Page MenuHomePhabricator
Create Task
Maniphest T235152

don't show bridge edit pens when editor can't edit the article
Closed, ResolvedPublic5 Estimated Story Points
Actions

Description

As an admin on the client wiki I don't want editors who can't edit an article to have an easy way to edit the article by vandalizing on the repository in order to prevent vandalism creeping into my articles.

Problem:
When the article on the client is protected people can still vandalize it through the repository potentially. With the edit pens being the only visible edit actions in the article this is a very tempting option. We shouldn't make it so easy.

BDD
GIVEN an editor on the client
AND they don't have the rights to edit the current article
WHEN they view the article
THEN no bridge-enabled edit links are shown

Acceptance criteria:

  • edit pens are hidden when the current editor can't edit the current article because of an article protection
  • we only touch bridge-enabled edit links

Details

SubjectRepoBranchLines +/-
bridge: conditional edit pensmediawiki/extensions/Wikibasemaster+26 -1
Customize query in gerrit

Related Objects
Search...

Event Timeline

Lydia_Pintscher created this task.Oct 10 2019, 8:01 AM
Restricted Application added a project: Wikidata. · View Herald TranscriptOct 10 2019, 8:01 AM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Lydia_Pintscher moved this task from Incoming to Ready to estimate on the Wikidata-Bridge board.Oct 10 2019, 8:11 AM
Lydia_Pintscher mentioned this in T231209: investigation about permissions and protection.Oct 10 2019, 8:14 AM
Lydia_Pintscher moved this task from incoming to ready to go on the Wikidata board.Oct 10 2019, 12:25 PM
Lucas_Werkmeister_WMDE added subscribers: abian, Lucas_Werkmeister_WMDE.Oct 15 2019, 1:06 PM

The discussion in T231209 assumes that we do this via JS, by checking mw.config.get( 'wgIsProbablyEditable' ). But I think we can do this via CSS, depending on the mw-editable class on the surrounding body (added in T208315) – that CSS could either be part of the init module, or be added PHP-side so it doesn’t even have to wait for ResourceLoader. I think this would be more efficient and better for the user (no flash of unhidden edit buttons before we get around to hiding them).

In fact, it looks like this is exactly what mw-editable was added for? This code in eswiki:common.css looks very similar to what we’d want:

/*
 * Evitar que usuarios no confirmados se salten las semiprotecciones
 * a través de la edición en Wikidata: [[phab:T208315]], [[phab:T207648]].
 */
.wikidata-link {
  display:none;
}
body.mw-editable .wikidata-link {
  display:inline;
}

Except that we identify Wikidata Bridge links differently.

Michael subscribed.Oct 15 2019, 1:10 PM

I think this would be more efficient and better for the user (no flash of unhidden edit buttons before we get around to hiding them).

Sounds good to me 👍

abian added a comment.Oct 15 2019, 1:32 PM
In T235152#5575023, @Lucas_Werkmeister_WMDE wrote:

In fact, it looks like this is exactly what mw-editable was added for?

That's right. :-)

abian added a parent task: T207648: If users can't edit a Wikipedia article, don't encourage them to edit its Wikidata item.Oct 15 2019, 1:48 PM
WMDE-leszek updated the task description. (Show Details)Oct 22 2019, 8:50 AM
WMDE-leszek set the point value for this task to 5.Oct 22 2019, 8:54 AM
WMDE-leszek moved this task from Ready to estimate to Ready to pick up on the Wikidata-Bridge board.
Lucas_Werkmeister_WMDE edited projects, added Wikidata-Bridge-Sprint-8; removed Wikidata-Bridge.Oct 23 2019, 9:12 AM
Lucas_Werkmeister_WMDE added a comment.Oct 23 2019, 9:46 AM

(Task breakdown note: we’ll go for the CSS variant unless it turns out to be impossible for some reason.)

Lucas_Werkmeister_WMDE added a comment.Oct 24 2019, 10:23 AM

I suggest we add the display: none portion of the styles through OutputPage::addModuleStyles(), so that it’s loaded independent of ResourceLoader. This both helps users without JavaScript (who can’t use the bridge anyways) and also should prevent a brief flash of visible buttons before the ResourceLoader styles are loaded. On the other hand, the display: inline part can be loaded via ResourceLoader, as part of the app or init module (not yet sure which would be more appropriate – probably init?).

Michael added a comment.Oct 24 2019, 10:25 AM

So the idea is to only show the edit pens when the bridge is ready? That might actually work quite well 🤔

Lucas_Werkmeister_WMDE added a comment.Oct 24 2019, 10:29 AM

Wait, no, the edit links are functional links specifically so that no-JS users can still use them 🤦 so we probably want the display: inline to be loaded via addModuleStyles() as well. (Unless @Lydia_Pintscher thinks otherwise?)

Lydia_Pintscher added a comment.Oct 24 2019, 2:47 PM

Yeah agreed.

Matthias_Geisler_WMDE claimed this task.Oct 28 2019, 11:37 AM
Matthias_Geisler_WMDE moved this task from To do to Doing on the Wikidata-Bridge-Sprint-8 board.
gerritbot added a comment.Oct 28 2019, 2:04 PM

Change 546499 had a related patch set uploaded (by Matthias Geisler; owner: Matthias Geisler):
[mediawiki/extensions/Wikibase@master] bridge: conditional edit pens

https://gerrit.wikimedia.org/r/546499

gerritbot added a project: Patch-For-Review.Oct 28 2019, 2:05 PM
Matthias_Geisler_WMDE moved this task from Doing to Peer Review on the Wikidata-Bridge-Sprint-8 board.Oct 28 2019, 2:17 PM
Addshore moved this task from ready to go to in progress on the Wikidata board.Oct 30 2019, 1:52 PM
gerritbot added a comment.Nov 1 2019, 4:08 PM

Change 546499 merged by jenkins-bot:
[mediawiki/extensions/Wikibase@master] bridge: conditional edit pens

https://gerrit.wikimedia.org/r/546499

Maintenance_bot removed a project: Patch-For-Review.Nov 1 2019, 4:10 PM
ReleaseTaggerBot added a project: MW-1.35-notes (1.35.0-wmf.5; 2019-11-05).Nov 1 2019, 6:00 PM
Tonina_Zhelyazkova_WMDE moved this task from Peer Review to Verification on the Wikidata-Bridge-Sprint-8 board.Nov 4 2019, 12:48 PM
Charlie_WMDE subscribed.Nov 4 2019, 4:39 PM

@Matthias_Geisler_WMDE do we have a way of verifying this? We don't have the rights to block the article to then check if it works. does one of you have the rights and could show us?

Matthias_Geisler_WMDE added a subscriber: LucasWerkmeister.Nov 5 2019, 10:56 AM

@LucasWerkmeister Do you have the rights to do that or do we have to make the way around by wikidata beta?

Lucas_Werkmeister_WMDE removed a subscriber: LucasWerkmeister.Nov 5 2019, 12:13 PM
Stashbot added a comment.Nov 5 2019, 12:16 PM

Mentioned in SAL (#wikimedia-releng) [2019-11-05T12:16:09Z] <Lucas_WMDE> lucaswerkmeister-wmde@deployment-deploy01:~$ mwscript createAndPromote.php dewiki 'Lucas Werkmeister (WMDE)' --force --sysop # make myself admin for T235152

Lucas_Werkmeister_WMDE added a comment.Nov 5 2019, 12:18 PM

I protected de:Data-Bridge so that only registered users can edit it – open it in a private window to verify the hidden edit pens.

Charlie_WMDE added a comment.Nov 5 2019, 2:57 PM

@Lucas_Werkmeister_WMDE could you also temporarily block my user on the same page so i can check if it also works when i am banned? or is that the same behavior in the background anyway?

Lucas_Werkmeister_WMDE added a comment.Nov 5 2019, 3:42 PM

Blocked you from that page for one day.

Charlie_WMDE added a comment.Nov 5 2019, 3:43 PM

coolio, thanks!

Lucas_Werkmeister_WMDE added a comment.Nov 5 2019, 3:52 PM

And blocked you from the whole wiki now (same duration) to test behavior of partial vs. full blocks.

Charlie_WMDE added a comment.Nov 5 2019, 3:53 PM

just tested with a partial and complete(?) block. It still shows the edit links in both cases :/ @Lydia_Pintscher what to do?

Charlie_WMDE added a comment.Nov 5 2019, 4:05 PM

My suggestion is to expand the screen we're planning to show for when the user is blocked on the repo T235154 (desktop blocked screen) and have a version for when the user is blocked on the client. Not sure we have another feasibly alternative handy. Other suggestion would be to investigate again for this specific case, if that even makes sense @Lucas_Werkmeister_WMDE ?

Lucas_Werkmeister_WMDE added a comment.Nov 5 2019, 4:29 PM

No, I think doing that will make the most sense.

Lydia_Pintscher moved this task from Verification to To do on the Wikidata-Bridge-Sprint-8 board.Nov 5 2019, 8:52 PM
In T235152#5636638, @Charlie_WMDE wrote:

just tested with a partial and complete(?) block. It still shows the edit links in both cases :/ @Lydia_Pintscher what to do?

Ok then let's move it back to todo so you and the devs can look into it in-person while I'm gone. When you're happy feel free to close and move it to done.

Michael moved this task from To do to Doing on the Wikidata-Bridge-Sprint-8 board.Nov 6 2019, 9:33 AM
Charlie_WMDE updated the task description. (Show Details)Nov 6 2019, 9:48 AM
Pablo-WMDE subscribed.Nov 6 2019, 9:48 AM

During the sprint start we quickly discussed this and concluded that we will move the missing functionality (blocked on the client) into a dedicated ticket.

Charlie_WMDE closed this task as Resolved.Nov 6 2019, 9:48 AM
Charlie_WMDE moved this task from Doing to Done on the Wikidata-Bridge-Sprint-8 board.

changed the ACs, moving this to done and making a new ticket for the AC that was not met

Lucas_Werkmeister_WMDE closed subtask T237116: browser test edit link visibility based on permission as Resolved.Nov 7 2019, 12:22 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits