Topic on Talk:Phabricator/Help

Preventing simple vandalism on Phabricator

Summary by AKlapper (WMF)

Central general discussion place for this topic is https://phabricator.wikimedia.org/T84

Dcljr (talkcontribs)

As I type this, a user who just created their account moments ago is busy on Phabricator changing the names, priorities, assignees, subscribers, and "everything else" on dozens of existing tasks. It should not be so easy for worthless dimwits like this one to do all of this within seconds of creating an account there. Can't Phabricator have the kind of minimal safeguards that Wikimedia content wikis have (where edit rights are initially restricted and gradually accrue as one edits more)? Or is there such a system, but it's too permissive?

Dcljr (talkcontribs)

Oops. I misread the time signature on the account. It's been about 23 hours since it was created. Still…

Jeremyb-phone (talkcontribs)
Jeremyb-phone (talkcontribs)
Fayenatic london (talkcontribs)
Dcljr (talkcontribs)

The user was already marked as "Disabled" as the vandalism was still actively happening. As I was looking at that "User Details" page just before commenting here, it already said "Disabled" and yet dozens of acts of vandalism were still being done by the user. So, I'm not sure what "Disabled" even means in this context…

AKlapper (WMF) (talkcontribs)

That is not correct. If you have an example of a specific action (with a timestamp), please provide a test case.

Dcljr (talkcontribs)

Well, I know what I saw. As I sat there last night looking at the user's profile page, seeing the word "Disabled" right there, clear as day, I continued to see notifications pop up in the lower left corner, timestamped with the current time. And when I reloaded the homepage, I saw new items from that user in the Activity Feed.

If you're saying this is "not possible", then I can only assume it was due to server lag or something. As for evidence, you can see all the timestamps I can, and you presumably know more about how Phabricator works than I do, so you're in a better position to find evidence one way or the other.

The last action the user made at Phabricator was (as I see it, on the profile page) at "10:14 PM" (this would be America/Chicago timezone, which would make it 3:14am UTC). I was looking at the user's profile well before that: I opened this thread at 1:39am UTC, according to the page history here.

Dcljr (talkcontribs)

Yeah, it must be server lag (or notification lag, or whatever the appropriate term is): the purported final change made by the user, according to the Recent Activity on their profile page was timestamped "Sat, Jun 30, 10:14 PM" (again, in my local timezone), whereas the task page itself lists those changes as happening "Sat, Jun 30, 8:14 PM" (1:14 UTC). So there ya go.

Dcljr (talkcontribs)

And, BTW, the purported first changes are marked "Sat, Jun 30, 8:01 PM" (1:01 UTC).

AKlapper (WMF) (talkcontribs)

Notifications are indeed server lag. :)

I thought you were referring to actual changes in a task that you have seen.

AKlapper (WMF) (talkcontribs)

Thanks for reporting this. Admins are aware and working on reverting. For discussing potential safeguards, feel free to file a task in Phabricator about Phabricator.

Dcljr (talkcontribs)

Surely these are not the only two options (alluding to Jbp's comments): allow new users to do "everything" or not allow them to do anything until they are "approved" — at which point, they can presumably do "everything", so that seems like a highly problematic solution. (I will note, BTW, that this was an "LDAP User" — as opposed to a "MediaWiki User" — as seen in the link in Fl's comment. Does that mean this person had a developer account??)

As for filing a task (AK), I figured it was likely that anything I could file about this at Phabricator would be duplicating some previous task(s) where such matters had already been discussed. (After all, this is the second such vandalism "streak" I have noticed since I started watching a handful of projects earlier this year.)

My main purpose in posting this here wasn't notification (since there was basically no way my notice about the problem would get to anyone who could do anything about it before the direct evidence of the vandalism itself got to them), and it wasn't to suggest particular solutions (because I don't have the requisite knowledge for that); it was mainly to ask what the hell is going on: what safeguards are currently in place and why they are so ineffective against this kind of simple-minded vandalism? (Perhaps the fact that it was an LDAP account partially answers the latter question?)

That all being said, yes, someone who knows more about the actual workings of Phabricator (like maybe AKlapper?), please do file a task about adding better vandalism-fighting features to Phabricator, if that has not been done already.

Mainframe98 (talkcontribs)

Developer accounts are accounts those users can obtain by creating an account on wikitech.wikimedia.org. They aren't any more a developer than you or me.

For a task about anti-vandalism features on Phabricator, see T84.

AKlapper (WMF) (talkcontribs)
Deryck Chan (talkcontribs)

Progress report from the phab ticket: a bot is on the case. There are about 3000 tasks left to restore. Expected runtime is about 30 hours from now.

Dcljr (talkcontribs)

So the user makes 3,800 changes in about 2 hours (max — so they were obviously using a bot!), but a bot can't clean it up in less than a day and a half? That's insane…

ToBeFree (talkcontribs)

There had been no limit before; now there is a limit. For this reason (and because this isn't absolutely urgent), it will take some time to undo it. It would take the same time to vandalize again, preventing this from happening in such an insane dimension again.

Dcljr (talkcontribs)

Just correcting some info I gave above: all the user's edits apparently happened in about 13 minutes! (See comments about "lag" above.)

ToBeFree (talkcontribs)

^ moved above (indent)