Context
When the temporary account feature is enabled, and an anonymous user successfully saves an edit, we create a temporary account for the user and log the user in to this account.
The current order of operations in EditPage.php#internalAttemptSave is:
- onEditPage__attemptSave
- onEditFilter
- edit conflict checks
- Constructing a Content object
- EditConstraintRunner() has run:
- EditFilterMergedContentHookConstraint
- UnicodeConstraint
- SimpleAntiSpamConstraint
- SpamRegexConstraint
- ImageRedirectConstraint
- UserBlockConstraint
- ContentModelChangeConstraint
- ReadOnlyConstraint
- UserRateLimitConstraint
- PageSizeConstraint
- ChangeTagsConstraint
- AccidentalRecreationConstraint
- EditRightConstraint
- DefaultTextConstraint
- NewSectionMissingSubjectConstraint
- MissingCommentConstraint
- AutoSummaryMissingSummaryConstraint
- SelfRedirectConstraint
- Create temp account
A consequence of this ordering is that there are numerous stopping points where an edit attempt does not result in temporary account creation. For example, if the edit fails the PageSizeConstraint, no temp account is created and the edit is not saved. For some fairly straightforward constraints, that is not a problem.
For other hooks and constraints, MediaWiki extensions need to be able to log an actor associated with a failed attempt. For example, AbuseFilter logs the account or IP associated with a failed edit attempt T334623: How do we log unsuccessful first edits for temporary users?. In that context, it is difficult to know how to log a failed edit attempt because the temporary account doesn't exist yet at the time of rejection. See also T358806: CannotCreateActorException when a logged out user triggers SpamBlacklist log for a similar failure in SpamBlacklist.
In discussing T307060: [Epic] Temporary account AbuseFilter support with @STran, @Dreamy_Jazz, @Daimona and @Tchanders, one idea we discussed is that every loggable (on Special:Log) action should have a temporary account associated with it. Applying that to the edit save cycle, this could be worded as "Every anonymous edit attempt should result in a temp account." In order to do that, we need to have the temporary account created earlier in the edit cycle, before hooks and constraint checks run.
Proposal
- Create the temporary account at the beginning of EditPage::internalAttemptSave.
- Perform a top-level redirect for failed edit attempts via the form and API, so that the temp user account is attached to loginwiki.
Consequences
Benefits
- We have a temporary account to associate with logs generated by e.g. AbuseFilter and SpamBlacklist
- We build an account history for someone repeatedly tripping AbuseFilters early on
- Easier to communicate with users who have tripped an edit constraint (since they'll have an account and access to Echo notifications)
Disadvantages
- Increase in number of temporary accounts created per month (T334623#9587082)
- Users whose edit attempt is rejected would lose their content because of top-level navigation wiping out form contents. (VisualEditor/DiscussionTools users should be able to recover stashed content.)
- Performing top-level redirect on failure is clunky--we would need to preserve the error message key and parameters, probably by encoding into the URL query string for the redirect to the loginwiki, and then reconstruct the error message when the user arrives back at the local wiki.