Page MenuHomePhabricator

Confirm Wikibase REST API are considered by the AbuseFilter
Closed, ResolvedPublic


Likely similar to investigation done for rate limiting: T322746

Time box: 24 hrs

Event Timeline

The Wikibase REST API is covered by the AbuseFilter extension by using the same MediawikiEditEntity::attemptSave() low-level service. This service calls the EditFilterMergedContent hook which is registered by the extension (see extension.json). The error response returned by the Wikibase REST API is a generic 500 unexpected-error.

How I verified this:

  • Created a "Block all" filter where Conditions: was true in order to match on everything and:
    • selected the Prevent the user from performing the action in question checkbox
    • set the System message to use for disallowing: and Page name of other message: to abusefilter-disallowed
  • Tried to add a new Statement via the /entities/items/{item_id}/statements endpoint and noticed it returned a generic 500 unexpected-error response.
  • Added a breakpoint in HookContainer::run() and in the catch block of UnexpectedErrorHandlerMiddleware::run()
  • Made a request with all edit endpoints and verified that the failed hook was EditFilterMergedContent and the unexpected error was due to the "Block all" filter:
    • POST /entities/items/{item_id}/statements
    • PUT /entities/items/{item_id}/statements/{statement_id}
    • PATCH /entities/items/{item_id}/statements/{statement_id}
    • DELETE /entities/items/{item_id}/statements/{statement_id}
    • PUT /entities/items/{item_id}/statements/{statement_id}
    • PATCH /statements/{statement_id}
    • DELETE /statements/{statement_id}
Jakob_WMDE added a subscriber: Jakob_WMDE.

I was able to verify this following the same steps you described, @Ollie.Shotton_WMDE. Nice work, thanks!