Page MenuHomePhabricator

Create temporary account early in edit cycle for all edit attempts
Closed, ResolvedPublic

Description

Context

When the temporary account feature is enabled, and an anonymous user successfully saves an edit, we create a temporary account for the user and log the user in to this account.

The current order of operations in EditPage.php#internalAttemptSave is:

  • onEditPage__attemptSave
  • onEditFilter
  • edit conflict checks
  • Constructing a Content object
  • EditConstraintRunner() has run:
    • EditFilterMergedContentHookConstraint
    • UnicodeConstraint
    • SimpleAntiSpamConstraint
    • SpamRegexConstraint
    • ImageRedirectConstraint
    • UserBlockConstraint
    • ContentModelChangeConstraint
    • ReadOnlyConstraint
    • UserRateLimitConstraint
    • PageSizeConstraint
    • ChangeTagsConstraint
    • AccidentalRecreationConstraint
    • EditRightConstraint
    • DefaultTextConstraint
    • NewSectionMissingSubjectConstraint
    • MissingCommentConstraint
    • AutoSummaryMissingSummaryConstraint
    • SelfRedirectConstraint
  • Create temp account

A consequence of this ordering is that there are numerous stopping points where an edit attempt does not result in temporary account creation. For example, if the edit fails the PageSizeConstraint, no temp account is created and the edit is not saved. For some fairly straightforward constraints, that is not a problem.

For other hooks and constraints, MediaWiki extensions need to be able to log an actor associated with a failed attempt. For example, AbuseFilter logs the account or IP associated with a failed edit attempt T334623: How do we log unsuccessful first edits for temporary users?. In that context, it is difficult to know how to log a failed edit attempt because the temporary account doesn't exist yet at the time of rejection. See also T358806: CannotCreateActorException when a logged out user triggers SpamBlacklist log for a similar failure in SpamBlacklist.

In discussing T307060: [Epic] Temporary account AbuseFilter support with @STran, @Dreamy_Jazz, @Daimona and @Tchanders, one idea we discussed is that every loggable (on Special:Log) action should have a temporary account associated with it. Applying that to the edit save cycle, this could be worded as "Every anonymous edit attempt should result in a temp account." In order to do that, we need to have the temporary account created earlier in the edit cycle, before hooks and constraint checks run.

Proposal

  1. Create the temporary account at the beginning of EditPage::internalAttemptSave.
  2. Perform a top-level redirect for failed edit attempts via the form and API, so that the temp user account is attached to loginwiki.

Consequences

Benefits

  1. We have a temporary account to associate with logs generated by e.g. AbuseFilter and SpamBlacklist
    1. We build an account history for someone repeatedly tripping AbuseFilters early on
  2. Easier to communicate with users who have tripped an edit constraint (since they'll have an account and access to Echo notifications)

Disadvantages

  1. Increase in number of temporary accounts created per month (T334623#9587082)
  2. Users whose edit attempt is rejected would lose their content because of top-level navigation wiping out form contents. (VisualEditor/DiscussionTools users should be able to recover stashed content.)
  3. Performing top-level redirect on failure is clunky--we would need to preserve the error message key and parameters, probably by encoding into the URL query string for the redirect to the loginwiki, and then reconstruct the error message when the user arrives back at the local wiki.

Related Objects

Event Timeline

Change 1008530 had a related patch set uploaded (by Kosta Harlan; author: Kosta Harlan):

[mediawiki/core@master] [WIP] Experiment with creating the temp user at beginning of save

https://gerrit.wikimedia.org/r/1008530

I don't really have time to dive into this, but if we're okay with the predicted increase in the number of temporary accounts, then this seems fine to me. In fact logging AbuseFilter hits this way seems like an improvement, and it probably makes a lot of things easier to implement (and design, and communicate to users).

I don't really have time to dive into this, but if we're okay with the predicted increase in the number of temporary accounts, then this seems fine to me.

That is something we hope to find out with T359194: Instrument potential temporary account creations.

kostajh updated the task description. (Show Details)
kostajh renamed this task from Create temporary account early in edit request cycle to Create temporary account for edit attempts before pre-save hooks run in EditPage.Mar 12 2024, 1:28 PM
kostajh renamed this task from Create temporary account for edit attempts before pre-save hooks run in EditPage to Create temporary account for edit attempts.Mar 21 2024, 10:33 AM
kostajh updated the task description. (Show Details)

I spent some time on handling top-level redirects for temp accounts on failed edits. My main observations are:

  1. Handling failed edits properly is going to be a pain and involve piling some more hacks onto EditPage.php and ApiEditPage.
    1. On edit failure, we could add the error message(s) and parameter(s) as query parameters for top level login, and render those in the form when the user is back in the local wiki. But they'd still lose their edit content for wikitext editor users. (Arguably, not a huge deal)
    2. We'd need to update JS editors to perform a top-level redirect on failures and show the error
  2. We'd need to rework some of the constraints (e.g. UserBlockConstraint to make sure that blocks against anonymous editing are respected)
  3. It's easier for bad faith users to script out attacks that block anonymous users from editing, simply by submitting multiple constraint trips and using up the allocated temp account quota for an IP address
kostajh renamed this task from Create temporary account for edit attempts to Create temporary account for early in edit cycle for all edit attempts.Mar 21 2024, 12:18 PM
Tchanders renamed this task from Create temporary account for early in edit cycle for all edit attempts to Create temporary account early in edit cycle for all edit attempts.Mar 21 2024, 1:42 PM
  1. We'd need to rework some of the constraints (e.g. UserBlockConstraint to make sure that blocks against anonymous editing are respected)

Helpfully, anon-only blocks (softblocks) do actually block temp accounts: T343714

Change #1021768 had a related patch set uploaded (by Kosta Harlan; author: Kosta Harlan):

[mediawiki/core@master] [WIP] Temporary accounts: Perform redirect for first successful edit

https://gerrit.wikimedia.org/r/1021768

A few observations based on https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1008530 and https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1021768 in my local environment:

  • For non JS and JS editing, the UI isn't updated when the user sees an error message that their edit didn't go through. This is probably OK.
  • There are some instances where the user will see "centralauth-token-mismatch": "Sorry, we could not process your form submission due to a loss of session data.", error message in the UX. In some cases, they will be able to press "Save" after removing the text that trips the AbuseFilter or SpamBlacklist. In other case, the centralauth-token-mismatch error persists. It's hard to know if we'd see a similar issue in production CentralAuth setup
  • Sometimes, the user will see the error about having their edit denied, then make a successful edit and see the temporary user banner, then on subsequent page load, the user is logged-out. This feels similar to T299193 but I am not sure. And I am also not sure if it has to do with my local setup or if we'd see something else in Wikimedia production.

A few observations based on https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1008530 and https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1021768 in my local environment:

  • For non JS and JS editing, the UI isn't updated when the user sees an error message that their edit didn't go through. This is probably OK.
  • There are some instances where the user will see "centralauth-token-mismatch": "Sorry, we could not process your form submission due to a loss of session data.", error message in the UX. In some cases, they will be able to press "Save" after removing the text that trips the AbuseFilter or SpamBlacklist. In other case, the centralauth-token-mismatch error persists. It's hard to know if we'd see a similar issue in production CentralAuth setup
  • Sometimes, the user will see the error about having their edit denied, then make a successful edit and see the temporary user banner, then on subsequent page load, the user is logged-out. This feels similar to T299193 but I am not sure. And I am also not sure if it has to do with my local setup or if we'd see something else in Wikimedia production.

Pretty sure the flaky logout issues are due to my local setup, and not the patches listed above.

Change #1008530 merged by jenkins-bot:

[mediawiki/core@master] Temporary accounts: Create user on edit save attempts

https://gerrit.wikimedia.org/r/1008530

Change #1021768 merged by jenkins-bot:

[mediawiki/core@master] Temporary accounts: Perform redirect for first successful edit

https://gerrit.wikimedia.org/r/1021768

@kostajh are there more patches for review, or can this be closed now?

@kostajh are there more patches for review, or can this be closed now?

I think we can close it, unless you think we should QA this task specifically?