Page MenuHomePhabricator
People hector.arroyo

hector.arroyo (Héctor Aroyo)
User

Projects (7)
View All

Calendar

Today

  • No visible events.

Tomorrow

  • No visible events.

Thursday

  • No visible events.

User Details

User Since
Oct 28 2024, 10:36 AM (84 w, 23 h)
Availability
Available
LDAP User
Harroyo-wmf
MediaWiki User
HArroyo-WMF [ Global Accounts ]

Recent Activity
View All

Today

hector.arroyo changed the point value for T425929: Cannot publish after dismissing hCaptcha challenge triggered by AbuseFilter on mobile source editor from 1 to 3.
Tue, Jun 9, 9:10 AM · MW-1.47-notes (1.47.0-wmf.6; 2026-06-09), Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), hCaptcha, ConfirmEdit (CAPTCHA extension), MobileFrontend, Bot detection and mitigation (WE4.10 hCaptcha)
hector.arroyo moved T427073: hCaptcha risk scores (MobileFrontend): Add a hook which is fired when a block message is shown from QA to Done on the Bot detection and mitigation (WE4.10 hCaptcha) board.
Tue, Jun 9, 9:07 AM · Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), Bot detection and mitigation (WE4.10 hCaptcha), MobileFrontend (MobileFrontend (Editor))
hector.arroyo closed T427073: hCaptcha risk scores (MobileFrontend): Add a hook which is fired when a block message is shown, a subtask of T424629: [epic] WE4.10.5 hCaptcha risk scores for blocked edit notices, as Resolved.
Tue, Jun 9, 9:06 AM · Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), Epic, Bot detection and mitigation (WE4.10 hCaptcha)
hector.arroyo closed T427073: hCaptcha risk scores (MobileFrontend): Add a hook which is fired when a block message is shown as Resolved.

This is working as expected in the master branch of MobileFrontend.

image.png (712×1 px, 187 KB)

Tue, Jun 9, 9:06 AM · Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), Bot detection and mitigation (WE4.10 hCaptcha), MobileFrontend (MobileFrontend (Editor))
hector.arroyo moved T426943: hCaptcha risk scores (MobileFrontend): Load ext.confirmEdit.hCaptcha when a block message is shown from QA in Prod to Done on the Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)) board.
Tue, Jun 9, 8:59 AM · MW-1.47-notes (1.47.0-wmf.6; 2026-06-09), Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), MobileFrontend (MobileFrontend (Editor)), hCaptcha, Bot detection and mitigation (WE4.10 hCaptcha), ConfirmEdit (CAPTCHA extension)
hector.arroyo closed T426943: hCaptcha risk scores (MobileFrontend): Load ext.confirmEdit.hCaptcha when a block message is shown as Resolved.

This is working as expected (tested locally with the master branches of the MobileFrontend and ConfirmEdit).

Tue, Jun 9, 8:58 AM · MW-1.47-notes (1.47.0-wmf.6; 2026-06-09), Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), MobileFrontend (MobileFrontend (Editor)), hCaptcha, Bot detection and mitigation (WE4.10 hCaptcha), ConfirmEdit (CAPTCHA extension)
hector.arroyo closed T426943: hCaptcha risk scores (MobileFrontend): Load ext.confirmEdit.hCaptcha when a block message is shown, a subtask of T424629: [epic] WE4.10.5 hCaptcha risk scores for blocked edit notices, as Resolved.
Tue, Jun 9, 8:58 AM · Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), Epic, Bot detection and mitigation (WE4.10 hCaptcha)

Yesterday

hector.arroyo added a comment to T425929: Cannot publish after dismissing hCaptcha challenge triggered by AbuseFilter on mobile source editor.

If I first clear cookies and then repeat the test:

Mon, Jun 8, 11:33 AM · MW-1.47-notes (1.47.0-wmf.6; 2026-06-09), Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), hCaptcha, ConfirmEdit (CAPTCHA extension), MobileFrontend, Bot detection and mitigation (WE4.10 hCaptcha)
hector.arroyo added a comment to T425929: Cannot publish after dismissing hCaptcha challenge triggered by AbuseFilter on mobile source editor.

The issue is only occurring if the first widget does not use the always challenge sitekey

Mon, Jun 8, 10:51 AM · MW-1.47-notes (1.47.0-wmf.6; 2026-06-09), Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), hCaptcha, ConfirmEdit (CAPTCHA extension), MobileFrontend, Bot detection and mitigation (WE4.10 hCaptcha)
hector.arroyo added a comment to T425929: Cannot publish after dismissing hCaptcha challenge triggered by AbuseFilter on mobile source editor.

I get the same result both in Chrome and in Firefox

Mon, Jun 8, 10:45 AM · MW-1.47-notes (1.47.0-wmf.6; 2026-06-09), Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), hCaptcha, ConfirmEdit (CAPTCHA extension), MobileFrontend, Bot detection and mitigation (WE4.10 hCaptcha)
hector.arroyo added a comment to T425929: Cannot publish after dismissing hCaptcha challenge triggered by AbuseFilter on mobile source editor.

I've tested by closing the challenge manually (the ticket says when the hCaptcha challenge shows, dismiss it (click away or press Esc)).

Mon, Jun 8, 10:25 AM · MW-1.47-notes (1.47.0-wmf.6; 2026-06-09), Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), hCaptcha, ConfirmEdit (CAPTCHA extension), MobileFrontend, Bot detection and mitigation (WE4.10 hCaptcha)
hector.arroyo added a comment to T425929: Cannot publish after dismissing hCaptcha challenge triggered by AbuseFilter on mobile source editor.

I've pulled the latest master branches for ConfirmEdit (CAPTCHA extension) and MobileFrontend and retested this locally, and this is working as expected in my local environment: If I open the consequence by typing "showcaptcha" in the summary, clicking outside the captcha (or pressing Esc), then trying to submit again shows a new captcha. Then, the edit is saved after solving it.

Mon, Jun 8, 10:15 AM · MW-1.47-notes (1.47.0-wmf.6; 2026-06-09), Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), hCaptcha, ConfirmEdit (CAPTCHA extension), MobileFrontend, Bot detection and mitigation (WE4.10 hCaptcha)
hector.arroyo moved T407339: hCaptcha: Implement hCaptcha on edits made through the MobileFrontend from Awaiting Code Review to Feature Requests/Improvements on the ConfirmEdit (CAPTCHA extension) board.
Mon, Jun 8, 9:39 AM · Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), ConfirmEdit (CAPTCHA extension), MobileFrontend (MobileFrontend (Editor)), OKR-Work, Bot detection and mitigation (WE4.2 hCaptcha editing trial)
hector.arroyo moved T426943: hCaptcha risk scores (MobileFrontend): Load ext.confirmEdit.hCaptcha when a block message is shown from Awaiting Code Review to Feature Requests/Improvements on the ConfirmEdit (CAPTCHA extension) board.
Mon, Jun 8, 9:38 AM · MW-1.47-notes (1.47.0-wmf.6; 2026-06-09), Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), MobileFrontend (MobileFrontend (Editor)), hCaptcha, Bot detection and mitigation (WE4.10 hCaptcha), ConfirmEdit (CAPTCHA extension)
hector.arroyo moved T427067: hCaptcha risk scores (MobileFrontend): Collect and submit risk scores when showing a blocked edit notice in the MobileFrontend from Awaiting Code Review to Feature Requests/Improvements on the ConfirmEdit (CAPTCHA extension) board.
Mon, Jun 8, 9:38 AM · Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), Bot detection and mitigation (WE4.10 hCaptcha), ConfirmEdit (CAPTCHA extension), MobileFrontend (MobileFrontend (Editor))

Fri, Jun 5

hector.arroyo renamed T427259: hCaptcha risk scores: Move hCaptcha-specific backend code (risk scores, retries, logging) to a dedicated service from hCaptcha risk scores: Move hCaptcha-specific code (risk scores, retries, logging) to a dedicated service to hCaptcha risk scores: Move hCaptcha-specific backend code (risk scores, retries, logging) to a dedicated service.
Fri, Jun 5, 2:17 PM · Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), ConfirmEdit (CAPTCHA extension), Bot detection and mitigation (WE4.10 hCaptcha)
hector.arroyo added a comment to T408795: hCaptcha: when challenge triggered makes entire screen white in Dark mode.
Fri, Jun 5, 2:14 PM · Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), Bot detection and mitigation (WE4.2 hCaptcha editing trial), ConfirmEdit (CAPTCHA extension)
hector.arroyo moved T425929: Cannot publish after dismissing hCaptcha challenge triggered by AbuseFilter on mobile source editor from In progress to Needs review on the Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)) board.
Fri, Jun 5, 1:22 PM · MW-1.47-notes (1.47.0-wmf.6; 2026-06-09), Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), hCaptcha, ConfirmEdit (CAPTCHA extension), MobileFrontend, Bot detection and mitigation (WE4.10 hCaptcha)
hector.arroyo moved T425929: Cannot publish after dismissing hCaptcha challenge triggered by AbuseFilter on mobile source editor from Backlog to Awaiting Code Review on the ConfirmEdit (CAPTCHA extension) board.
Fri, Jun 5, 1:22 PM · MW-1.47-notes (1.47.0-wmf.6; 2026-06-09), Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), hCaptcha, ConfirmEdit (CAPTCHA extension), MobileFrontend, Bot detection and mitigation (WE4.10 hCaptcha)
hector.arroyo moved T425929: Cannot publish after dismissing hCaptcha challenge triggered by AbuseFilter on mobile source editor from Backlog to In progress on the Bot detection and mitigation (WE4.10 hCaptcha) board.
Fri, Jun 5, 1:22 PM · MW-1.47-notes (1.47.0-wmf.6; 2026-06-09), Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), hCaptcha, ConfirmEdit (CAPTCHA extension), MobileFrontend, Bot detection and mitigation (WE4.10 hCaptcha)
hector.arroyo moved T426943: hCaptcha risk scores (MobileFrontend): Load ext.confirmEdit.hCaptcha when a block message is shown from In progress to QA on the Bot detection and mitigation (WE4.10 hCaptcha) board.
Fri, Jun 5, 10:33 AM · MW-1.47-notes (1.47.0-wmf.6; 2026-06-09), Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), MobileFrontend (MobileFrontend (Editor)), hCaptcha, Bot detection and mitigation (WE4.10 hCaptcha), ConfirmEdit (CAPTCHA extension)
hector.arroyo closed T428180: hCaptcha: confirmEdit.hCaptchaRenderCallback events don't seem to trigger the corresponding subscribers as Resolved.

We've deployed a change to use a new interface name for the MobileFrontend and now it seems the subscriber for the confirmEdit.hCaptchaRenderCallback event in the MobileFrontend is working as expected. I'm closing this task now.

Fri, Jun 5, 10:22 AM · Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), hCaptcha

Thu, Jun 4

hector.arroyo created T428180: hCaptcha: confirmEdit.hCaptchaRenderCallback events don't seem to trigger the corresponding subscribers.
Thu, Jun 4, 2:45 PM · Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), hCaptcha
hector.arroyo added a comment to T425929: Cannot publish after dismissing hCaptcha challenge triggered by AbuseFilter on mobile source editor.

I'm not able to reproduce this locally, but I can reproduce it on test.wikipedia.org.

Thu, Jun 4, 1:44 PM · MW-1.47-notes (1.47.0-wmf.6; 2026-06-09), Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), hCaptcha, ConfirmEdit (CAPTCHA extension), MobileFrontend, Bot detection and mitigation (WE4.10 hCaptcha)
hector.arroyo claimed T425929: Cannot publish after dismissing hCaptcha challenge triggered by AbuseFilter on mobile source editor.
Thu, Jun 4, 12:03 PM · MW-1.47-notes (1.47.0-wmf.6; 2026-06-09), Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), hCaptcha, ConfirmEdit (CAPTCHA extension), MobileFrontend, Bot detection and mitigation (WE4.10 hCaptcha)
hector.arroyo placed T427816: hCaptcha: Wikitext source editor always fails with incorrect CAPTCHA error when in mobile mode on vector up for grabs.
Thu, Jun 4, 12:02 PM · MW-1.47-notes (1.47.0-wmf.6; 2026-06-09), Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), Bot detection and mitigation (WE4.10 hCaptcha), ConfirmEdit (CAPTCHA extension), hCaptcha
hector.arroyo changed the status of T427816: hCaptcha: Wikitext source editor always fails with incorrect CAPTCHA error when in mobile mode on vector from In Progress to Open.
Thu, Jun 4, 12:02 PM · MW-1.47-notes (1.47.0-wmf.6; 2026-06-09), Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), Bot detection and mitigation (WE4.10 hCaptcha), ConfirmEdit (CAPTCHA extension), hCaptcha
hector.arroyo placed T421041: hCaptcha challenge not shown when triggering AbuseFilter on Special:CreateAccount up for grabs.
Thu, Jun 4, 11:41 AM · Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), ConfirmEdit (CAPTCHA extension), AbuseFilter, Bot detection and mitigation (WE4.2 hCaptcha account creation trial)
hector.arroyo moved T421041: hCaptcha challenge not shown when triggering AbuseFilter on Special:CreateAccount from In progress to Ready on the Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)) board.
Thu, Jun 4, 11:41 AM · Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), ConfirmEdit (CAPTCHA extension), AbuseFilter, Bot detection and mitigation (WE4.2 hCaptcha account creation trial)
hector.arroyo moved T427816: hCaptcha: Wikitext source editor always fails with incorrect CAPTCHA error when in mobile mode on vector from Ready to In progress on the Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)) board.
Thu, Jun 4, 11:41 AM · MW-1.47-notes (1.47.0-wmf.6; 2026-06-09), Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), Bot detection and mitigation (WE4.10 hCaptcha), ConfirmEdit (CAPTCHA extension), hCaptcha
hector.arroyo changed the status of T427816: hCaptcha: Wikitext source editor always fails with incorrect CAPTCHA error when in mobile mode on vector from Open to In Progress.
Thu, Jun 4, 11:40 AM · MW-1.47-notes (1.47.0-wmf.6; 2026-06-09), Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), Bot detection and mitigation (WE4.10 hCaptcha), ConfirmEdit (CAPTCHA extension), hCaptcha
hector.arroyo added a comment to T421041: hCaptcha challenge not shown when triggering AbuseFilter on Special:CreateAccount.

Anyway, we can't just re-submit the CreateAccount form automatically since, on page reload, the password field and its confirmation come empty (unless we are ok with writing the user-provided password in the HTML we send back with the error -- probably we shouldn't since the current implementation explicitly avoids doing so; or unless we implement an additional mechanism to temporarily store the user-submitted password in the user session for retrieving it back in SpecialCreateAccount if the field comes empty (which still feels potentially dangerous)).

Thu, Jun 4, 10:54 AM · Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), ConfirmEdit (CAPTCHA extension), AbuseFilter, Bot detection and mitigation (WE4.2 hCaptcha account creation trial)
hector.arroyo added a comment to T421041: hCaptcha challenge not shown when triggering AbuseFilter on Special:CreateAccount.

Locally,

  • ✅ Setting $wgCaptchaTriggers['createaccount']=true and having a filer with account_name contains 'AF' as the condition works as expected (it seems to just trigger the normal createaccount action)
  • ❌ Setting $wgCaptchaTriggers['createaccount']=false and having the previous filter fails (it goes back to the form with an "Incorrect or missing CAPTCHA" error). Trying to submit the form the second time shows the captcha, solving it creates the account correctly.
Thu, Jun 4, 10:07 AM · Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), ConfirmEdit (CAPTCHA extension), AbuseFilter, Bot detection and mitigation (WE4.2 hCaptcha account creation trial)

Wed, Jun 3

hector.arroyo added a comment to T427067: hCaptcha risk scores (MobileFrontend): Collect and submit risk scores when showing a blocked edit notice in the MobileFrontend.

With the following changes applied:

Wed, Jun 3, 11:45 AM · Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), Bot detection and mitigation (WE4.10 hCaptcha), ConfirmEdit (CAPTCHA extension), MobileFrontend (MobileFrontend (Editor))
hector.arroyo claimed T421041: hCaptcha challenge not shown when triggering AbuseFilter on Special:CreateAccount.
Wed, Jun 3, 8:50 AM · Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), ConfirmEdit (CAPTCHA extension), AbuseFilter, Bot detection and mitigation (WE4.2 hCaptcha account creation trial)

Tue, Jun 2

hector.arroyo moved T427067: hCaptcha risk scores (MobileFrontend): Collect and submit risk scores when showing a blocked edit notice in the MobileFrontend from Needs review to QA in Prod on the Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)) board.
Tue, Jun 2, 1:54 PM · Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), Bot detection and mitigation (WE4.10 hCaptcha), ConfirmEdit (CAPTCHA extension), MobileFrontend (MobileFrontend (Editor))
hector.arroyo moved T427067: hCaptcha risk scores (MobileFrontend): Collect and submit risk scores when showing a blocked edit notice in the MobileFrontend from In progress to QA on the Bot detection and mitigation (WE4.10 hCaptcha) board.

https://gerrit.wikimedia.org/r/c/mediawiki/extensions/ConfirmEdit/+/1290753 was merged

Tue, Jun 2, 1:54 PM · Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), Bot detection and mitigation (WE4.10 hCaptcha), ConfirmEdit (CAPTCHA extension), MobileFrontend (MobileFrontend (Editor))
hector.arroyo changed the status of T426068: hCaptcha risk scores: New API endpoint for collecting risk scores from Open to In Progress.
Tue, Jun 2, 1:44 PM · Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), hCaptcha, ConfirmEdit (CAPTCHA extension), Bot detection and mitigation (WE4.10 hCaptcha)
hector.arroyo changed the status of T426068: hCaptcha risk scores: New API endpoint for collecting risk scores, a subtask of T424629: [epic] WE4.10.5 hCaptcha risk scores for blocked edit notices, from Open to In Progress.
Tue, Jun 2, 1:44 PM · Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), Epic, Bot detection and mitigation (WE4.10 hCaptcha)
hector.arroyo moved T426068: hCaptcha risk scores: New API endpoint for collecting risk scores from Done to QA on the Bot detection and mitigation (WE4.10 hCaptcha) board.
Tue, Jun 2, 11:24 AM · Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), hCaptcha, ConfirmEdit (CAPTCHA extension), Bot detection and mitigation (WE4.10 hCaptcha)
hector.arroyo added a comment to T426068: hCaptcha risk scores: New API endpoint for collecting risk scores.
In T426068#11975361, @Dreamy_Jazz wrote:

What about QA?

Tue, Jun 2, 8:30 AM · Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), hCaptcha, ConfirmEdit (CAPTCHA extension), Bot detection and mitigation (WE4.10 hCaptcha)
hector.arroyo moved T426077: hCaptcha risk scores: Wire the frontend code for the Desktop entry point to the API endpoint from Backlog to Done on the Bot detection and mitigation (WE4.10 hCaptcha) board.
Tue, Jun 2, 8:28 AM · Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), ConfirmEdit (CAPTCHA extension), Bot detection and mitigation (WE4.10 hCaptcha)
hector.arroyo moved T426077: hCaptcha risk scores: Wire the frontend code for the Desktop entry point to the API endpoint from Awaiting Code Review to Feature Requests/Improvements on the ConfirmEdit (CAPTCHA extension) board.
Tue, Jun 2, 8:28 AM · Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), ConfirmEdit (CAPTCHA extension), Bot detection and mitigation (WE4.10 hCaptcha)
hector.arroyo closed T426077: hCaptcha risk scores: Wire the frontend code for the Desktop entry point to the API endpoint as Resolved.

https://gerrit.wikimedia.org/r/c/mediawiki/extensions/ConfirmEdit/+/1290031 was merged, closing this task

Tue, Jun 2, 8:27 AM · Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), ConfirmEdit (CAPTCHA extension), Bot detection and mitigation (WE4.10 hCaptcha)
hector.arroyo closed T426077: hCaptcha risk scores: Wire the frontend code for the Desktop entry point to the API endpoint, a subtask of T424629: [epic] WE4.10.5 hCaptcha risk scores for blocked edit notices, as Resolved.
Tue, Jun 2, 8:27 AM · Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), Epic, Bot detection and mitigation (WE4.10 hCaptcha)
hector.arroyo closed T426072: hCaptcha risk scores: API endpoint rate limiting, a subtask of T424629: [epic] WE4.10.5 hCaptcha risk scores for blocked edit notices, as Resolved.
Tue, Jun 2, 8:25 AM · Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), Epic, Bot detection and mitigation (WE4.10 hCaptcha)
hector.arroyo closed T426072: hCaptcha risk scores: API endpoint rate limiting as Resolved.

This was done in https://gerrit.wikimedia.org/r/c/mediawiki/extensions/ConfirmEdit/+/1290031 as part of T426068: hCaptcha risk scores: New API endpoint for collecting risk scores. That patch is now merged and the related task is closed, so closing this one too.

Tue, Jun 2, 8:25 AM · Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), hCaptcha, ConfirmEdit (CAPTCHA extension), Bot detection and mitigation (WE4.10 hCaptcha)
hector.arroyo moved T426072: hCaptcha risk scores: API endpoint rate limiting from Awaiting Code Review to Feature Requests/Improvements on the ConfirmEdit (CAPTCHA extension) board.
Tue, Jun 2, 8:24 AM · Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), hCaptcha, ConfirmEdit (CAPTCHA extension), Bot detection and mitigation (WE4.10 hCaptcha)
hector.arroyo moved T426072: hCaptcha risk scores: API endpoint rate limiting from In progress to Done on the Bot detection and mitigation (WE4.10 hCaptcha) board.
Tue, Jun 2, 8:24 AM · Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), hCaptcha, ConfirmEdit (CAPTCHA extension), Bot detection and mitigation (WE4.10 hCaptcha)
hector.arroyo closed T426068: hCaptcha risk scores: New API endpoint for collecting risk scores, a subtask of T424629: [epic] WE4.10.5 hCaptcha risk scores for blocked edit notices, as Resolved.
Tue, Jun 2, 8:21 AM · Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), Epic, Bot detection and mitigation (WE4.10 hCaptcha)
hector.arroyo closed T426068: hCaptcha risk scores: New API endpoint for collecting risk scores as Resolved.

https://gerrit.wikimedia.org/r/c/mediawiki/extensions/ConfirmEdit/+/1295993 & https://gerrit.wikimedia.org/r/c/mediawiki/extensions/ConfirmEdit/+/1290031 were merged, closing this task

Tue, Jun 2, 8:21 AM · Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), hCaptcha, ConfirmEdit (CAPTCHA extension), Bot detection and mitigation (WE4.10 hCaptcha)
hector.arroyo moved T426068: hCaptcha risk scores: New API endpoint for collecting risk scores from Awaiting Code Review to Feature Requests/Improvements on the ConfirmEdit (CAPTCHA extension) board.
Tue, Jun 2, 8:21 AM · Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), hCaptcha, ConfirmEdit (CAPTCHA extension), Bot detection and mitigation (WE4.10 hCaptcha)
hector.arroyo moved T426068: hCaptcha risk scores: New API endpoint for collecting risk scores from Needs review to Done on the Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)) board.
Tue, Jun 2, 8:21 AM · Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), hCaptcha, ConfirmEdit (CAPTCHA extension), Bot detection and mitigation (WE4.10 hCaptcha)

Mon, Jun 1

hector.arroyo closed T426069: hCaptcha risk scores: Handle events for risk scores obtained for blocks in CaptchaScoreHooks as Resolved.

https://gerrit.wikimedia.org/r/c/mediawiki/extensions/WikimediaEvents/+/1288971 was merged, closing this task.

Mon, Jun 1, 6:45 PM · Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), hCaptcha, Patch-For-Review, MediaWiki-extensions-WikimediaEvents, Bot detection and mitigation (WE4.10 hCaptcha)
hector.arroyo closed T426069: hCaptcha risk scores: Handle events for risk scores obtained for blocks in CaptchaScoreHooks, a subtask of T424629: [epic] WE4.10.5 hCaptcha risk scores for blocked edit notices, as Resolved.
Mon, Jun 1, 6:45 PM · Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), Epic, Bot detection and mitigation (WE4.10 hCaptcha)
hector.arroyo moved T426069: hCaptcha risk scores: Handle events for risk scores obtained for blocks in CaptchaScoreHooks from In progress to Done on the Bot detection and mitigation (WE4.10 hCaptcha) board.
Mon, Jun 1, 6:44 PM · Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), hCaptcha, Patch-For-Review, MediaWiki-extensions-WikimediaEvents, Bot detection and mitigation (WE4.10 hCaptcha)

Fri, May 29

hector.arroyo changed the status of T426069: hCaptcha risk scores: Handle events for risk scores obtained for blocks in CaptchaScoreHooks from Stalled to In Progress.

The schema update from T426071: hCaptcha risk scores: Schema update for risk_score events has been merged, so this is no longer blocked.

Fri, May 29, 9:31 AM · Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), hCaptcha, Patch-For-Review, MediaWiki-extensions-WikimediaEvents, Bot detection and mitigation (WE4.10 hCaptcha)
hector.arroyo changed the status of T426069: hCaptcha risk scores: Handle events for risk scores obtained for blocks in CaptchaScoreHooks, a subtask of T424629: [epic] WE4.10.5 hCaptcha risk scores for blocked edit notices, from Stalled to In Progress.
Fri, May 29, 9:31 AM · Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), Epic, Bot detection and mitigation (WE4.10 hCaptcha)
hector.arroyo moved T427073: hCaptcha risk scores (MobileFrontend): Add a hook which is fired when a block message is shown from In progress to QA on the Bot detection and mitigation (WE4.10 hCaptcha) board.
Fri, May 29, 8:46 AM · Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), Bot detection and mitigation (WE4.10 hCaptcha), MobileFrontend (MobileFrontend (Editor))

Thu, May 28

hector.arroyo closed T427086: hCaptcha: Add GlobalBlocking as a dependency for VisualEditor CI jobs as Resolved.
Thu, May 28, 10:44 AM · Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), Bot detection and mitigation (WE4.10 hCaptcha), VisualEditor
hector.arroyo closed T427086: hCaptcha: Add GlobalBlocking as a dependency for VisualEditor CI jobs, a subtask of T424629: [epic] WE4.10.5 hCaptcha risk scores for blocked edit notices, as Resolved.
Thu, May 28, 10:44 AM · Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), Epic, Bot detection and mitigation (WE4.10 hCaptcha)
hector.arroyo updated the task description for T427014: hCaptcha risk scores: Add a new method to GlobalBlocking to retrieve a block by ID.
Thu, May 28, 7:32 AM · MW-1.47-notes (1.47.0-wmf.4; 2026-05-26), hCaptcha, GlobalBlocking, Bot detection and mitigation (WE4.10 hCaptcha), Product Safety and Integrity (Sprint lily-of-the-valley (May 4 - May 22))

Wed, May 27

hector.arroyo added a comment to T427087: MobileFrontend hCaptcha: SDK loaded if blocked user attempts to edit page.
In T427087#11960570, @Dreamy_Jazz wrote:

What about updating the module handler for MobileFrontend to only load the hCaptcha SDK when the editor actually appears and is usable?

Wed, May 27, 5:23 PM · Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), Bot detection and mitigation (WE4.10 hCaptcha), MobileFrontend (MobileFrontend (Editor)), ConfirmEdit (CAPTCHA extension), hCaptcha
hector.arroyo added a comment to T427087: MobileFrontend hCaptcha: SDK loaded if blocked user attempts to edit page.

I think this happens because https://gerrit.wikimedia.org/g/mediawiki/extensions/ConfirmEdit/+/master/includes/Hooks/Handlers/MakeGlobalVariablesScriptHookHandler.php does not check it the user is blocked but only if HCaptcha is enabled for the MobileFrontend. However, that behavir will be required for collecting hCaptcha risk scores, so I'm not sure a fix for this would be needed (maybe we could skip loading the modules if the user is blocked and HCaptchaBlockedIpEditingScoreCollectionSiteKey is not set )

Wed, May 27, 4:35 PM · Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), Bot detection and mitigation (WE4.10 hCaptcha), MobileFrontend (MobileFrontend (Editor)), ConfirmEdit (CAPTCHA extension), hCaptcha
hector.arroyo changed the status of T427086: hCaptcha: Add GlobalBlocking as a dependency for VisualEditor CI jobs from Open to In Progress.
Wed, May 27, 4:03 PM · Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), Bot detection and mitigation (WE4.10 hCaptcha), VisualEditor
hector.arroyo changed the status of T427086: hCaptcha: Add GlobalBlocking as a dependency for VisualEditor CI jobs, a subtask of T424629: [epic] WE4.10.5 hCaptcha risk scores for blocked edit notices, from Open to In Progress.
Wed, May 27, 4:03 PM · Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), Epic, Bot detection and mitigation (WE4.10 hCaptcha)
hector.arroyo moved T427086: hCaptcha: Add GlobalBlocking as a dependency for VisualEditor CI jobs from Ready to Needs review on the Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)) board.
Wed, May 27, 3:44 PM · Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), Bot detection and mitigation (WE4.10 hCaptcha), VisualEditor
hector.arroyo added a comment to T427086: hCaptcha: Add GlobalBlocking as a dependency for VisualEditor CI jobs.

Revert here: https://gerrit.wikimedia.org/r/c/integration/config/+/1294335

Wed, May 27, 3:44 PM · Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), Bot detection and mitigation (WE4.10 hCaptcha), VisualEditor
hector.arroyo closed T427078: hCaptcha risk scores: Include block IDs by type in VisualEditor's ApiVisualEditor as Invalid.
Wed, May 27, 3:08 PM · Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), MobileFrontend (MobileFrontend (Editor)), hCaptcha, Bot detection and mitigation (WE4.10 hCaptcha), VisualEditor
hector.arroyo moved T427078: hCaptcha risk scores: Include block IDs by type in VisualEditor's ApiVisualEditor from Needs review to Done on the Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)) board.
Wed, May 27, 3:08 PM · Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), MobileFrontend (MobileFrontend (Editor)), hCaptcha, Bot detection and mitigation (WE4.10 hCaptcha), VisualEditor
hector.arroyo moved T427078: hCaptcha risk scores: Include block IDs by type in VisualEditor's ApiVisualEditor from In progress to Done on the Bot detection and mitigation (WE4.10 hCaptcha) board.
Wed, May 27, 3:07 PM · Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), MobileFrontend (MobileFrontend (Editor)), hCaptcha, Bot detection and mitigation (WE4.10 hCaptcha), VisualEditor
hector.arroyo moved T426674: hCaptcha risk scores: Add a new hook type in ConfirmEdit for forwarding risk score infomation for blocks from In progress to Done on the Bot detection and mitigation (WE4.10 hCaptcha) board.
Wed, May 27, 8:05 AM · Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), hCaptcha, Bot detection and mitigation (WE4.10 hCaptcha), ConfirmEdit (CAPTCHA extension)
hector.arroyo moved T426674: hCaptcha risk scores: Add a new hook type in ConfirmEdit for forwarding risk score infomation for blocks from Awaiting Code Review to Feature Requests/Improvements on the ConfirmEdit (CAPTCHA extension) board.
Wed, May 27, 8:05 AM · Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), hCaptcha, Bot detection and mitigation (WE4.10 hCaptcha), ConfirmEdit (CAPTCHA extension)
hector.arroyo closed T426674: hCaptcha risk scores: Add a new hook type in ConfirmEdit for forwarding risk score infomation for blocks as Resolved.

https://gerrit.wikimedia.org/r/c/mediawiki/extensions/ConfirmEdit/+/1288955 was merged, closing this ticket

Wed, May 27, 8:05 AM · Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), hCaptcha, Bot detection and mitigation (WE4.10 hCaptcha), ConfirmEdit (CAPTCHA extension)
hector.arroyo closed T426674: hCaptcha risk scores: Add a new hook type in ConfirmEdit for forwarding risk score infomation for blocks, a subtask of T424629: [epic] WE4.10.5 hCaptcha risk scores for blocked edit notices, as Resolved.
Wed, May 27, 8:05 AM · Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), Epic, Bot detection and mitigation (WE4.10 hCaptcha)

Tue, May 26

hector.arroyo updated the task description for T427073: hCaptcha risk scores (MobileFrontend): Add a hook which is fired when a block message is shown.
Tue, May 26, 4:19 PM · Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), Bot detection and mitigation (WE4.10 hCaptcha), MobileFrontend (MobileFrontend (Editor))
hector.arroyo added a project to T427259: hCaptcha risk scores: Move hCaptcha-specific backend code (risk scores, retries, logging) to a dedicated service: ConfirmEdit (CAPTCHA extension).
Tue, May 26, 10:23 AM · Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), ConfirmEdit (CAPTCHA extension), Bot detection and mitigation (WE4.10 hCaptcha)
hector.arroyo created T427259: hCaptcha risk scores: Move hCaptcha-specific backend code (risk scores, retries, logging) to a dedicated service.
Tue, May 26, 10:22 AM · Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), ConfirmEdit (CAPTCHA extension), Bot detection and mitigation (WE4.10 hCaptcha)
hector.arroyo moved T427078: hCaptcha risk scores: Include block IDs by type in VisualEditor's ApiVisualEditor from To Triage to Improvements to Existing Functionality on the VisualEditor board.
Tue, May 26, 8:26 AM · Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), MobileFrontend (MobileFrontend (Editor)), hCaptcha, Bot detection and mitigation (WE4.10 hCaptcha), VisualEditor
hector.arroyo moved T427078: hCaptcha risk scores: Include block IDs by type in VisualEditor's ApiVisualEditor from Backlog to Triaged on the MobileFrontend (MobileFrontend (Editor)) board.
Tue, May 26, 8:26 AM · Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), MobileFrontend (MobileFrontend (Editor)), hCaptcha, Bot detection and mitigation (WE4.10 hCaptcha), VisualEditor
hector.arroyo moved T427078: hCaptcha risk scores: Include block IDs by type in VisualEditor's ApiVisualEditor from Backlog to In progress on the Bot detection and mitigation (WE4.10 hCaptcha) board.
Tue, May 26, 8:26 AM · Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), MobileFrontend (MobileFrontend (Editor)), hCaptcha, Bot detection and mitigation (WE4.10 hCaptcha), VisualEditor
hector.arroyo moved T427086: hCaptcha: Add GlobalBlocking as a dependency for VisualEditor CI jobs from To Triage to Triaged on the VisualEditor board.
Tue, May 26, 7:57 AM · Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), Bot detection and mitigation (WE4.10 hCaptcha), VisualEditor
hector.arroyo moved T427086: hCaptcha: Add GlobalBlocking as a dependency for VisualEditor CI jobs from Needs review to Done on the Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)) board.
Tue, May 26, 7:56 AM · Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), Bot detection and mitigation (WE4.10 hCaptcha), VisualEditor
hector.arroyo closed T427086: hCaptcha: Add GlobalBlocking as a dependency for VisualEditor CI jobs as Resolved.

The CI config change https://gerrit.wikimedia.org/r/c/integration/config/+/1292060 was merged today morning, closing.

Tue, May 26, 7:56 AM · Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), Bot detection and mitigation (WE4.10 hCaptcha), VisualEditor
hector.arroyo closed T427086: hCaptcha: Add GlobalBlocking as a dependency for VisualEditor CI jobs, a subtask of T424629: [epic] WE4.10.5 hCaptcha risk scores for blocked edit notices, as Resolved.
Tue, May 26, 7:56 AM · Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), Epic, Bot detection and mitigation (WE4.10 hCaptcha)
hector.arroyo moved T424634: WE4.10.5: Add client side code to collect a risk score via 100% passive mode SiteKey from Ready to Done on the Product Safety and Integrity (Sprint lily-of-the-valley (May 4 - May 22)) board.
Tue, May 26, 7:30 AM · Product Safety and Integrity (Sprint lily-of-the-valley (May 4 - May 22)), ConfirmEdit (CAPTCHA extension), Bot detection and mitigation (WE4.10 hCaptcha)
hector.arroyo moved T426658: hCaptcha MobileFrontend source editor: Publish button remains spinning icon if visual challenge exited during first hCaptcha execution from Ready to Done on the Product Safety and Integrity (Sprint lily-of-the-valley (May 4 - May 22)) board.
Tue, May 26, 7:30 AM · Product Safety and Integrity (Sprint lily-of-the-valley (May 4 - May 22)), Bot detection and mitigation (WE4.10 hCaptcha), hCaptcha, MobileFrontend (MobileFrontend (Editor))
hector.arroyo moved T426829: New users unable to create Wikidata items: Incorrect or missing CAPTCHA from Ready to Done on the Product Safety and Integrity (Sprint lily-of-the-valley (May 4 - May 22)) board.
Tue, May 26, 7:30 AM · Patch-For-Review, Product Safety and Integrity (Sprint lily-of-the-valley (May 4 - May 22)), hCaptcha, Wikidata

Sat, May 23

hector.arroyo added a comment to T427078: hCaptcha risk scores: Include block IDs by type in VisualEditor's ApiVisualEditor.

CI errors in https://gerrit.wikimedia.org/r/c/mediawiki/extensions/VisualEditor/+/1292052 seem to be caused by DiscussionTools, submitting a patch on that repo with no functional changes currently make the CI fail there: https://gerrit.wikimedia.org/r/c/mediawiki/extensions/DiscussionTools/+/1292872, https://integration.wikimedia.org/ci/job/quibble-vendor-mysql-php83-phpunit-standalone/6735/console

Sat, May 23, 2:43 PM · Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), MobileFrontend (MobileFrontend (Editor)), hCaptcha, Bot detection and mitigation (WE4.10 hCaptcha), VisualEditor

Fri, May 22

hector.arroyo moved T427078: hCaptcha risk scores: Include block IDs by type in VisualEditor's ApiVisualEditor from In progress to Needs review on the Product Safety and Integrity (Sprint lily-of-the-valley (May 4 - May 22)) board.
Fri, May 22, 5:26 PM · Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), MobileFrontend (MobileFrontend (Editor)), hCaptcha, Bot detection and mitigation (WE4.10 hCaptcha), VisualEditor
hector.arroyo moved T427086: hCaptcha: Add GlobalBlocking as a dependency for VisualEditor CI jobs from Backlog to In progress on the Bot detection and mitigation (WE4.10 hCaptcha) board.
Fri, May 22, 5:15 PM · Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), Bot detection and mitigation (WE4.10 hCaptcha), VisualEditor
hector.arroyo moved T427086: hCaptcha: Add GlobalBlocking as a dependency for VisualEditor CI jobs from In progress to Needs review on the Product Safety and Integrity (Sprint lily-of-the-valley (May 4 - May 22)) board.
Fri, May 22, 5:15 PM · Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), Bot detection and mitigation (WE4.10 hCaptcha), VisualEditor
hector.arroyo added a parent task for T427086: hCaptcha: Add GlobalBlocking as a dependency for VisualEditor CI jobs: T424629: [epic] WE4.10.5 hCaptcha risk scores for blocked edit notices.
Fri, May 22, 4:53 PM · Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), Bot detection and mitigation (WE4.10 hCaptcha), VisualEditor
hector.arroyo added a subtask for T424629: [epic] WE4.10.5 hCaptcha risk scores for blocked edit notices: T427086: hCaptcha: Add GlobalBlocking as a dependency for VisualEditor CI jobs.
Fri, May 22, 4:53 PM · Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), Epic, Bot detection and mitigation (WE4.10 hCaptcha)
hector.arroyo changed the status of T427086: hCaptcha: Add GlobalBlocking as a dependency for VisualEditor CI jobs from Open to In Progress.
Fri, May 22, 4:53 PM · Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), Bot detection and mitigation (WE4.10 hCaptcha), VisualEditor
hector.arroyo created T427086: hCaptcha: Add GlobalBlocking as a dependency for VisualEditor CI jobs.
Fri, May 22, 4:52 PM · Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), Bot detection and mitigation (WE4.10 hCaptcha), VisualEditor
hector.arroyo moved T424943: Estimate expected coverage % of uploads for hCaptcha from Backlog to Done on the Bot detection and mitigation (WE4.10 hCaptcha) board.
Fri, May 22, 3:52 PM · Product-Analytics, Product Safety and Integrity (Sprint lily-of-the-valley (May 4 - May 22)), Bot detection and mitigation (WE4.10 hCaptcha)
hector.arroyo moved T424629: [epic] WE4.10.5 hCaptcha risk scores for blocked edit notices from Backlog to In progress on the Bot detection and mitigation (WE4.10 hCaptcha) board.
Fri, May 22, 3:52 PM · Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)), Epic, Bot detection and mitigation (WE4.10 hCaptcha)
hector.arroyo moved T424653: "⧼ooui-dialog-process-back⧽" on hCaptcha error page from Backlog to Done on the Bot detection and mitigation (WE4.10 hCaptcha) board.
Fri, May 22, 3:52 PM · MW-1.46-notes, MW-1.47-notes (1.47.0-wmf.1; 2026-05-05), OOUI, Product Safety and Integrity (Sprint Tulip (Apr 13 - May 1)), MobileFrontend, ConfirmEdit (CAPTCHA extension), Bot detection and mitigation (WE4.10 hCaptcha)
hector.arroyo moved T424216: hCaptcha: Set pat=off in hCaptcha secure-api.js URL settings from Backlog to Done on the Bot detection and mitigation (WE4.10 hCaptcha) board.
Fri, May 22, 3:51 PM · Product Safety and Integrity (Sprint Tulip (Apr 13 - May 1)), Bot detection and mitigation (WE4.10 hCaptcha)
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits