Page MenuHomePhabricator
Create Task
Maniphest T381117

Unregistered users can be thanked via the API
Open, Needs TriagePublicBUG REPORT
Actions

Description

Steps to replicate the issue (include links if applicable):

What happens?:
API succeeds and a log entry is generated (example) although unregistered users can't be notified about the thanks.

What should have happened instead?:
API should fail with a notice that unregistered users can't be thanked

Software version (on Special:Version page; skip for WMF-hosted wikis like Wikipedia):

Other information (browser name/version, screenshots, etc.):

Was originally reported at https://meta.wikimedia.org/wiki/Talk:SWViewer#[BUG]:_Remove_the_ability_to_thank_IP_Users

Related Objects

Event Timeline

Toadette created this task.Nov 28 2024, 6:42 PM
Restricted Application added a project: Growth-Team. · View Herald TranscriptNov 28 2024, 6:42 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Toadette triaged this task as Low priority.Nov 28 2024, 6:44 PM
Myrealnamm subscribed.Nov 28 2024, 8:46 PM

Thanks, I was thinking whether or not to create a phab for this.

jhsoby subscribed.Nov 29 2024, 12:12 AM

Go to https://test.wikipedia.org/wiki/Special:APISandbox

Just FYI: Since the test Wikipedia has Temporary accounts enabled, and you can actually thank temporary accounts (that's a built-in feature), as opposed to IP users, it might not be the best place to test this bug.

Etonkovidova moved this task from Inbox to Needs Discussion on the Growth-Team board.Dec 6 2024, 5:44 PM
DMburugu moved this task from Needs Discussion to Triaged on the Growth-Team board.Oct 2 2025, 4:25 PM
Restricted Application added a project: Connection-Team. · View Herald TranscriptOct 2 2025, 4:25 PM
Daimona raised the priority of this task from Low to Needs Triage.Oct 12 2025, 12:27 AM
Daimona merged a task: T407055: It's possible to thank a (legacy) anonymous user.
Daimona added a subscriber: matej_suchanek.
matej_suchanek updated the task description. (Show Details)Oct 12 2025, 8:42 AM
matej_suchanek added a comment.Oct 14 2025, 9:39 AM

I think this is an oversight that stems from the unfortunate state of the codebase where thanks "eligibility" checks are done by each interface separately. Hence, if a new check is to be added (such as T407056), it needs to be duplicated everywhere where the eligibility for thanking (definitive or tentative) is checked.

In particular, some checks are run in Hooks::insertThankLink, Hooks::onLogEventsListLineEnding, ApiThank, ApiCoreThank, LogStore::getLogEntryFromId, and even LogStore::thank (where it's actually too late). Some of them do share code, but the logic is duplicated nevertheless.

It would be nice to come up with an interface that would encapsulate all (most of) the checks, differentiate between tentative ("quick", batch checks for interface) and definitive ("expensive", for authorization) ones, and satisfy both the user interface, where a mere boolean is expected, and the API, where different error states are presented (perhaps using Status?).

Urbanecm_WMF removed a project: Growth-Team.Oct 28 2025, 12:27 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits