
Allow Stewards to enable 'emergency CAPTCHAs' for anonymous IP edits
Open, Medium, Public

Description

In the recent botnet editing attack, one of the original reasons that the wiki community escalated to SRE was that enabling the 'emergency CAPTCHA' functionality for anonymous IP edits requires a configuration push.

Currently this is implemented by editing $wmgEmergencyCaptcha in InitialiseSettings.php, like this patch.

There was broad agreement afterwards from both involved WMF staff and from responders in the community that it would be ideal if Stewards could enable this themselves, without having to escalate to someone with deploy access.


Event Timeline

Shame this couldn't really use an opt-in wiki set—that kind of functionality would be great though 😁

Shame this couldn't really use an opt-in wiki set—that kind of functionality would be great though 😁

Why couldn't it?

$emergencyCaptchaWikiSet = \MediaWiki\Extension\CentralAuth\WikiSet::newFromName( 'emergency-captcha-wikis' );
if ( $emergencyCaptchaWikiSet !== null ) {
	$wikisToEnable = $emergencyCaptchaWikiSet->getWikis();
	foreach ( $wikisToEnable as $wiki ) {
		$wmgEmergencyCaptcha[$wiki] = true;
	}
	unset( $wikisToEnable );
	unset( $wiki );
}
unset( $emergencyCaptchaWikiSet );

Any time a wikiset is defined with the name 'emergency-captcha-wikis', whether it is opt-in or opt-out, if this is added to CommonSettings.php it will turn on emergency captcha on those wikis. It should be fairly performant, since the wiki sets are cached indefinitely and only purged when they change.

Shame this couldn't really use an opt-in wiki set—that kind of functionality would be great though 😁

Why couldn't it?

I'm not sure if I like a pattern of wiki sets with "magical" properties not configured via or visible in the UI.

$emergencyCaptchaWikiSet = \MediaWiki\Extension\CentralAuth\WikiSet::newFromName( 'emergency-captcha-wikis' );
if ( $emergencyCaptchaWikiSet !== null ) {
	$wikisToEnable = $emergencyCaptchaWikiSet->getWikis();
	foreach ( $wikisToEnable as $wiki ) {
		$wmgEmergencyCaptcha[$wiki] = true;
	}
	unset( $wikisToEnable );
	unset( $wiki );
}
unset( $emergencyCaptchaWikiSet );

Any time a wikiset is defined with the name 'emergency-captcha-wikis', whether it is opt-in or opt-out, if this is added to CommonSettings.php it will turn on emergency captcha on those wikis. It should be fairly performant, since the wiki sets are cached indefinitely and only purged when they change.

CR-1 as too complicated:

if (
	$wmgEnableEmergencyCaptcha
	// if we're hardcoding things, I'd prefer hardcoding an ID instead of a name since it's harder to change by accident
	|| \MediaWiki\Extension\CentralAuth\WikiSet::newFromId( 42 )->inSet( WikiMap::getCurrentWikiId() )
) {
	// do what's currently in the `if ( $wmgEnableEmergencyCaptcha )` block
}

Although I'm not sure if you can access the database or caches when evaluating CS.php since the settings needed for that aren't fully registered yet.

A better solution would be to add a hook to ConfirmEdit that lets you specify if a given action should get a captcha prompt. At that point the config is surely fully loaded, and it's also more efficient (fewer queries needed even for the cached values, since you don't need to evaluate that every page view).

The problem with using a hard-coded ID is that, as far as I understand it, when all wikis are removed from a set it gets deleted, and the next time we want to use it a new set would be created with a different ID, so this would require the same set to keep existing. On the other hand, doing it by name is just as unique but allows for recreation.
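An added illustration (not code from ConfirmEdit, CentralAuth or any commenter) of the two points above: a hook-style handler that decides per action, and a lookup by set name that tolerates the set having been deleted. It is stand-alone PHP; `lookupWikiSet()`, `emergencyCaptchaHandler()`, the sample set contents and the `edit`/`create` action list are assumptions made for the example.

```php
<?php
// Stand-alone illustration; no MediaWiki classes are loaded.
// Constructed sample data: wiki set name => member wiki IDs.
const SAMPLE_WIKI_SETS = [
	'emergency-captcha-wikis' => [ 'testwiki', 'examplewiki' ],
];

/** Hypothetical stand-in for a wiki set lookup by name; null if no such set. */
function lookupWikiSet( array $sets, string $name ): ?array {
	return $sets[$name] ?? null;
}

/**
 * Hook-style handler (hypothetical). $result arrives holding what static
 * configuration decided. The handler may only switch a captcha on, never off,
 * so a deleted or emptied set cannot weaken the static configuration.
 * Who is exempt from the prompt is decided elsewhere and is not modelled here.
 */
function emergencyCaptchaHandler(
	array $sets, string $currentWiki, string $action, bool &$result
): void {
	// Assumed list of actions the emergency mode should cover.
	if ( !in_array( $action, [ 'edit', 'create' ], true ) ) {
		return;
	}
	$members = lookupWikiSet( $sets, 'emergency-captcha-wikis' );
	if ( $members === null ) {
		// The set does not exist (for example, deleted after being emptied).
		return;
	}
	if ( in_array( $currentWiki, $members, true ) ) {
		$result = true;
	}
}

// Constructed cases: [ sets, current wiki, action, result from static config ]
$cases = [
	[ SAMPLE_WIKI_SETS, 'testwiki', 'edit', false ],     // wiki is in the set
	[ SAMPLE_WIKI_SETS, 'otherwiki', 'edit', false ],    // wiki is not in the set
	[ SAMPLE_WIKI_SETS, 'testwiki', 'badlogin', false ], // action outside the list
	[ [], 'testwiki', 'edit', true ],                    // set gone, static config on
];
foreach ( $cases as [ $sets, $wiki, $action, $result ] ) {
	emergencyCaptchaHandler( $sets, $wiki, $action, $result );
	printf( "%-10s %-9s captcha=%s\n", $wiki, $action, $result ? 'yes' : 'no' );
}
```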

(I'd like to note that the permissions for this task do not allow the subscribers to view it. Does it even need to be private, anyway?)

sbassett added a subscriber: sbassett.

(I'd like to note that the permissions for this task do not allow the subscribers to view it. Does it even need to be private, anyway?)

Maybe due to it being sub-tasked from T302047? I don't think this needs to be private at all, so I'll go ahead and make it public.

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)". Mar 9 2022, 10:22 PM
sbassett changed the edit policy from "Custom Policy" to "All Users".

Given

... it would be ideal if Stewards could enable this themselves, without having to escalate to someone with deploy access.

This task is still about some kind of manual UI config mechanism, no? Like a new ConfirmEdit special page or a lightweight extension under metawiki that allowed for an easy way to set/unset $wmgEnableEmergencyCaptcha for various projects or groups of projects?

Given

... it would be ideal if Stewards could enable this themselves, without having to escalate to someone with deploy access.

This task is still about some kind of manual UI config mechanism, no? Like a new ConfirmEdit special page or a lightweight extension under metawiki that allowed for an easy way to set/unset $wmgEnableEmergencyCaptcha for various projects or groups of projects?

So the reason I suggested using CentralAuth global groups is that if we want to add new functionality like this somewhere else, it requires some thinking about how we should be storing the data - should there be a new database table to remember which wikis are configured to have it enabled? Easier to implement, but means a database read each time. Or, perhaps have the special page or whatever write to an included php file, like the installer does when setting the initial configuration - harder to implement, but lower performance impact since the settings would just be read as normal configuration.

Reusing CentralAuth means that there is already an interface, logging, database, etc. available, which I think would be easier and more stable than trying to write new handling from scratch.

jbond triaged this task as Medium priority. Mar 21 2022, 11:41 AM

Change 778678 had a related patch set uploaded (by Zabe; author: Zabe):

[mediawiki/extensions/ConfirmEdit@master] Add new ConfirmEditTriggersCaptchaHook

https://gerrit.wikimedia.org/r/778678

Change 778680 had a related patch set uploaded (by Zabe; author: Zabe):

[mediawiki/extensions/CentralAuth@master] Allow stewards to enable emergency captchas via a wikiset

https://gerrit.wikimedia.org/r/778680

Change 778678 merged by jenkins-bot:

[mediawiki/extensions/ConfirmEdit@master] Add new ConfirmEditTriggersCaptchaHook

https://gerrit.wikimedia.org/r/778678