Add hook to ConfirmAccount to filter out requests

We recently upgraded our wiki and it is being spammed now with account requests that include a URL. We'd like to filter out those requests. Bug: T379300 Change-Id: I4fad0888a219810606d1654bbeb7d7573b218d54
wikimedia · Jan 17, 2025 · 6efc92b · 6efc92b
1 parent 13cf1cd
commit 6efc92b
Show file tree

Hide file tree

Showing 8 changed files with 133 additions and 30 deletions.
diff --git a/.editorconfig b/.editorconfig
@@ -0,0 +1,20 @@
+root = true
+
+[*]
+indent_style = tab
+indent_size = tab
+tab_width = 4
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true
+
+# Ensure text editors don't turn leading spaces into tabs,
+# e.g. in multi-line bullet list items
+[*.md]
+indent_style = space
+indent_size = 2
+
+[.git/**]
+indent_style = space
+indent_size = 2
diff --git a/extension.json b/extension.json
@@ -57,6 +57,9 @@
 	"ExtensionMessagesFiles": {
 		"ConfirmAccountAliases": "ConfirmAccount.alias.php"
 	},
+	"AutoloadNamespaces": {
+		"MediaWiki\\Extension\\ConfirmAccount\\": "src/"
+	},
 	"AutoloadClasses": {
 		"ConfirmAccountHooks": "includes/ConfirmAccountHooks.php",
 		"ConfirmAccountUIHooks": "includes/frontend/ConfirmAccountUI.hooks.php",

diff --git a/includes/backend/UserAccountRequest.php b/includes/backend/UserAccountRequest.php
@@ -49,8 +49,8 @@ public static function newFromRow( $row ) {
 		$req->notes = $row->acr_notes;
 		$req->urls = $row->acr_urls;
 		$req->type = (int)$row->acr_type;
-		$req->areas = self::expandAreas( $row->acr_areas );
-		$req->fileName = strlen( $row->acr_filename )
+		$req->areas = self::expandAreas( $row->acr_areas ?? '' );
+		$req->fileName = strlen( $row->acr_filename ?? '' )
 			? $row->acr_filename
 			: null;
 		$req->fileStorageKey = $row->acr_storage_key;
@@ -87,37 +87,25 @@ public static function newFromArray( array $fields ) {
 		$req->notes = $fields['notes'];
 		$req->urls = $fields['urls'];
 		$req->type = (int)$fields['type'];
-		$req->areas = is_string( $fields['areas'] )
-			? self::expandAreas( $fields['areas'] ) // DB format
+		$req->areas = is_string( $fields['areas'] ?? '' )
+			? self::expandAreas( $fields['areas'] ?? '' ) // DB format
 			: $fields['areas']; // already expanded
-		$req->fileName = strlen( $fields['filename'] )
+		$req->fileName = strlen( $fields['filename'] ?? '' )
 			? $fields['filename']
 			: null;
-		$req->fileStorageKey = $fields['storage_key'];
-		$req->ip = $fields['ip'];
-		$req->xff = $fields['xff'];
-		$req->agent = $fields['agent'];
-		$req->emailToken = $fields['email_token']; // MD5 of token
-		$req->emailTokenExpires = wfTimestampOrNull( TS_MW, $fields['email_token_expires'] );
+		$req->fileStorageKey = $fields['storage_key'] ?? '';
+		$req->ip = $fields['ip'] ?? '';
+		$req->xff = $fields['xff'] ?? '';
+		$req->agent = $fields['agent'] ?? '';
+		$req->emailToken = $fields['email_token'] ?? ''; // MD5 of token
+		$req->emailTokenExpires = wfTimestampOrNull( TS_MW, $fields['email_token_expires'] ?? '' );
 		// These fields are typically left to default on insertion...
-		$req->emailAuthTimestamp = isset( $fields['email_authenticated'] )
-			? wfTimestampOrNull( TS_MW, $fields['email_authenticated'] )
-			: null;
-		$req->deleted = isset( $fields['deleted'] )
-			? $fields['deleted']
-			: false;
-		$req->rejectedTimestamp = isset( $fields['rejected'] )
-			? wfTimestampOrNull( TS_MW, $fields['rejected'] )
-			: null;
-		$req->heldTimestamp = isset( $fields['held'] )
-			? wfTimestampOrNull( TS_MW, $fields['held'] )
-			: null;
-		$req->user = isset( $fields['user'] )
-			? (int)$fields['user']
-			: 0;
-		$req->comment = isset( $fields['comment'] )
-			? $fields['comment']
-			: '';
+		$req->emailAuthTimestamp = wfTimestampOrNull( TS_MW, $fields['email_authenticated'] ?? null );
+		$req->deleted = $fields['deleted'] ?? false;
+		$req->rejectedTimestamp = wfTimestampOrNull( TS_MW, $fields['rejected'] ?? null );
+		$req->heldTimestamp = wfTimestampOrNull( TS_MW, $fields['held'] ?? null );
+		$req->user = (int)( $fields['user'] ?? 0 );
+		$req->comment = $fields['comment'] ?? '';
 
 		return $req;
 	}

diff --git a/includes/business/AccountRequestSubmission.php b/includes/business/AccountRequestSubmission.php
@@ -1,10 +1,13 @@
 <?php
 
+use MediaWiki\Extension\ConfirmAccount\HookRunner;
 use MediaWiki\MediaWikiServices;
 
 class AccountRequestSubmission {
 	/* User making the request */
 	protected $requester;
+	/* Copy of the parameters for the hook */
+	protected $params;
 	/* Desired name and fields filled from form */
 	protected $userName;
 	protected $realName;
@@ -29,6 +32,7 @@ class AccountRequestSubmission {
 
 	public function __construct( User $requester, array $params ) {
 		$this->requester = $requester;
+		$this->params = $params;
 		$this->userName = trim( $params['userName'] );
 		$this->realName = trim( $params['realName'] );
 		$this->tosAccepted = $params['tosAccepted'];
@@ -232,6 +236,14 @@ public function submit( IContextSource $context ) {
 					$context->msg( 'filecopyerror', $this->attachmentTempPath, $pathRel )->escaped() ];
 			}
 		}
+
+		$hookRunner = new HookRunner( MediaWikiServices::getInstance()->getHookContainer() );
+		$message = "";
+		if ( $hookRunner->onConfirmAccount__checkRequest( $u, $this->params, $message ) === false ) {
+			$dbw->cancelAtomic( __METHOD__ );
+			return [ 'acct_request_check_request_error', $message ];
+		}
+
 		$expires = null; // passed by reference
 		$token = ConfirmAccount::getConfirmationToken( $u, $expires );
 

diff --git a/includes/frontend/specialpages/actions/ConfirmAccount_body.php b/includes/frontend/specialpages/actions/ConfirmAccount_body.php
@@ -516,7 +516,7 @@ protected function showAccountConfirmForm( $msg = '' ) {
 		$form .= "<div id='wpComment'><p>" . $this->msg( 'confirmaccount-reason' )->escaped() . "</p>\n";
 		$form .= "<p>
 		<textarea name='wpReason' id='wpReason' rows='3' cols='80' style='width:80%; display=block;'>" .
-			htmlspecialchars( $this->reason ) . "</textarea></p></div>\n";
+			htmlspecialchars( $this->reason ?? '' ) . "</textarea></p></div>\n";
 		$form .= "<p>" . Xml::submitButton( $this->msg( 'confirmaccount-submit' )->text() ) . "</p>\n";
 		$form .= '</fieldset>';
 

diff --git a/includes/frontend/specialpages/actions/ConfirmAccountsPager.php b/includes/frontend/specialpages/actions/ConfirmAccountsPager.php
@@ -5,6 +5,7 @@
  */
 class ConfirmAccountsPager extends ReverseChronologicalPager {
 	public $mForm, $mConds;
+	public $rejects, $stale;
 
 	function __construct(
 		$form, $conds, $type, $rejects = false, $showHeld = false, $showStale = false

diff --git a/src/ConfirmAccount__checkRequestHook.php b/src/ConfirmAccount__checkRequestHook.php
@@ -0,0 +1,34 @@
+<?php
+
+/**
+ * Copyright (C) 2024  NicheWork, LLC
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ * @author Mark A. Hershberger <[email protected]>
+ */
+
+namespace MediaWiki\Extension\ConfirmAccount;
+
+use MediaWiki\User\User;
+
+// phpcs:disable Squiz.Classes.ValidClassName.NotCamelCaps
+interface ConfirmAccount__checkRequestHook {
+    // phpcs:ignore MediaWiki.NamingConventions.LowerCamelFunctionsName.FunctionName
+	public function onConfirmAccount__checkRequest(
+		User $user,
+		array $params,
+		string &$message
+	): ?bool;
+}
diff --git a/src/HookRunner.php b/src/HookRunner.php
@@ -0,0 +1,45 @@
+<?php
+
+/**
+ * Copyright (C) 2024  NicheWork, LLC
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ * @author Mark A. Hershberger <[email protected]>
+ */
+
+namespace MediaWiki\Extension\ConfirmAccount;
+
+use MediaWiki\HookContainer\HookContainer;
+use MediaWiki\User\User;
+
+class HookRunner implements ConfirmAccount__checkRequestHook {
+	private HookContainer $container;
+
+	public function __construct( HookContainer $container ) {
+		$this->container = $container;
+	}
+
+    // phpcs:ignore MediaWiki.NamingConventions.LowerCamelFunctionsName.FunctionName
+	public function onConfirmAccount__checkRequest(
+		User $user,
+		array $params,
+		string &$message
+	): ?bool {
+		return $this->container->run(
+			'ConfirmAccount::checkRequest',
+			[ $user, $params, &$message ]
+		);
+	}
+}