Page MenuHomePhabricator
Create Task
Maniphest T349356

Rate-limit is incremented before username and revision are validated
Closed, ResolvedPublicBUG REPORT
Actions

Description

Steps to replicate
  1. Install the ReportIncident extension
  2. Create a new account and make an edit using this account
  3. Open a user talk page
  4. Click on the "Report" link in the "Tools" menu
  5. Click through to the second step of the dialog
  6. Enter form data, but enter a username that does not exist
  7. Open DevTools and click on the 'Network' tab
  8. Click on submit until you see the error 429 (should take no more than 6 times in a standard configuration and no more than 1 time for a new user account). The errors seen before the 429 should have the error code 404.

What happens?:
The API request response has the status code 429, even though no reports were submitted in the previous request (as the form data failed validation).

What should have happened instead?:
All form validation should occur before the rate limit is increased, so that the rate limit should only be increased when a user submits a valid report that is emailed to the administrators.

Therefore, after 6 attempts to submit there should be no error with a code of 429.

Software version

MediaWiki 1.42.0-alpha (72f7b7a) 12:57, 18 October 2023. ReportIncident – (404454b) 13:13, 19 October 2023.

Other information

Example in Firefox DevTools:

image.png (80×1 px, 15 KB)

Details

SubjectRepoBranchLines +/-
ReportHandler: Split ::run and move authorization after validationmediawiki/extensions/ReportIncidentmaster+186 -50
Customize query in gerrit

Related Objects
Search...

Event Timeline

Dreamy_Jazz created this task.Oct 19 2023, 11:42 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 19 2023, 11:42 PM
Dreamy_Jazz added a project: Incident-Reporting-System.Oct 19 2023, 11:42 PM
Restricted Application added a project: Trust and Safety Tools Team Backlog. · View Herald TranscriptOct 19 2023, 11:42 PM
Dreamy_Jazz edited projects, added Trust and Safety Tools Team Backlog (Kanban); removed Trust and Safety Tools Team Backlog.Oct 19 2023, 11:42 PM
Dreamy_Jazz added a parent task: T337566: [EPIC]: Incident Reporting System - Minimal Testable Product (MTP).
gerritbot added a comment.Oct 19 2023, 11:51 PM

Change 967319 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/ReportIncident@master] Move authorizeAction call to after all form validation checks

https://gerrit.wikimedia.org/r/967319

gerritbot added a project: Patch-For-Review.Oct 19 2023, 11:51 PM
Dreamy_Jazz moved this task from 🎬 Ready to 💻 In Progress on the Trust and Safety Tools Team Backlog (Kanban) board.Oct 19 2023, 11:57 PM
gerritbot added a comment.Oct 21 2023, 7:13 AM

Change 967319 merged by jenkins-bot:

[mediawiki/extensions/ReportIncident@master] ReportHandler: Split ::run and move authorization after validation

https://gerrit.wikimedia.org/r/967319

Dreamy_Jazz mentioned this in rEREI85ce5be0b962: ReportHandler: Split ::run and move authorization after validation.Oct 21 2023, 7:13 AM
Maintenance_bot removed a project: Patch-For-Review.Oct 21 2023, 7:30 AM
Dreamy_Jazz updated the task description. (Show Details)Oct 21 2023, 8:24 AM
Dreamy_Jazz moved this task from 💻 In Progress to 🐛 QA on the Trust and Safety Tools Team Backlog (Kanban) board.

For QA, I would suggest following the steps to reproduce. Thus cannot be easily tested on the betawikis using a new account unless you wait 3 hours since its creation. This check if skipped on wikis in developer mode (such as patch demo or local wikis).

ReleaseTaggerBot added a project: MW-1.42-notes (1.42.0-wmf.2; 2023-10-24).Oct 21 2023, 9:00 AM
Dreamy_Jazz updated the task description. (Show Details)Oct 23 2023, 4:18 PM
Dreamy_Jazz added a comment.Oct 23 2023, 4:23 PM

The 404 error for a username not being found should have the response body contain an error similar to The specified user ($1) does not exist with $1 replaced with the username you entered into the form. An example (from Firefox DevTools) is shown below:

image.png (194×873 px, 13 KB)

PatchDemoBot added a comment.Oct 23 2023, 7:43 PM

Test wiki created on Patch demo by DJacksonA using patch(es) linked to this task:
https://patchdemo.wmflabs.org/wikis/7707ba64c8/w

Djackson-ctr subscribed.EditedOct 23 2023, 7:54 PM

I have verified the fix for this issue has been implemented and is working as expected per the Ticket Description... Thank you @Dreamy_Jazz!!!
Testing was performed at the following url:
https://ko.wikipedia.beta.wmflabs.org/wiki/사용자토론:QS5E

image.png (934×1 px, 157 KB)

Djackson-ctr moved this task from 🐛 QA to 🤘 Done on the Trust and Safety Tools Team Backlog (Kanban) board.Oct 23 2023, 8:37 PM
Dreamy_Jazz closed this task as Resolved.Oct 25 2023, 1:09 PM
Dreamy_Jazz claimed this task.
PatchDemoBot added a comment.Tue, Apr 23, 3:51 PM

Test wiki on Patch demo by DJacksonA using patch(es) linked to this task was deleted:

https://patchdemo.wmflabs.org/wikis/7707ba64c8/w/

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL