Ok, I've redone the whole shebang, hoping this'll pass muster. If not, I
can do a larger refactor of the whole ConfirmEdit extension, maybe make a
fresh one and introduce better machine-readable hook points into the API
and form.
But I hope this'll do for now. :)
> MediaWiki core: https://gerrit.wikimedia.org/r/53793
> ConfirmEdit ext: https://gerrit.wikimedia.org/r/53794
>
> test rig: https://github.com/brion/mw-createaccount-test
Major changes from previous approach:
* instead of falling through if in API mode (dangerous if using the new
extension on old core), we check the captcha in the same consistent place
in a hook from LoginForm.
* We add a fairly generic hook that allows extensions to add return data
via the createaccount API if they threw an abort instead of sending a
generic error. This is used to append the captcha data.
* We return result='needcaptcha' explicitly if we need to pass a captcha
* Captcha data is not available until after you have a token, so this
requires making two requests if you want to show a captcha before prompting
for username/password.
If y'all would prefer totally fresh interfaces with a consistent
machine-readable API... I can do that too, but it'd be spiffy if we could
do the less invasive change first. :)
-- brion
On Mon, Mar 25, 2013 at 1:38 AM, S Page <spage(a)wikimedia.org> wrote:
> On Thu, Mar 14, 2013 at 3:55 PM, Brion Vibber <bvibber(a)wikimedia.org>
> wrote:
>
> > MediaWiki core: https://gerrit.wikimedia.org/r/53793
> > ConfirmEdit ext: https://gerrit.wikimedia.org/r/53794
> >
> > So far I've tested it with the default 'math captcha' mode, with this
> > test rig: https://github.com/brion/mw-createaccount-test
>
> This is great to see.
>
> Using your test rig or Special:APISandbox, the API return warns about
> "Unrecognized parameters: 'wpCaptchaId', 'wpCaptchaWord'" when I get
> the captcha wrong.
>
> It seems if the user gets the captcha wrong, there's no explicit
> indication like captcha-createaccount-fail ('Incorrect or missing
> confirmation code.'). Instead the API reports a generic Failure
> result, and the UI presents a new captcha.
>
> ConfirmEdit has a getMessage() to provide action-specific text like
> fancycaptcha-createaccount. Perhaps the API should pass that back as
> well. Otherwise the UI has to know the details of the captcha in use
> so it can get a message for it.
>
> The current CreateAccount form submission to Special:UserLogin reports
> many form errors like username exists, password wrong, etc. before it
> runs the AbortNewAccount hook where ConfirmEdit checks the captcha.
> But APICreateAccount runs the APICreateAccountBeforeCreate hook early,
> before it dummies up a login form and calls the same validation. So
> users will go through the frustration of getting the captcha right
> before being told their username isn't available or their password
> isn't long enough.
>
> There's also the weirdness that ApiCreateAccount winds up checking the
> CAPTCHA twice. AIUI, here's the program flow:
>
> ApiCreateAccount()
>     Runs APICreateAccountBeforeCreate hook (captcha may abort)
>     Creates a login form and calls $loginForm->addNewaccountInternal();
>     addNewaccountInternal():
>         Does a bunch of form validation
>         Runs AbortNewAccount hook (captcha may abort, also
>         TitleBlacklist, AntiSpoof, etc. may abort)
>
> If ApiCreateAccount() could tell there was a captcha failure within
> addNewaccountInternal and could ask the captcha to addCaptchaAPI() to
> the result, then we wouldn't need the new APICreateAccountBeforeCreate
> hook.
>
> It would be nice if captcha was always checked on its own hook instead
> of sharing a hook with other extensions. That would let a future
> validation API run the username past TitleBlacklist and AntiSpoof
> without getting shot down by the captcha.
>
> Cheers,
> --
> =S Page software engineer on E3
>
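
Added example, not part of the thread and not MediaWiki or ConfirmEdit code: a small Python model of two points from the message above. It shows why skipping the captcha check in API mode fails open on a core that never runs the API-side hook, and how checking in one place after form validation changes which error the user sees first. Function names, error strings, sample data and the password minimum are assumptions.

```python
# Added model, not MediaWiki or ConfirmEdit code. All names are hypothetical.
TAKEN = {"Alice"}                       # constructed sample data
CAPTCHA = {"id": "c1", "word": "7"}     # constructed challenge and answer
NEEDCAPTCHA = {"result": "needcaptcha", "captcha": {"id": CAPTCHA["id"]}}

def captcha_passes(req):
    return (req.get("wpCaptchaId") == CAPTCHA["id"]
            and req.get("wpCaptchaWord") == CAPTCHA["word"])

def validate_form(req):
    """Stand-in for the form validation in addNewaccountInternal()."""
    if req["name"] in TAKEN:
        return "userexists"
    if len(req["password"]) < 8:        # assumed minimum length
        return "passwordtooshort"
    return None

def hook_fallthrough(req):
    """Earlier design: in API mode, assume the API-side hook already checked."""
    return True if req["api"] else captcha_passes(req)

def hook_consistent(req):
    """Redone design: always check here, whatever the entry point."""
    return captcha_passes(req)

def create_account(req, login_hook, api_pre_hook=None):
    # api_pre_hook=None models an old core that never runs the API-side hook.
    if req["api"] and api_pre_hook and not api_pre_hook(req):
        return NEEDCAPTCHA              # captcha judged before the form is
    error = validate_form(req)
    if error:
        return {"result": error}
    if not login_hook(req):
        return NEEDCAPTCHA
    return {"result": "success"}

def scenarios():
    no_captcha = {"api": True, "name": "Bob", "password": "correct horse"}
    taken = {"api": True, "name": "Alice", "password": "correct horse"}
    solved = dict(no_captcha, wpCaptchaId="c1", wpCaptchaWord="7")
    return {
        "fallthrough_old_core": create_account(no_captcha, hook_fallthrough)["result"],
        "consistent_old_core": create_account(no_captcha, hook_consistent)["result"],
        "early_hook_order": create_account(taken, hook_fallthrough, captcha_passes)["result"],
        "late_hook_order": create_account(taken, hook_consistent)["result"],
        "solved": create_account(solved, hook_consistent)["result"],
    }
```
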
Prabhavathi, if you write about your project to the Wikimedia
researchers' mailing list
https://lists.wikimedia.org/mailman/listinfo/wiki-research-l and check
out the resources available at
https://meta.wikimedia.org/wiki/Research:Index , especially
https://en.wikipedia.org/wiki/Wikipedia:Ethically_researching_Wikipedia
, you might find more help. I hope you are able to add to the important
body of research around Wikipedia users' behavior while still respecting
the community you're engaging with. (By the way, did you already check
with your advisor to see whether you need an IRB okay for this?
http://cphs.berkeley.edu/ )
best,
Sumana Harihareswara
UC Berkeley class of 2002
--
Sumana Harihareswara
Engineering Community Manager
Wikimedia Foundation
> Date: Sun, 7 Apr 2013 23:20:34 -0700
> From: Prabhavathi Matta <prabha.matta(a)gmail.com>
> To: mediawiki-api(a)lists.wikimedia.org
> Subject: [Mediawiki-api] Problem with generating email tokens
> Message-ID:
> <CAPe0CmRbs2z1uCPgD5xhEazs3zs6KKOCw-6xveR9=vCn768sMA(a)mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi,
>
> I am working on a UC Berkeley research project to analyze Wikipedia users'
> behaviour. As a part of the project, I am developing an application which
> sends a survey to a random sample of recent users. I am using mwclient code
> to send emails through the API. After testing around 3-4 times, the email
> tokens are not getting generated anymore. I tried to send mails from a
> different login user. It still gives the same error.
>
> When I tried to send email from the website
> http://en.wikipedia.org/wiki/Special:EmailUser, it says, "As an anti-spam
> measure, you are limited from performing this action too many times in a
> short space of time, and you have exceeded this limit. Please try again in
> a few minutes." It has been 8 hours since and I still get the same message.
>
> Does this mean I exceeded the limit for my IP address or for that user? When
> I googled it, the rate limit seems to be about 1000 API calls. I have sent
> mails only to 3-4 test users for 5 times maximum.
>
> Which is a better way of sending emails to Wikipedia users - Toolserver or
> Wikimedia API? How should I handle sending bulk emails (about 100) without
> getting the "throttled message"?
>
> Please help.
>
> Thanks,
> Prabha
> UC Berkeley
Hi,
I am working on a UC Berkeley research project to analyze Wikipedia users'
behaviour. As a part of the project, I am developing an application which
sends a survey to a random sample of recent users. I am using mwclient code
to send emails through the API. After testing around 3-4 times, the email
tokens are not getting generated anymore. I tried to send mails from a
different login user. It still gives the same error.
When I tried to send email from the website
http://en.wikipedia.org/wiki/Special:EmailUser, it says, "As an anti-spam
measure, you are limited from performing this action too many times in a
short space of time, and you have exceeded this limit. Please try again in
a few minutes." It has been 8 hours since and I still get the same message.
Does this mean I exceeded the limit for my IP address or for that user? When
I googled it, the rate limit seems to be about 1000 API calls. I have sent
mails only to 3-4 test users for 5 times maximum.
Which is a better way of sending emails to Wikipedia users - Toolserver or
Wikimedia API? How should I handle sending bulk emails (about 100) without
getting the "throttled message"?
Please help.
Thanks,
Prabha
UC Berkeley