Wikipedia:Bots/Requests for approval/Matthewrbot
- The following discussion is an archived debate. Please do not modify it. To request review of this BRFA, please start a new section at WT:BRFA. The result of the discussion was
Request Expired.
Operator: Matthewrbowker (talk · contribs · SUL · edit count · logs · page moves · block log · rights log · ANI search)
Time filed: 17:26, Friday, April 1, 2016 (UTC)
Automatic, Supervised, or Manual: Automatic
Programming language(s): PHP
Source code available: Bot Source Code, Web-based tool source code
Function overview: Takes requests from a web-based form and places it on the appropriate subpage of Wikipedia:Requested Articles.
Links to relevant discussions (where appropriate): WT:RA
Edit period(s): Every half-hour (If there are requests pending)
Estimated number of pages affected: Wikipedia:Requested articles and sub-pages
Exclusion compliant (Yes/No): Not for this task, there is no need for exclusion compliance
Already has a bot flag (Yes/No):
Function details: This bot will take requests posted on a web-based form. It will sanitize the input to work with {{article request}} then post the request directly above {{User:Matthewrbot/Requests}}. If the template is not found, the bot will place the request at the bottom of the page and add the pages to Category:Requested Articles Pages with no template.
It will not re-add a request once it has been removed. The form itself contains a honeypot and eventually a Captcha based on Mediawiki's system.
Discussion
[edit]Note: Bot is not yet complete, I am still working on building it. Wanted to start the BRFA because it is a non-traditional request and I wanted to give time to handle concerns.
- External Loads
- What is this sending to bootstrapcdn? — xaosflux Talk 20:32, 1 April 2016 (UTC)
- Nothing is sent to bootstrapcdn. The bootstrap styling is retrieved from the bootstrap cdn, as bootstrap hasn't designed their repo to allow for git submoduling. ~ Matthewrbowker Drop me a note 20:56, 1 April 2016 (UTC)
- @Xaosflux: As of this commit, BootstrapCDN is no longer used. ~ Matthewrbowker Drop me a note 00:30, 5 April 2016 (UTC)
- Thank you! — xaosflux Talk 00:55, 5 April 2016 (UTC)
- Matthewrbowker it looks like your landing web page is explicitly sending to third parties again (code.jquery.com , maxcdn.bootstrapcdn.com) - is this the long term solution? — xaosflux Talk 19:22, 5 April 2016 (UTC)
- @Xaosflux: Which one are you looking at? I don't believe I've deployed the fix to the live form yet. ~ Matthewrbowker Drop me a note 19:59, 5 April 2016 (UTC)
- This link. — xaosflux Talk 20:09, 5 April 2016 (UTC)
- That is the live version of the tool. Updated. ~ Matthewrbowker Drop me a note 23:28, 5 April 2016 (UTC)
- This link. — xaosflux Talk 20:09, 5 April 2016 (UTC)
- @Xaosflux: Which one are you looking at? I don't believe I've deployed the fix to the live form yet. ~ Matthewrbowker Drop me a note 19:59, 5 April 2016 (UTC)
- Matthewrbowker it looks like your landing web page is explicitly sending to third parties again (code.jquery.com , maxcdn.bootstrapcdn.com) - is this the long term solution? — xaosflux Talk 19:22, 5 April 2016 (UTC)
- Thank you! — xaosflux Talk 00:55, 5 April 2016 (UTC)
- @Xaosflux: As of this commit, BootstrapCDN is no longer used. ~ Matthewrbowker Drop me a note 00:30, 5 April 2016 (UTC)
- Nothing is sent to bootstrapcdn. The bootstrap styling is retrieved from the bootstrap cdn, as bootstrap hasn't designed their repo to allow for git submoduling. ~ Matthewrbowker Drop me a note 20:56, 1 April 2016 (UTC)
- Page configurations
@Matthewrbowker: I'm a little concerned that anyone can edit the tool at User:Matthewrbot/Config/1/interface/all. The idea is cute, but it clearly appears to allow arbitrary html injection, which is probably a significant security and privacy risk to our users. --slakr\ talk / 02:46, 2 April 2016 (UTC)
- @Slakr: A concern of mine as well. I contacted an admin via IRC several months ago for cascading semi-protection, but was told that the protection is unlikely to be applied unless I can demonstrate vandalism. Would caching of the strings solve this concern? Alternatively, I can move them into xml files on the tool itself. P.S. Did I handle the template right? If not, my apologies ~ Matthewrbowker Drop me a note 03:25, 2 April 2016 (UTC)
- @Matthewrbowker: Cascading semi protection is not permitted because it's a security hazard. A plain full protection may be better if that "control" page has security implications.Jo-Jo Eumerus (talk, contributions) 17:55, 3 April 2016 (UTC)
- There's some precedent for this sort of thing (meta:www.wikipedia.org template), but it still makes me uncomfortable. Besides, if one of us full-protects the pages then you won't be able to edit them. Also, wouldn't this mean the tool is constantly fetching pages from on-wiki whenever it's loaded? While caching could help, that's still an inherently expensive operation. I suggest taking the configuration off-wiki. — Earwig talk 21:36, 3 April 2016 (UTC)
- @Jo-Jo Eumerus: @The Earwig: Acknowledged. I'm working on a quick patch that should be pushed tonight. It will move the configuration local. ~ Matthewrbowker Drop me a note 03:47, 4 April 2016 (UTC)
- @Slakr: @Jo-Jo Eumerus: @The Earwig: Fixed in this commit Fixed version has been pushed to the test version of the tool. ~ Matthewrbowker Drop me a note 07:10, 4 April 2016 (UTC)
- We can change the content model of this page to .js then it will be protected - would that work? (re: User:Matthewrbot/Config/1/interface/all) — xaosflux Talk 20:09, 5 April 2016 (UTC)
- Example User:Matthewrbot/Config/1/interface/all/2. — xaosflux Talk 20:12, 5 April 2016 (UTC)
- Hmm, you will have to log on with the bot's account to change that now though - that locks it to page owner and admins. — xaosflux Talk 20:14, 5 April 2016 (UTC)
- A thought perhaps, the concern with the editable pages was allowing experienced users to edit the tool. As of right now, the local configuration is functional. ~ Matthewrbowker Drop me a note 23:28, 5 April 2016 (UTC)
- @Xaosflux: Whoa, how did you do that...? — Earwig talk 04:06, 13 April 2016 (UTC)
- Hmm, you will have to log on with the bot's account to change that now though - that locks it to page owner and admins. — xaosflux Talk 20:14, 5 April 2016 (UTC)
- Example User:Matthewrbot/Config/1/interface/all/2. — xaosflux Talk 20:12, 5 April 2016 (UTC)
- We can change the content model of this page to .js then it will be protected - would that work? (re: User:Matthewrbot/Config/1/interface/all) — xaosflux Talk 20:09, 5 April 2016 (UTC)
- @Slakr: @Jo-Jo Eumerus: @The Earwig: Fixed in this commit Fixed version has been pushed to the test version of the tool. ~ Matthewrbowker Drop me a note 07:10, 4 April 2016 (UTC)
- @Jo-Jo Eumerus: @The Earwig: Acknowledged. I'm working on a quick patch that should be pushed tonight. It will move the configuration local. ~ Matthewrbowker Drop me a note 03:47, 4 April 2016 (UTC)
- Off site privacy
- What type of privacy policy is in place here? As you are soliciting usernames, and have access to request and address information. — xaosflux Talk 00:56, 5 April 2016 (UTC)
- @Xaosflux: See Labs Terms of use. I do not have access to IP addresses (they are stripped from the logs), so only username and request data is stored. ~ Matthewrbowker Drop me a note 19:03, 5 April 2016 (UTC)
- Sample outputs
- New question: What will the output on to wiki look like, can you make a post manually for example purposes? — xaosflux Talk 20:09, 5 April 2016 (UTC)
- Using {{Article request}}, see User:Matthewrbot/example1 (Headings have different examples) ~ Matthewrbowker Drop me a note 23:28, 5 April 2016 (UTC)
- The web form seems to have an extensive category selector - will that be posted on wiki as well? — xaosflux Talk 21:32, 6 April 2016 (UTC)
- @Xaosflux: Pages will be in the following form: "Wikipedia:Requested Articles/[category]/[sub-category]/sub-sub category]." If the sub-sub category is "other" it is chopped off. This does require re-structuring the existing RA sub pages. ~ Matthewrbowker Drop me a note 21:52, 6 April 2016 (UTC)
- The web form seems to have an extensive category selector - will that be posted on wiki as well? — xaosflux Talk 21:32, 6 April 2016 (UTC)
- Using {{Article request}}, see User:Matthewrbot/example1 (Headings have different examples) ~ Matthewrbowker Drop me a note 23:28, 5 April 2016 (UTC)
- Are there any rate limits to prevent someone flooding the tool? --slakr\ talk / 04:38, 12 April 2016 (UTC)
- @Slakr: The web-based form has no rate limiting as of yet, as I don't have an ability to really distinguish different users (Again, I don't have access to IPs). The bot will edit at a rate of one request every five seconds. ~ Matthewrbowker Drop me a note 05:27, 12 April 2016 (UTC)
- Any plans to add a captcha of some form? --slakr\ talk / 05:52, 16 April 2016 (UTC)
- Yes, it's in the works. I have to write my own solution, as there's currently no captcha solution for labs (specifically one that's compatible with the ToU, as far as I know). ~ Matthewrbowker Drop me a note 05:55, 16 April 2016 (UTC)
- Any plans to add a captcha of some form? --slakr\ talk / 05:52, 16 April 2016 (UTC)
- @Slakr: The web-based form has no rate limiting as of yet, as I don't have an ability to really distinguish different users (Again, I don't have access to IPs). The bot will edit at a rate of one request every five seconds. ~ Matthewrbowker Drop me a note 05:27, 12 April 2016 (UTC)
On Hold - I don't know if I'm doing this right, but I'm placing this request on hold. After discussion on IRC and some thought, I will be implementing OAuth functionality to the web-based interface. ~ Matthewrbowker Drop me a note 04:29, 27 April 2016 (UTC)
Request Expired. @Matthewrbowker: I'm moving this to expired, you may reactivate it in the future when ready. — xaosflux Talk 12:30, 7 May 2016 (UTC)- The above discussion is preserved as an archive of the debate. Please do not modify it. To request review of this BRFA, please start a new section at WT:BRFA.
