Page MenuHomePhabricator

don't show bridge edit pens when editor can't edit the article
Closed, ResolvedPublic5 Story Points

Description

As an admin on the client wiki I don't want editors who can't edit an article to have an easy way to edit the article by vandalizing on the repository in order to prevent vandalism creeping into my articles.

Problem:
When the article on the client is protected people can still vandalize it through the repository potentially. With the edit pens being the only visible edit actions in the article this is a very tempting option. We shouldn't make it so easy.

BDD
GIVEN an editor on the client
AND they don't have the rights to edit the current article
WHEN they view the article
THEN no bridge-enabled edit links are shown

Acceptance criteria:

  • edit pens are hidden when the current editor can't edit the current article because of an article protection
  • we only touch bridge-enabled edit links

Details

Related Gerrit Patches:
mediawiki/extensions/Wikibase : masterbridge: conditional edit pens

Event Timeline

Restricted Application added a project: Wikidata. · View Herald TranscriptOct 10 2019, 8:01 AM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript

The discussion in T231209 assumes that we do this via JS, by checking mw.config.get( 'wgIsProbablyEditable' ). But I think we can do this via CSS, depending on the mw-editable class on the surrounding body (added in T208315) – that CSS could either be part of the init module, or be added PHP-side so it doesn’t even have to wait for ResourceLoader. I think this would be more efficient and better for the user (no flash of unhidden edit buttons before we get around to hiding them).

In fact, it looks like this is exactly what mw-editable was added for? This code in eswiki:common.css looks very similar to what we’d want:

/*
 * Evitar que usuarios no confirmados se salten las semiprotecciones
 * a través de la edición en Wikidata: [[phab:T208315]], [[phab:T207648]].
 */
.wikidata-link {
  display:none;
}
body.mw-editable .wikidata-link {
  display:inline;
}

Except that we identify Wikidata Bridge links differently.

I think this would be more efficient and better for the user (no flash of unhidden edit buttons before we get around to hiding them).

Sounds good to me 👍

abian added a comment.Oct 15 2019, 1:32 PM

In fact, it looks like this is exactly what mw-editable was added for?

That's right. :-)

WMDE-leszek updated the task description. (Show Details)Oct 22 2019, 8:50 AM
WMDE-leszek set the point value for this task to 5.Oct 22 2019, 8:54 AM
WMDE-leszek moved this task from Ready to estimate to Ready to pick up on the Wikidata-Bridge board.

(Task breakdown note: we’ll go for the CSS variant unless it turns out to be impossible for some reason.)

I suggest we add the display: none portion of the styles through OutputPage::addModuleStyles(), so that it’s loaded independent of ResourceLoader. This both helps users without JavaScript (who can’t use the bridge anyways) and also should prevent a brief flash of visible buttons before the ResourceLoader styles are loaded. On the other hand, the display: inline part can be loaded via ResourceLoader, as part of the app or init module (not yet sure which would be more appropriate – probably init?).

So the idea is to only show the edit pens when the bridge is ready? That might actually work quite well 🤔

Wait, no, the edit links are functional links specifically so that no-JS users can still use them 🤦 so we probably want the display: inline to be loaded via addModuleStyles() as well. (Unless @Lydia_Pintscher thinks otherwise?)

Change 546499 had a related patch set uploaded (by Matthias Geisler; owner: Matthias Geisler):
[mediawiki/extensions/Wikibase@master] bridge: conditional edit pens

https://gerrit.wikimedia.org/r/546499

Addshore moved this task from ready to go to in progress on the Wikidata board.Oct 30 2019, 1:52 PM

Change 546499 merged by jenkins-bot:
[mediawiki/extensions/Wikibase@master] bridge: conditional edit pens

https://gerrit.wikimedia.org/r/546499

@Matthias_Geisler_WMDE do we have a way of verifying this? We don't have the rights to block the article to then check if it works. does one of you have the rights and could show us?

@LucasWerkmeister Do you have the rights to do that or do we have to make the way around by wikidata beta?

Mentioned in SAL (#wikimedia-releng) [2019-11-05T12:16:09Z] <Lucas_WMDE> lucaswerkmeister-wmde@deployment-deploy01:~$ mwscript createAndPromote.php dewiki 'Lucas Werkmeister (WMDE)' --force --sysop # make myself admin for T235152

I protected de:Data-Bridge so that only registered users can edit it – open it in a private window to verify the hidden edit pens.

@Lucas_Werkmeister_WMDE could you also temporarily block my user on the same page so i can check if it also works when i am banned? or is that the same behavior in the background anyway?

Blocked you from that page for one day.

coolio, thanks!

And blocked you from the whole wiki now (same duration) to test behavior of partial vs. full blocks.

just tested with a partial and complete(?) block. It still shows the edit links in both cases :/ @Lydia_Pintscher what to do?

My suggestion is to expand the screen we're planning to show for when the user is blocked on the repo T235154 (desktop blocked screen) and have a version for when the user is blocked on the client. Not sure we have another feasibly alternative handy. Other suggestion would be to investigate again for this specific case, if that even makes sense @Lucas_Werkmeister_WMDE ?

No, I think doing that will make the most sense.

just tested with a partial and complete(?) block. It still shows the edit links in both cases :/ @Lydia_Pintscher what to do?

Ok then let's move it back to todo so you and the devs can look into it in-person while I'm gone. When you're happy feel free to close and move it to done.

Michael moved this task from To do to Doing on the Wikidata-Bridge-Sprint-8 board.Nov 6 2019, 9:33 AM
Charlie_WMDE updated the task description. (Show Details)Nov 6 2019, 9:48 AM

During the sprint start we quickly discussed this and concluded that we will move the missing functionality (blocked on the client) into a dedicated ticket.

Charlie_WMDE closed this task as Resolved.Nov 6 2019, 9:48 AM
Charlie_WMDE moved this task from Doing to Done on the Wikidata-Bridge-Sprint-8 board.

changed the ACs, moving this to done and making a new ticket for the AC that was not met