
wmopbot should not let users without JavaScript submit incomplete cloak requests
Open, Low, Public

Description

Earlier today, I requested a cloak for my volunteer account (IRC lucaswerkmeister). Since I’d gone through the process only a few days ago for my work account (@Lucas_Werkmeister_WMDE, IRC Lucas_WMDE), I didn’t read the form very carefully: I selected “new cloak” (rather than “change” or whatever the third option is) and clicked the submit button. Only afterwards did I realize that I had NoScript enabled, and the wmopbot web tool had not asked me to select the kind of cloak I wanted (wikipedia, wikidata, etc.). As far as I can tell, my cloak request was still submitted (cloakstatus now reports “pending”), but it probably shouldn’t have been, since it wasn’t complete?

Event Timeline

I can’t easily test this again, since the bot now tells me “You have already requested a cloak, please wait for the request be processed”. As far as I can see in cloak.html on GitLab, the submit button should have been wrapped in a style="display:none" element, so I’m not sure why it still worked for me.

@LucasWerkmeister I see two requests in the system from you, neither with a cloak actually requested (as you suspected). I'll decline them both, which should allow you to resubmit the form with a request.

@Danilo FYI. These are requests 1342 and 1343 if you're doing some digging.

Thanks. With no JS (F36910309), here’s what I see:

Screenshot from 2023-03-14 00-28-14.png (697×1 px, 120 KB)

And I just realized why:

<div class="bothcloak" id="submit" style="text-align: center" style="display:none">

That’s two style= attributes on the same tag :) so I guess Firefox is discarding the second one.

(Also, ~tools.wmopbot local master is four commits ahead of origin/master, which also hasn’t been changed from Diffusion to GitLab yet.)

So I think a relatively simple fix would be:

  • merge those two style attributes into one, (probably) making the button invisible without JS
  • to be nice, also add something like <noscript>JavaScript needs to be enabled to use this form</noscript>
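
The duplicate-attribute mistake found above can be caught mechanically before a template is deployed. The following is an added example, not part of the thread and not wmopbot's own code: it uses Python's html.parser to flag any start tag that repeats an attribute name and reports which value survives. The sample strings are constructed from the tag quoted above, and the function and class names are hypothetical.

```python
from html.parser import HTMLParser

# Constructed samples: the tag quoted in the thread, and a merged form
# along the lines of the fix suggested in the thread.
BROKEN = ('<div class="bothcloak" id="submit" '
          'style="text-align: center" style="display:none">')
MERGED = ('<div class="bothcloak" id="submit" '
          'style="text-align: center; display:none">')


class DuplicateAttrFinder(HTMLParser):
    """Record start tags that repeat an attribute name.

    html.parser reports every attribute as written, duplicates included.
    An HTML5 parser keeps the first occurrence and drops later ones, so
    the first value is recorded as "kept" and each later one as "dropped".
    """

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        seen = {}
        line, _col = self.getpos()  # position of the tag being handled
        for name, value in attrs:
            if name in seen:
                self.findings.append({
                    "tag": tag, "attr": name, "line": line,
                    "kept": seen[name], "dropped": value,
                })
            else:
                seen[name] = value


def find_duplicate_attrs(markup):
    """Return one finding per repeated attribute in the given markup."""
    finder = DuplicateAttrFinder()
    finder.feed(markup)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for f in find_duplicate_attrs(BROKEN):
        print(f"line {f['line']}: <{f['tag']}> repeats {f['attr']}=; "
              f"kept {f['kept']!r}, dropped {f['dropped']!r}")
```

Hiding the button only changes what the browser shows, so a check like this complements, and does not replace, rejecting incomplete requests on the server.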

Danilo triaged this task as Low priority.

(FYI, I’ve now submitted another cloak request with JS, so I might not be able to test this for you anymore if you deploy a fix.)

/me expresses unhelpful grumbling about where and when the web has turned wrong way for such simple forms to require JS nowadays