Page MenuHomePhabricator
Create Task
Maniphest T427335

hCaptcha DiscussionTools: hCaptcha token reused if AbuseFilter denies the edit
Closed, ResolvedPublicBUG REPORT
Actions

Description

Summary

The DiscussionTools integration with hCaptcha submits a hCaptcha response token alongside the API request. If this API request fails because an AbuseFilter denies the edit, the next attempt to save the edit will fail because a new hCaptcha token is not generated

Steps to reproduce

  1. Open the DiscussionTools editor with a user who lacks the skipcaptcha right
  2. Write a comment which should trigger an AbuseFilter to deny the edit (on testwiki writing the abuse filter will block this will do this)
  3. Press save changes
  4. Press save changes again

image.png (1,104×419 px, 61 KB)

Acceptance criteria

  • The hCaptcha response token is not used in the DiscussionTools handler for more than one request, and so is regenerated for each edit attempt

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
ReplyWidget: Update CAPTCHA for all failed editsmediawiki/extensions/DiscussionToolsmaster+114 -29
CaptchaWidget: Rename updateForCaptchaFailure to updateForFailuremediawiki/extensions/ConfirmEditmaster+139 -29
Customize query in gerrit

Related Objects

Event Timeline

Dreamy_Jazz created this task.Tue, May 26, 10:18 PM
Restricted Application added a project: Product Safety and Integrity. · View Herald TranscriptTue, May 26, 10:18 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Dreamy_Jazz edited projects, added: Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)); removed: Product Safety and Integrity.Tue, May 26, 10:18 PM
Dreamy_Jazz moved this task from Backlog to Ready on the Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)) board.
Dreamy_Jazz claimed this task.Wed, May 27, 12:52 PM
gerritbot added a comment.Wed, May 27, 1:50 PM

Change #1294295 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/ConfirmEdit@master] CaptchaWidget: Rename updateForCaptchaFailure to updateForFailure

https://gerrit.wikimedia.org/r/1294295

gerritbot added a project: Patch-For-Review.Wed, May 27, 1:50 PM
MPostoronca-WMF claimed this task.Wed, May 27, 2:20 PM
MPostoronca-WMF moved this task from Ready to In progress on the Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)) board.
Dreamy_Jazz claimed this task.Wed, May 27, 2:44 PM
Dreamy_Jazz added a subscriber: MPostoronca-WMF.
MPostoronca-WMF moved this task from In progress to Ready on the Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)) board.Wed, May 27, 2:50 PM
gerritbot added a comment.Wed, May 27, 6:43 PM

Change #1294379 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/DiscussionTools@master] ReplyWidget: Update CAPTCHA for all failed edits

https://gerrit.wikimedia.org/r/1294379

Dreamy_Jazz moved this task from Ready to Needs review on the Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)) board.Wed, May 27, 9:45 PM
gerritbot added a comment.Thu, May 28, 9:46 AM

Change #1294295 merged by jenkins-bot:

[mediawiki/extensions/ConfirmEdit@master] CaptchaWidget: Rename updateForCaptchaFailure to updateForFailure

https://gerrit.wikimedia.org/r/1294295

gerritbot added a comment.Thu, May 28, 6:23 PM

Change #1294379 merged by jenkins-bot:

[mediawiki/extensions/DiscussionTools@master] ReplyWidget: Update CAPTCHA for all failed edits

https://gerrit.wikimedia.org/r/1294379

Maintenance_bot removed a project: Patch-For-Review.Thu, May 28, 6:30 PM
Dreamy_Jazz moved this task from Needs review to QA in Prod on the Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)) board.Thu, May 28, 6:32 PM
dom_walden moved this task from QA in Prod to Done on the Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)) board.Mon, Jun 1, 12:58 PM
dom_walden subscribed.

On testwiki without these fixes:

  1. Open a DT reply or new topic
  2. Make trigger AF disallow consequence by writing disallow in edit summary
  3. See warning from AF that I have triggered a filter
  4. Remove disallow from edit summary so AF is not triggered
  5. Attempt to submit reply: unsuccessful
  6. Attempt to submit reply again: successful

On my local wiki with these fixes:

  1. Open a DT reply or new topic
  2. Make trigger AF disallow consequence by writing disallow in edit summary
  3. See warning from AF that I have triggered a filter
  4. Remove disallow from edit summary so AF is not triggered
  5. Attempt to submit reply: successful
Dreamy_Jazz closed this task as Resolved.EditedTue, Jun 2, 10:09 AM

Thanks, regarding step 5 on testwiki this seems like a bug but we are currently improving the flow such that an AbuseFilter CAPTCHA should automatically resubmit in T426476: DiscussionTools hCaptcha: When user encounters AbuseFilter hCaptcha challenge no indication is shown they need to resubmit their edit

If it isn't improved by that ticket, we can always revisit it

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits