PM

Change 507203 had a related patch set uploaded (by Catrope; owner: Kosta Harlan):
[mediawiki/extensions/GrowthExperiments@wmf/1.34.0-wmf.1] QuestionPoster: Check permissions and EditFilterMergedContent hook

https://gerrit.wikimedia.org/r/507203

gerritbot added a project: Patch-For-Review.Apr 29 2019, 8:53 PM
Catrope mentioned this in rEGRE22c6762150e1: QuestionPoster: Check permissions and EditFilterMergedContent hook.Apr 29 2019, 8:54 PM
ReleaseTaggerBot added a project: MW-1.34-notes (1.34.0-wmf.3; 2019-04-30).Apr 29 2019, 9:01 PM
kostajh moved this task from Code Review to QA on the Growth-Team (Sprint 0 (Growth Team)) board.Apr 30 2019, 12:26 AM
kostajh added a subscriber: Etonkovidova.
gerritbot added a comment.Apr 30 2019, 12:22 PM

Change 507203 merged by jenkins-bot:
[mediawiki/extensions/GrowthExperiments@wmf/1.34.0-wmf.1] QuestionPoster: Check permissions and EditFilterMergedContent hook

https://gerrit.wikimedia.org/r/507203

ReleaseTaggerBot edited projects, added MW-1.34-notes (1.34.0-wmf.1; 2019-04-16); removed MW-1.34-notes (1.34.0-wmf.3; 2019-04-30).Apr 30 2019, 1:00 PM
Urbanecm added a comment.Apr 30 2019, 2:28 PM

Technically, it works. I can't post a question. Do we want users to get such nothing-telling error message?

image.png (408×617 px, 52 KB)

Maybe we should display help pane without "ask a question" capability for blocked users? So they can search help on-wiki, but not edit by asking questions?

kostajh added a comment.Apr 30 2019, 2:30 PM

Right, improved error handling would be nice, but not in scope of yesterday's quick fix. @Urbanecm could you please file a new issue for improved error handling and tag with GrowthExperiments-Help panel ? Thanks!

Etonkovidova added a comment.Apr 30 2019, 4:17 PM

In case when an edit hits Abuse filter there will be the same message as in @Urbanecm comment. For an edit that hit Abuse filter on a normal page, the message is much more specific:

Screen Shot 2019-04-29 at 4.10.05 PM.png (488×781 px, 87 KB)

Urbanecm mentioned this in T222201: Improve error handling and instrumentation logging for blocked users.Apr 30 2019, 4:27 PM
In T222014#5147165, @kostajh wrote:

Right, improved error handling would be nice, but not in scope of yesterday's quick fix. @Urbanecm could you please file a new issue for improved error handling and tag with GrowthExperiments-Help panel ? Thanks!

Certainly, filled as T222201.

Urbanecm added a comment.Apr 30 2019, 4:35 PM
In T222014#5147635, @Etonkovidova wrote:

In case when an edit hits Abuse filter there will be the same message as in @Urbanecm comment. For an edit that hit Abuse filter on a normal page, the message is much more specific:

Screen Shot 2019-04-29 at 4.10.05 PM.png (488×781 px, 87 KB)

Filled that part as T222204. Note the error message is (can be) filter-specific.

Jdforrester-WMF moved this task from Backlog / Other to Other WMF team on the acl*security board.Apr 30 2019, 10:34 PM
Etonkovidova closed this task as Resolved.May 2 2019, 4:52 PM
Etonkovidova moved this task from QA to Needs PM Review on the Growth-Team (Sprint 0 (Growth Team)) board.

Checked for site-wide blocked users and users blocked from specific namespaces (Wikipedia, User talk, Help).

Anomie subscribed.May 24 2019, 2:38 PM
In T222014#5144326, @Catrope wrote:

The only way that I'm aware of that does everything correctly is making an internal API call to ApiEditPage.

Note that making internal calls like that is a "code smell", though. I started trying to abstract the business logic of it from the API "front-end" in gerrit:460436, but priorities and team assignments changed and I haven't had time to work on it for a while.

MMiller_WMF moved this task from Needs PM Review to Epics In Progress on the Growth-Team (Sprint 0 (Growth Team)) board.May 30 2019, 11:10 PM
Catrope added a comment.Jun 5 2019, 12:20 AM
In T222014#5210597, @Anomie wrote:

Note that making internal calls like that is a "code smell", though. I started trying to abstract the business logic of it from the API "front-end" in gerrit:460436, but priorities and team assignments changed and I haven't had time to work on it for a while.

Completely agreed. It'd be great to have something that isn't as code-smelly as doing an internal API call and also doesn't skip half the steps we need, and it looks like your EditController class would be that.

Urbanecm mentioned this in T226527: Help panel: make maximum question length more clear.Jul 3 2019, 11:20 PM
Urbanecm mentioned this in T231734: Add custom policy to access denied message.Sep 2 2019, 1:00 PM
chasemp added a project: Security.Feb 10 2020, 10:54 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:14 PM
Urbanecm mentioned this in T260483: Edits using Help pane can bypass sysop-issued blocks (2).Aug 15 2020, 8:42 PM
sbassett removed a project: Patch-For-Review.Aug 17 2020, 3:27 PM
Urbanecm edited subscribers, added: Urbanecm_WMF; removed: Urbanecm.Aug 26 2020, 2:10 PM
Aklapper removed a subscriber: Anomie.Oct 16 2020, 5:40 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits