Create Task
Maniphest T354730

Support creating items as not-logged-in user when TempAccounts is enabled
Closed, ResolvedPublic
Actions

Assigned To
Arian_Bozorg
Authored By
ArthurTaylor
Jan 10 2024, 9:40 AM
Tags
Referenced Files
F41752637: image.png
Feb 2 2024, 3:57 PM
F41717911: 2024-01-25_15-18-30.png
Jan 25 2024, 11:19 PM
F41717774: 2024-01-25_11-51-45.png
Jan 25 2024, 11:19 PM
F41717772: 2024-01-25_11-51-33.png
Jan 25 2024, 11:19 PM
F41717770: 2024-01-25_11-51-20.png
Jan 25 2024, 11:19 PM
F41710165: image.png
Jan 23 2024, 11:35 AM
F41697232: image.png
Jan 18 2024, 11:42 AM
F41663050: 2024-01-10-111452_1218x622_scrot.png
Jan 10 2024, 10:17 AM
View All 11 Files
Subscribers
Aklapper
Arian_Bozorg
ArthurTaylor
Bugreporter
Cparle
dcausse
GMikesell-WMF
View All 12 Subscribers

Description

TempAccounts is currently enabled on beta, and it should be possible to create a new item without logging in. But visiting Special:NewItem on Beta and filling out the form results in the following error message:

2024-01-10-103541_1206x474_scrot.png (474×1 px, 34 KB)

On a local development system, this results in a stacktrace:

2024-01-10-103703_1399x854_scrot.png (854×1 px, 317 KB)

The How it works document explains a bit more about the changes necessary. Essentially, for this and for any other action we have previously exposed to anonymous / IP Users, we need to explicitly add support for TemporaryUsers to avoid this error.

QA Results - Wikidata Beta

ACStatusDetails
1https://phabricator.wikimedia.org/T354730 here

Details

SubjectRepoBranchLines +/-
Use onTempUserCreatedRedirect hook in redirecting special pagesmediawiki/extensions/Wikibasemaster+104 -16
beta: Don’t prevent * from editing if IP masking enabledoperations/mediawiki-configmaster+1 -4
Add temporary user support to most API modulesmediawiki/extensions/Wikibasemaster+204 -1
Customize query in gerrit

Related Objects
Search...

Event Timeline

ArthurTaylor created this task.Jan 10 2024, 9:40 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 10 2024, 9:40 AM
ArthurTaylor added a parent task: T351968: Update Wikidata-related extensions for IP Masking.Jan 10 2024, 9:40 AM
Lydia_Pintscher added a comment.Jan 10 2024, 10:04 AM

We should also check if the same is the case for creating new Properties and Lexemes. I assume yes.

ArthurTaylor added a comment.EditedJan 10 2024, 10:17 AM

NewProperty fails with a clear permission error because the action is not enabled for anonymous users on beta. But that may not be the case for all installations - trying the same on a local development wiki creates the stack trace again.

2024-01-10-111526_915x192_scrot.png (192×915 px, 21 KB)

whereas NewLexeme fails with an alert:

2024-01-10-111452_1218x622_scrot.png (622×1 px, 107 KB)

Lydia_Pintscher added a comment.Jan 10 2024, 10:54 AM
In T354730#9449572, @ArthurTaylor wrote:

NewProperty fails with a clear permission error because the action is not enabled for anonymous users on beta. But that may not be the case for all installations - trying the same on a local development wiki creates the stack trace again.

2024-01-10-111526_915x192_scrot.png (192×915 px, 21 KB)

Thanks!
There could conceivably be Wikibase instances where Property creation is not restricted so we should probably check this still.

ArthurTaylor added a subscriber: Michael.EditedJan 15 2024, 7:19 AM

This may be related to T349130 - see also a WIP patch from @Tchanders https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Wikibase/+/966585/

ArthurTaylor added a subscriber: Tchanders.Jan 15 2024, 9:39 AM
karapayneWMDE moved this task from Incoming to Product Backlog on the Wikidata Dev Team board.Jan 16 2024, 3:15 PM
Arian_Bozorg moved this task from Product Backlog to Unified DOT Backlog on the Wikidata Dev Team board.Jan 17 2024, 11:52 AM
Lucas_Werkmeister_WMDE added subscribers: dcausse, Lucas_Werkmeister_WMDE.EditedJan 18 2024, 11:42 AM
In T354730#9458861, @ArthurTaylor wrote:

This may be related to T349130 - see also a WIP patch from @Tchanders https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Wikibase/+/966585/

That patch is now pretty far out of WIP (edit: I’ve now attached it to this task as well), and due to the way it’s implemented, it also seems to work for special pages even though it mostly focuses on the API:

image.png (321×1 px, 58 KB)

(There’s still an open question on the patch that I’d like feedback from @dcausse or someone else on.)

gerritbot added a comment.Jan 18 2024, 11:43 AM

Change 966585 had a related patch set uploaded (by Lucas Werkmeister (WMDE); author: Tchanders):

[mediawiki/extensions/Wikibase@master] Add temporary user support to most API modules

https://gerrit.wikimedia.org/r/966585

gerritbot added a project: Patch-For-Review.Jan 18 2024, 11:43 AM
Lucas_Werkmeister_WMDE edited projects, added Wikidata Dev Team (Wikidata.org Slice); removed Wikidata Dev Team.Jan 19 2024, 1:04 PM

Picking this up into our “sprint” board, since I’ve already been working on it for the past few days. I think we’re pretty close to a mergeable version. (Note that this will not cover all API actions – merging / redirects will need a bit more work.)

Lucas_Werkmeister_WMDE claimed this task.Jan 19 2024, 1:04 PM
Lucas_Werkmeister_WMDE moved this task from In Task Breakdown to In Development on the Wikidata Dev Team (Wikidata.org Slice) board.
Maintenance_bot moved this task from Incoming to Ongoing on the wmde-wikidata-tech board.Jan 19 2024, 1:29 PM
Lucas_Werkmeister_WMDE removed Lucas_Werkmeister_WMDE as the assignee of this task.Jan 22 2024, 11:05 AM
Lucas_Werkmeister_WMDE moved this task from In Development to Ready for Peer Review on the Wikidata Dev Team (Wikidata.org Slice) board.
gerritbot added a comment.Jan 22 2024, 4:29 PM

Change 966585 merged by jenkins-bot:

[mediawiki/extensions/Wikibase@master] Add temporary user support to most API modules

https://gerrit.wikimedia.org/r/966585

Maintenance_bot removed a project: Patch-For-Review.Jan 22 2024, 4:30 PM
kostajh added a project: Trust and Safety Product Sprint (Sprint Northumbrian smallpipes (8th Jan.‘24 - 19th Jan.'24)).Jan 22 2024, 4:33 PM
kostajh moved this task from Priority Backlog to Needs QA on the Trust and Safety Product Sprint (Sprint Northumbrian smallpipes (8th Jan.‘24 - 19th Jan.'24)) board.
ReleaseTaggerBot added a project: MW-1.42-notes (1.42.0-wmf.15; 2024-01-23).Jan 22 2024, 5:00 PM
Lucas_Werkmeister_WMDE added a comment.Jan 23 2024, 11:35 AM

The Gerrit changes got merged, but it’s still not working:

image.png (680×1 px, 75 KB)

The action you have requested is limited to users in one of the groups: Users, Temporary users.
Permission error

I think this is because the Beta config is outdated and hasn’t been updated for the recent-ish(?) change where we still expect $wgGroupPermissions['*']['edit'] to be true.

gerritbot added a comment.Jan 23 2024, 11:43 AM

Change 992400 had a related patch set uploaded (by Lucas Werkmeister (WMDE); author: Lucas Werkmeister (WMDE)):

[operations/mediawiki-config@master] beta: Don’t prevent * from editing if IP masking enabled

https://gerrit.wikimedia.org/r/992400

gerritbot added a project: Patch-For-Review.Jan 23 2024, 11:43 AM
gerritbot added a comment.Jan 23 2024, 2:19 PM

Change 992400 merged by jenkins-bot:

[operations/mediawiki-config@master] beta: Don’t prevent * from editing if IP masking enabled

https://gerrit.wikimedia.org/r/992400

Maintenance_bot removed a project: Patch-For-Review.Jan 23 2024, 2:30 PM
Lucas_Werkmeister_WMDE added a comment.Jan 23 2024, 4:13 PM

Now it’s working: https://wikidata.beta.wmflabs.org/w/index.php?title=Q627069&diff=prev&oldid=1355299&title=Q627069&diffonly=1

hoo moved this task from Ready for Peer Review to Ready for Tech Verification on the Wikidata Dev Team (Wikidata.org Slice) board.Jan 23 2024, 6:19 PM
GMikesell-WMF subscribed.Jan 25 2024, 11:19 PM

I was able to create an item in Special:NewItem with a temp user as seen as below. All browsers had similar results. This will be moved to Done. Thanks for all your work!

Status: ✅PASS
Environment: Wikidata Beta
OS: macOS Sonoma 14.2.1
Browser: Chrome 120, Firefox 121, Safari 17.2, Edge 120
Skins. Vector 2022
Device: MBA M2
Emulated Device:: n/a
Test Links:
Chrome: https://wikidata.beta.wmflabs.org/wiki/Q627105
Firefox: https://wikidata.beta.wmflabs.org/wiki/Q627104
Edge: https://wikidata.beta.wmflabs.org/wiki/Q627103
Safari: https://wikidata.beta.wmflabs.org/wiki/Q627102

✅AC1: https://phabricator.wikimedia.org/T354730

Create ItemWikiDataView HistoryComparison
2024-01-25_11-51-20.png (844×3 px, 325 KB)
2024-01-25_11-51-33.png (1×3 px, 398 KB)
2024-01-25_11-51-45.png (664×3 px, 322 KB)
2024-01-25_15-18-30.png (685×3 px, 192 KB)
GMikesell-WMF updated the task description. (Show Details)Jan 25 2024, 11:20 PM
GMikesell-WMF moved this task from Needs QA to Done on the Trust and Safety Product Sprint (Sprint Northumbrian smallpipes (8th Jan.‘24 - 19th Jan.'24)) board.
Tchanders removed a project: Trust and Safety Product Sprint (Sprint Northumbrian smallpipes (8th Jan.‘24 - 19th Jan.'24)).Jan 30 2024, 4:53 PM
Lucas_Werkmeister_WMDE mentioned this in T355074: Check if client Wikidata Bridge leaks IP on the repo of the edited Item.Jan 31 2024, 10:35 AM
ArthurTaylor moved this task from Ready for Tech Verification to Product Verification on the Wikidata Dev Team (Wikidata.org Slice) board.Feb 1 2024, 11:53 AM

Is a Product-reproducible issue - let's have Product verify it.

Arian_Bozorg closed this task as Resolved.Feb 2 2024, 12:02 AM
Arian_Bozorg claimed this task.
Arian_Bozorg moved this task from Product Verification to Done on the Wikidata Dev Team (Wikidata.org Slice) board.

This is all working for me, thanks so much!

Lucas_Werkmeister_WMDE reopened this task as Open.EditedFeb 2 2024, 3:57 PM
Lucas_Werkmeister_WMDE added subscribers: Cparle, Tgr.

I’m afraid we have to reopen this (and other IP Masking tasks in Wikibase aren’t as done as we thought they were either). During discussions with @Tgr, @Tchanders and @Cparle in Slack, it turned out that we should redirect the user to the central login wiki (based on the TempUserCreatedRedirect hook, which CentralAuth interacts with) to ensure they’re centrally logged in as well.

For Special:NewItem and other special pages that already redirect the user on success, that should be straightforward enough – we just call the hook and adjust the redirect target accordingly. (The hook can be configured such that the resulting URL redirects to the title that we were going to redirect to anyways.) For special pages that don’t redirect the user on success (such as Special:RedirectEntity, T356149), we’ll have to add a new “success” state that the redirect URL can return back to (the page that shows “Q1 was redirected to Q2”), but that should be doable.

For interactive edits using the API, I’m not even sure what the UX should be. Suppose an anonymous user has started to edit a bunch of data on an item:

image.png (1×1 px, 267 KB)

Now they click one of the “publish” buttons, the API makes an edit, and returns a URL that we should redirect to. What do we do?

I think the options we have are:

  1. Redirect the user to that URL immediately.
    1. Just throw away the other edits they made prepared.
    2. Stash the other edits in the returntoquery and/or returntoanchor of the redirect URL, and hope it fits there (URLs have length limits after all).
    3. Stash the other edits server-side, and put some kind of identifier for that stash into the returntoquery and/or returntoanchor. But now we have to worry where that stash is stored server-side, when it expires, how to protect it against vandalism…
    4. Stash the other edits client-side (localStorage or similar).
  2. Wait until the other edits are done, then redirect the user. As far as I understand the purpose of the redirect, that should be fine-ish – it’s only needed for logging in on other wikis, additional edits on the same wiki should already use the temporary account anyway. But there’s a risk that the user will close the tab before finishing all the edits, and then the redirect never happens.
  3. Prevent the user from editing more than one thing at a time (if they’re not logged in), by disabling other “edit” buttons or similar.
  4. Don’t redirect at all. In that case, “your temp user identity will be irrecoverably limited to that single wiki” (@Tgr).

(For the record, I don’t think all of these solutions are realistic – they’re just theoretic options I can think of. 1.A and 5 are by far the easiest, and I have a feeling they’re almost the only realistic options if we don’t want to block IP Masking for longer than we’d like to. But it’s possible I’m being too pessimistic about how difficult the other options are to implement in the Wikibase UI.)

Bugreporter subscribed.Feb 2 2024, 4:07 PM

An alternative: Redirect user to login wiki when the user click edit, so user will have a temporary account when they are in the edit mode. Though (1) this will results in temporatry accounts with zero global activity and (2) this does not handle users who lost a session in edit mode.

Tchanders added a comment.Feb 2 2024, 4:10 PM

Don’t redirect at all. In that case, “your temp user identity will be irrecoverably limited to that single wiki” (@Tgr).

I suspect this won't be popular for attribution and patrolling purposes, and it's not something we're recommending elsewhere.

I realise your team will want to figure this out, but for what it's worth, 1D sounds sensible to me:

Stash the other edits client-side (localStorage or similar).

I believe Editing-team and Community-Tech have done some work on autosave, in case it would be helpful to speak to them.

Tgr added a comment.Feb 2 2024, 5:08 PM

But there’s a risk that the user will close the tab before finishing all the edits, and then the redirect never happens.

Maybe we could build some way of tracking whether the session has been "merged" into a central session, and force a central login at the next opportunity if that isn't the case. Though it wouldn't help if they close the tab and then go to another wiki next. Also the way CentralAuth works, the "remember me" flag (which makes logins expire after a year, instead of after a day) is only set during central login - I'm not quite sure if that's the case for temp users, who are logged in locally in a special way, but we should check. If it does affect temp users then the UI messaging about the temp account after the edit will be very misleading.

Tgr added a comment.Feb 2 2024, 5:10 PM

There is also a chance that T348388: Use central login wiki for login (SUL3) will find a way to make central login in the background work, and then this would become a non-issue. I wouldn't bet on it though.

gerritbot added a comment.Feb 2 2024, 5:29 PM

Change 995260 had a related patch set uploaded (by Lucas Werkmeister (WMDE); author: Lucas Werkmeister (WMDE)):

[mediawiki/extensions/Wikibase@master] Use onTempUserCreatedRedirect hook in redirecting special pages

https://gerrit.wikimedia.org/r/995260

gerritbot added a project: Patch-For-Review.Feb 2 2024, 5:29 PM
Lucas_Werkmeister_WMDE added a comment.EditedFeb 6 2024, 11:32 AM
In T354730#9509749, @Lucas_Werkmeister_WMDE wrote:

For interactive edits using the API, I’m not even sure what the UX should be.

@Lydia_Pintscher, @ArthurTaylor and I discussed this situation now. Lydia said that, for new visitors who have never edited before, the situation of editing several data entries on the item at once should be quite uncommon; Arthur also pointed out that we can always add disabling other edit buttons later if we want. So we decided that:

  • For normal edits (mainly statements), just redirect away after the API request. (Option 1A above.) In practice, it should be quite rare for this to result in data loss.
    • If we get enough complaints, or otherwise see the need, we can later disable edit buttons for anonymous users after they start their first edit (Option 3 above). We also discovered that DiscussionTools does this even for logged-in users and regardless of IP Masking status – but we know that our power users would object if we did it for everyone.
  • For the legacy termbox, which makes a bunch of edits in rapid succession after clicking a single “save” button, redirect away after all those edits are done. (This is basically option 2 above, but with the difference that we’re not waiting for an indefinite amount of time until the user is done – we just wait until we’re done making all our API requests.)
  • The new mobile termbox (aka Termbox v2 and other names) makes a single edit, so we can redirect away just like for normal edits.
  • Option 4, not redirecting at all, is rejected, at least for code we’re responsible for. (WikibaseMediaInfo currently chooses this path, but should probably use one of the other options.)
Lucas_Werkmeister_WMDE mentioned this in T357020: [DOT] Perform necessary redirects after creating temporary account in Wikidata-related extensions.Feb 8 2024, 4:13 PM
gerritbot added a comment.Feb 8 2024, 5:03 PM

Change 995260 merged by jenkins-bot:

[mediawiki/extensions/Wikibase@master] Use onTempUserCreatedRedirect hook in redirecting special pages

https://gerrit.wikimedia.org/r/995260

Maintenance_bot removed a project: Patch-For-Review.Feb 8 2024, 5:31 PM
ReleaseTaggerBot edited projects, added MW-1.42-notes (1.42.0-wmf.18; 2024-02-13); removed MW-1.42-notes (1.42.0-wmf.15; 2024-01-23).Feb 8 2024, 6:00 PM
Lucas_Werkmeister_WMDE mentioned this in T357120: [DOT] Make Wikibase View editing interface redirect user for CentralAuth after edit creates temporary account.Feb 9 2024, 11:57 AM
Michael mentioned this in T344984: [REPO][CLIENT][SW] Wikibase: Fire postEdit hook after making an edit.Feb 13 2024, 1:17 PM
Arian_Bozorg closed this task as Resolved.Mar 5 2024, 4:52 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits