
Rate-limit is incremented before username and revision are validated
Closed, Resolved · Public · BUG REPORT


Steps to replicate
  1. Install the ReportIncident extension
  2. Create a new account and make an edit using this account
  3. Open a user talk page
  4. Click on the "Report" link in the "Tools" menu
  5. Click through to the second step of the dialog
  6. Enter form data, but enter a username that does not exist
  7. Open DevTools and click on the 'Network' tab
  8. Click on submit until you see the error 429 (should take no more than 6 times in a standard configuration and no more than 1 time for a new user account). The errors seen before the 429 should have the error code 404.

What happens?:
The API request response has the status code 429, even though no reports were submitted in the previous request (as the form data failed validation).

What should have happened instead?:
All form validation should occur before the rate limit is increased, so that the rate limit should only be increased when a user submits a valid report that is emailed to the administrators.

Therefore, after 6 attempts to submit there should be no error with a code of 429.
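The ordering problem this task describes, as an added example that is not the ReportIncident extension's own code: a minimal model of a report handler in which the rate limit is consumed before validation (the reported behaviour) beside one that validates first (the expected behaviour). `RateLimiter`, `validate_report`, `handle_buggy`, `handle_fixed` and the sample user set are hypothetical names and constructed data used only for illustration.

```python
# Added example, not ReportIncident code: models the handler ordering described in this task.
# All names below are hypothetical; EXISTING_USERS and LIMIT are constructed sample data.
from collections import defaultdict

EXISTING_USERS = {"Alice", "Bob"}   # constructed: usernames that "exist" on the wiki
LIMIT = 6                           # constructed: allowed valid submissions per actor


class RateLimiter:
    """Counts attempts per actor; increment() returns False once the limit is exceeded."""

    def __init__(self, limit):
        self.limit = limit
        self.hits = defaultdict(int)

    def increment(self, actor):
        self.hits[actor] += 1
        return self.hits[actor] <= self.limit


def validate_report(form):
    """Return None when the form is valid, otherwise a (status, message) tuple."""
    reported = form.get("reportedUser")
    if reported not in EXISTING_USERS:
        return (404, f"The specified user ({reported}) does not exist")
    if not form.get("details"):
        return (400, "Missing report details")
    return None


def handle_buggy(limiter, actor, form):
    """Pre-fix ordering: the limit is consumed even when the form is later rejected."""
    if not limiter.increment(actor):
        return (429, "Too many requests")
    error = validate_report(form)
    return error if error else (200, "Report sent")


def handle_fixed(limiter, actor, form):
    """Post-fix ordering: only a report that passed validation consumes the limit."""
    error = validate_report(form)
    if error:
        return error
    if not limiter.increment(actor):
        return (429, "Too many requests")
    return (200, "Report sent")


def statuses(handler, attempts, form):
    """Submit the same form `attempts` times from a fresh limiter; return the status codes."""
    limiter = RateLimiter(LIMIT)
    return [handler(limiter, "reporter", form)[0] for _ in range(attempts)]
```

With the buggy ordering, repeated submissions naming a non-existent user turn from 404 into 429 once the counter is exhausted; with the fixed ordering they stay 404, and only valid reports advance the counter.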

Software version

MediaWiki 1.42.0-alpha (72f7b7a) 12:57, 18 October 2023. ReportIncident – (404454b) 13:13, 19 October 2023.

Other information

Example in Firefox DevTools:

image.png (80×1 px, 15 KB)

Event Timeline

Change 967319 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/ReportIncident@master] Move authorizeAction call to after all form validation checks

Change 967319 merged by jenkins-bot:

[mediawiki/extensions/ReportIncident@master] ReportHandler: Split ::run and move authorization after validation

For QA, I would suggest following the steps to reproduce. This cannot be easily tested on the betawikis using a new account unless you wait 3 hours since its creation. This check is skipped on wikis in developer mode (such as patch demo or local wikis).

The 404 error for a username not being found should have a response body containing an error similar to "The specified user ($1) does not exist", with $1 replaced by the username you entered into the form. An example (from Firefox DevTools) is shown below:

image.png (194×873 px, 13 KB)

Test wiki created on Patch demo by DJacksonA using patch(es) linked to this task:

I have verified the fix for this issue has been implemented and is working as expected per the Ticket Description... Thank you @Dreamy_Jazz!!!
Testing was performed at the following url: 사용자토론:QS5E

image.png (934×1 px, 157 KB)

Dreamy_Jazz claimed this task.