Page MenuHomePhabricator
Create Task
Maniphest T331934

wmopbot should not let users without JavaScript submit incomplete cloak requests
Open, LowPublic
Actions

Description

Earlier today, I requested a cloak for my volunteer account (IRC lucaswerkmeister). Since I’d gone through the process only a few days ago for my work account (@Lucas_Werkmeister_WMDE, IRC Lucas_WMDE), I didn’t read the form very carefully: I selected “new cloak” (rather than “change” or whatever the third option is) and clicked the submit button. Only afterwards did I realize that I had NoScript enabled, and the wmopbot web tool had not asked me to select the kind of cloak I wanted (wikipedia, wikidata, etc.). As far as I can tell, my cloak request was still submitted (cloakstatus now reports “pending”), but it probably shouldn’t have been, since it wasn’t complete?

Event Timeline

LucasWerkmeister created this task.Mar 13 2023, 9:46 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 13 2023, 9:46 PM
LucasWerkmeister removed a subscriber: Lucas_Werkmeister_WMDE.Mar 13 2023, 9:46 PM

I can’t easily test this again, since the bot now tells me “You have already requested a cloak, please wait for the request be processed”. As far as I can see in cloak.html on GitLab, the submit button should have been wrapped in a style="display:none" element, so I’m not sure why it still worked for me.

stwalkerster added subscribers: Danilo, stwalkerster.Mar 13 2023, 10:55 PM

@LucasWerkmeister I see two requests in the system from you, neither with a cloak actually requested (as you suspected). I'll decline them both, which should allow you to resubmit the form with a request.

@Danilo FYI. These are requests 1342 and 1343 if you're doing some digging.

LucasWerkmeister added a comment.Mar 13 2023, 11:32 PM

Thanks. With no JS (F36910309), here’s what I see:

Screenshot from 2023-03-14 00-28-14.png (697×1 px, 120 KB)

And I just realized why:

<div class="bothcloak" id="submit" style="text-align: center" style="display:none">

That’s two style= attributes on the same tag :) so I guess Firefox is discarding the second one.

(Also, ~tools.wmopbot local master is four commits ahead of origin/master, which also hasn’t been changed from Diffusion to GitLab yet.)

LucasWerkmeister added a comment.EditedMar 13 2023, 11:33 PM

So I think a relatively simple fix would be:

  • merge those two style attributes into one, (probably) making the button invisible without JS
  • to be nice, also add something like <noscript>JavaScript needs to be enabled to use this form</noscript>
Danilo claimed this task.Mar 14 2023, 5:18 PM
Danilo triaged this task as Low priority.
LucasWerkmeister added a comment.Apr 8 2023, 5:24 PM

(FYI, I’ve now submitted another cloak request with JS, so I might not be able to test this for you anymore if you deploy a fix.)

Base subscribed.Apr 19 2023, 1:15 AM

/me expresses unhelpful grumbling about where and when the web has turned wrong way for such simple forms to require JS nowadays

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits