Page MenuHomePhabricator
Create Task
Maniphest T232620

Trying to create entities via wbeditentity when blocked should not assign a fresh entity ID
Closed, ResolvedPublic
Actions

Description

As an admin I want to be able to block users and not have them be able to assign new entity ids in order to avoid large gaps in entity id assignments

Problem: When a user is blocked, using wbeditentity in an attempt to create a new item / property will still end up with that item / property ID being assigned by Wikibase (though it is never used)

Screenshot & Example:

image.png (149×1 px, 33 KB)

In the screenshot (from test.wikidata.org) when testing the green line is where the issue occurs:

  • Item ending in 29 was created by Addshore
  • Lydia was blocked
  • Lydia tried creating an item using wbedtientity API
  • Lydia was unblocked
  • Lydia tried creating another item (succeeded ending in 31)
  • the item ending in 30 was skipped.

The API call used to attempt the creation was:

https://test.wikidata.org/wiki/Special:ApiSandbox#action=wbeditentity&format=json&new=item&data=%7B%7D

BDD
GIVEN a user is blocked
WHEN that user tries to create an entity via wbeditentity
THEN no entity ID should be assigned

Acceptance criteria:

  • When a user tries to create a new entity via wbeditentity (item or property) and they are blocked, then a new ID should not be assigned.

Original report

When somebody is blocked and they try to create a new item, save is not possible but wb_id_counters table is updated, therefore a Qid is lost permanently. This may be an abuse potential (creating higher database load) for malicious users with no way either to detect or to stop on wiki. Ideally no Qid should be assigned if the save is not possible (also when label/description conflict, invalid entity data, etc).

Details

SubjectRepoBranchLines +/-
Don't allocate entity ids for users that can't editmediawiki/extensions/WikibaseREL1_35+50 -7
Don't allocate entity ids for users that can't editmediawiki/extensions/Wikibasemaster+50 -7
Customize query in gerrit

Related Objects

Event Timeline

Bugreporter created this task.Sep 11 2019, 2:40 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 11 2019, 2:40 PM
Bugreporter updated the task description. (Show Details)Sep 11 2019, 2:41 PM
Bugreporter merged a task: T44362: skipped item IDs.Dec 3 2019, 5:03 PM
Bugreporter added subscribers: Lydia_Pintscher, StudiesWorld, ChongDae and 8 others.
Lea_Lacroix_WMDE subscribed.Sep 10 2020, 1:21 PM
Epidosis subscribed.EditedSep 12 2020, 12:44 PM

The problem seems to be worse in recent weeks: see https://www.wikidata.org/wiki/Wikidata:Project_chat#Missing_increments_for_new_creates_Items +https://www.wikidata.org/wiki/Wikidata:Contact_the_development_team#Missing_QIDs + https://www.wikidata.org/wiki/Wikidata:Contact_the_development_team#phab:T232620.

M2k_dewiki subscribed.Sep 12 2020, 1:37 PM

A cause for this problem might be, that in the last few days some indexes are updated not immediately, but with a delay of some days.

For example the result of this

https://petscan.wmflabs.org/?language=de&project=wikipedia&categories=Wikipedia:Artikel%20ohne%20Wikidata-Datenobjekt%0D%0A&negcats=Wikipedia%3AL%C3%B6schkandidat&combination=union&ns%5B0%5D=1&show_redirects=no&wikidata_item=without&interface_language=en&&doit=

Petscan Query should show only articles without wikidata objects.

In the last days, also entries are shown, where the articles already have been connected to a (new or existing) wikidata object.

Bugreporter added a comment.EditedSep 12 2020, 2:08 PM
In T44362#440341, @daniel wrote:

It's true that IDs may be "swallowed" by unsuccessful attempts to create an item. But I don't see this as a problem. The IDs have no significance, they could just as well be chosen randomly instead of sequentially. The ID system may well be changed to something else entirely at some point, e.g. GUIDs.

I want to thank you for reporting this anyway, because it *might* have been an indication for Something Bad happening, like items just vanishing without a trace. But I don't see any evidence of that. So, closing WONTFIX.

This is already posted on wiki, but also post here for reference:
Allocating one ID requires one read and write of wb_id_counters table. It is possible that some malicious users doing a large number of failed creation, which may significantly increase the database load. What's worse are 1. There are no ways on wiki to find out users who are doing failed item creation and 2. Blocking the user does not solve the issue as IDs will still be allocated.

Before T213817: Use separate DB connection for (Sql/UpsertSql)IdGenerator in Wikibase is fixed, things are even much worse, as there was a DoS potential: malicious users can produce many database errors (logspam), or even impede others creating new entities.

Lydia_Pintscher added a project: Wikidata-Campsite.Sep 22 2020, 10:06 AM
Lydia_Pintscher moved this task from Incoming to Unconnected Stories on the Wikidata-Campsite board.
Addshore renamed this task from Checking whether save is possible before assigning Qids to Trying to create entities via wbeditentity when blocked should not assigned a fresh entity ID.Sep 22 2020, 10:24 AM
Addshore updated the task description. (Show Details)
WMDE-leszek updated the task description. (Show Details)Sep 22 2020, 12:11 PM
WMDE-leszek edited projects, added Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)); removed Wikidata-Campsite.Sep 22 2020, 12:16 PM
Lucas_Werkmeister_WMDE subscribed.Sep 22 2020, 12:19 PM

Possibly related: T138227: Move ID assignment out of EntityStore

Bugreporter added a comment.Sep 22 2020, 2:20 PM

Not only for blocked, but also for label/description conflict, AbuseFilter and rate limit.

hoo renamed this task from Trying to create entities via wbeditentity when blocked should not assigned a fresh entity ID to Trying to create entities via wbeditentity when blocked should not assign a fresh entity ID.Sep 23 2020, 2:02 AM
hoo claimed this task.
hoo moved this task from To Do (prioritised from top to bottom) to Doing on the Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)) board.
gerritbot added a comment.Sep 30 2020, 2:28 AM

Change 630979 had a related patch set uploaded (by Hoo man; owner: Hoo man):
[mediawiki/extensions/Wikibase@master] Don't allocate entity ids for users that can't edit

https://gerrit.wikimedia.org/r/630979

gerritbot added a project: Patch-For-Review.Sep 30 2020, 2:28 AM
hoo moved this task from Doing to Peer Review on the Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)) board.Sep 30 2020, 2:29 AM
Bugreporter added a comment.Sep 30 2020, 3:25 AM

The scope of this task is a bit wider than the patch. If an item can not be created because of an label/description conflict, the ID is still allocated. Therefore the issue described in T232620#6456047 still exists and there are no way to detect this.

Other circumstances that item creation will fail may include rate limit, abusefilter and malformed entity content.

hoo added a comment.Sep 30 2020, 3:05 PM
In T232620#6503844, @Bugreporter wrote:

The scope of this task is a bit wider than the patch. If an item can not be created because of an label/description conflict, the ID is still allocated. Therefore the issue described in T232620#6456047 still exists and there are no way to detect this.

Other circumstances that item creation will fail may include rate limit, abusefilter and malformed entity content.

This task specifically is only about blocks, the other issues will require different strategies to fix (and that will be much more involved because currently Wikibase assumes the id to be set during all of these things).

Bugreporter added a comment.Sep 30 2020, 5:42 PM

My task originally said "Checking whether save is possible before assigning Qids". Should I file a new task for these other issues?

noarave subscribed.Oct 2 2020, 9:30 AM

@Bugreporter yes, please open a new task for these issues.

Bugreporter mentioned this in T264448: Entity ID should not be assigned for label/description conflict.Oct 2 2020, 3:05 PM
Bugreporter mentioned this in T264449: Entity ID should not be assigned for invalid entity data.
Bugreporter mentioned this in T264450: Entity ID should not be assigned if rate limit is hit.Oct 2 2020, 3:08 PM
Bugreporter mentioned this in T264451: Entity ID should not be assigned if disallowed by AbuseFilter.
Bugreporter removed subtasks: T264451: Entity ID should not be assigned if disallowed by AbuseFilter, T264450: Entity ID should not be assigned if rate limit is hit, T264449: Entity ID should not be assigned for invalid entity data, T264448: Entity ID should not be assigned for label/description conflict.Oct 2 2020, 3:10 PM
DannyS712 subscribed.Oct 2 2020, 3:16 PM
noarave added a comment.Oct 7 2020, 1:31 PM

How to test locally:

first verify on master - block yourself, then execute api.postWithEditToken( { action: 'wbeditentity', new: 'item', data: '{}' } ) in your developer console
no new item will be created, but each time you do it, your wb_id_counters will be updated:

MariaDB [wikidatawiki]> SELECT * FROM wb_id_counters;

And once you check out the patch that should no longer happen

gerritbot added a comment.Oct 12 2020, 1:28 PM

Change 630979 merged by jenkins-bot:
[mediawiki/extensions/Wikibase@master] Don't allocate entity ids for users that can't edit

https://gerrit.wikimedia.org/r/630979

ReleaseTaggerBot added a project: MW-1.36-notes (1.36.0-wmf.13; 2020-10-12).Oct 12 2020, 2:00 PM
Maintenance_bot removed a project: Patch-For-Review.Oct 12 2020, 2:10 PM
Lucas_Werkmeister_WMDE moved this task from Peer Review to Test (Verification) on the Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)) board.Oct 12 2020, 2:38 PM
Lydia_Pintscher closed this task as Resolved.Oct 15 2020, 11:33 AM
Lydia_Pintscher moved this task from Test (Verification) to Done on the Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)) board.

Adam and I just tried it on test.wikidata.org and IDs are no longer skipped when blocked users create Items.
\o/

Lydia_Pintscher mentioned this in T44362: skipped item IDs.Nov 21 2020, 11:46 AM
Maintenance_bot moved this task from incoming to in progress on the Wikidata board.Nov 21 2020, 12:15 PM
WMDE-leszek mentioned this in T268625: [20h] Investigate the significant number of skipped Item IDs for newly created Wikidata items.Nov 24 2020, 2:23 PM
gerritbot added a comment.Dec 7 2021, 4:13 PM

Change 744799 had a related patch set uploaded (by Tobias Andersson; author: Hoo man):

[mediawiki/extensions/Wikibase@REL1_35] Don't allocate entity ids for users that can't edit

https://gerrit.wikimedia.org/r/744799

gerritbot added a project: Patch-For-Review.Dec 7 2021, 4:13 PM
gerritbot added a comment.Feb 1 2022, 11:36 AM

Change 744799 merged by jenkins-bot:

[mediawiki/extensions/Wikibase@REL1_35] Don't allocate entity ids for users that can't edit

https://gerrit.wikimedia.org/r/744799

hoo mentioned this in T65632: AbuseFilter *_links variables incorrect on item edits..Jul 12 2023, 1:11 PM
Maintenance_bot removed a project: Patch-For-Review.Jul 12 2023, 1:30 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL