Wikipedia:Bots/Requests for approval/Matthewrbot


 * The following discussion is an archived debate. Please do not modify it. To request review of this BRFA, please start a new section at WT:BRFA. The result of the discussion was Request Expired.

Matthewrbot
Operator:

Time filed: 17:26, Friday, April 1, 2016 (UTC)

Automatic, Supervised, or Manual: Automatic

Programming language(s): PHP

Source code available: ,

Function overview: Takes requests from a web-based form and places it on the appropriate subpage of Requested Articles.

Links to relevant discussions (where appropriate): WT:RA

Edit period(s): Every half-hour (If there are requests pending)

Estimated number of pages affected: Requested articles and sub-pages

Exclusion compliant (Yes/No): Not for this task, there is no need for exclusion compliance

Already has a bot flag (Yes/No):

Function details: This bot will take requests posted on a web-based form. It will sanitize the input to work with article request then post the request directly above. If the template is not found, the bot will place the request at the bottom of the page and add the pages to Category:Requested Articles Pages with no template.

It will not re-add a request once it has been removed. The form itself contains a honeypot and eventually a Captcha based on Mediawiki's system.

Discussion
Note:  Bot is not yet complete, I am still working on building it. Wanted to start the BRFA because it is a non-traditional request and I wanted to give time to handle concerns.


 * External Loads
 * What is this sending to bootstrapcdn? — xaosflux  Talk 20:32, 1 April 2016 (UTC)
 * Nothing is sent to bootstrapcdn. The bootstrap styling is retrieved from the bootstrap cdn, as bootstrap hasn't designed their repo to allow for git submoduling.  ~  Matthewrbowker  Drop me a note 20:56, 1 April 2016 (UTC)
 * As of this commit, BootstrapCDN is no longer used. ~ Matthewrbowker  Drop me a note 00:30, 5 April 2016 (UTC)
 * Thank you! — xaosflux  Talk 00:55, 5 April 2016 (UTC)
 * It looks like your landing web page is explicitly sending to third parties again (code.jquery.com, maxcdn.bootstrapcdn.com) - is this the long term solution? — xaosflux  Talk 19:22, 5 April 2016 (UTC)
 * Which one are you looking at? I don't believe I've deployed the fix to the live form yet. ~  Matthewrbowker  Drop me a note 19:59, 5 April 2016 (UTC)
 * This link. — xaosflux  Talk 20:09, 5 April 2016 (UTC)
 * That is the live version of the tool. Updated.  ~  Matthewrbowker  Drop me a note 23:28, 5 April 2016 (UTC)

I'm a little concerned that anyone can edit the tool at User:Matthewrbot/Config/1/interface/all. The idea is cute, but it clearly appears to allow arbitrary html injection, which is probably a significant security and privacy risk to our users. -- slakr \ talk / 02:46, 2 April 2016 (UTC)
 * Page configurations
 * A concern of mine as well. I contacted an admin via IRC several months ago for cascading semi-protection, but was told that the protection is unlikely to be applied unless I can demonstrate vandalism.  Would caching of the strings solve this concern? Alternatively, I can move them into xml files on the tool itself. P.S. Did I handle the template right?  If not, my apologies ~  Matthewrbowker  Drop me a note 03:25, 2 April 2016 (UTC)
 * Cascading semi protection is not permitted because it's a security hazard. A plain full protection may be better if that "control" page has security implications. Jo-Jo Eumerus (talk, contributions) 17:55, 3 April 2016 (UTC)
 * There's some precedent for this sort of thing (www.wikipedia.org template), but it still makes me uncomfortable. Besides, if one of us full-protects the pages then you won't be able to edit them. Also, wouldn't this mean the tool is constantly fetching pages from on-wiki whenever it's loaded? While caching could help, that's still an inherently expensive operation. I suggest taking the configuration off-wiki. —  Earwig   talk 21:36, 3 April 2016 (UTC)
 * Acknowledged. I'm working on a quick patch that should be pushed tonight.  It will move the configuration local. ~  Matthewrbowker  Drop me a note 03:47, 4 April 2016 (UTC)
 * Fixed in this commit. Fixed version has been pushed to the test version of the tool. ~ Matthewrbowker  Drop me a note 07:10, 4 April 2016 (UTC)
 * We can change the content model of this page to .js then it will be protected - would that work? (re: User:Matthewrbot/Config/1/interface/all) — xaosflux  Talk 20:09, 5 April 2016 (UTC)
 * Example User:Matthewrbot/Config/1/interface/all/2. — xaosflux  Talk 20:12, 5 April 2016 (UTC)
 * Hmm, you will have to log on with the bot's account to change that now though - that locks it to page owner and admins. — xaosflux  Talk 20:14, 5 April 2016 (UTC)
 * A thought perhaps, the concern with the editable pages was allowing experienced users to edit the tool. As of right now, the local configuration is functional. ~  Matthewrbowker  Drop me a note 23:28, 5 April 2016 (UTC)
 * Whoa, how did you do that...? —  Earwig   talk 04:06, 13 April 2016 (UTC)
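
Added example, not part of the archived discussion and not the tool's own code: one way to handle the HTML-injection concern raised above is to treat every interface string loaded from a publicly editable page as untrusted text. The `key = value` page format, the key names, the helper names and the sample data are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist: only these message keys are accepted from the
// configuration page; any other line on the page is ignored.
const ALLOWED_KEYS = ['title', 'intro', 'submit_label'];

/** Parse "key = value" lines (assumed format), keeping allowlisted keys only. */
function parseInterfaceStrings(string $raw): array
{
    $strings = [];
    foreach (preg_split('/\R/', $raw) as $line) {
        if (!preg_match('/^\s*([a-z_]+)\s*=\s*(.*)$/', $line, $m)) {
            continue; // not a key/value line
        }
        if (in_array($m[1], ALLOWED_KEYS, true)) {
            $strings[$m[1]] = trim($m[2]);
        }
    }
    return $strings;
}

/** Escape a value for an HTML text node or a quoted attribute value. */
function h(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample: what a vandalised configuration page could contain.
$raw = <<<'TXT'
title = Request an article
intro = Welcome <script src="//third-party.example/x.js"></script>
submit_label = Send" onfocus="x
tracking_pixel = <img src="//third-party.example/p.gif">
TXT;

$ui = parseInterfaceStrings($raw);

// Markup lives in the template; fetched values are only ever emitted as text,
// so the injected tag and the attribute breakout are rendered inert.
printf("<h1>%s</h1>\n", h($ui['title'] ?? ''));
printf("<p>%s</p>\n", h($ui['intro'] ?? ''));
printf("<input type=\"submit\" value=\"%s\">\n", h($ui['submit_label'] ?? ''));
```

Escaping on output keeps an edited string from becoming markup, but it does not stop misleading text from being shown, which is the part that page protection or moving the configuration off-wiki addresses.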


 * Off site privacy
 * What type of privacy policy is in place here? As you are soliciting usernames, and have access to request and address information. —  xaosflux  Talk 00:56, 5 April 2016 (UTC)
 * See Labs Terms of use. I do not have access to IP addresses (they are stripped from the logs), so only username and request data is stored. ~  Matthewrbowker  Drop me a note 19:03, 5 April 2016 (UTC)


 * Sample outputs
 * New question: What will the output on to wiki look like, can you make a post manually for example purposes? — xaosflux  Talk 20:09, 5 April 2016 (UTC)
 * Using Article request, see User:Matthewrbot/example1 (Headings have different examples) ~ Matthewrbowker  Drop me a note 23:28, 5 April 2016 (UTC)
 * The web form seems to have an extensive category selector - will that be posted on wiki as well? — xaosflux  Talk 21:32, 6 April 2016 (UTC)
 * Pages will be in the following form: "Wikipedia:Requested Articles/[category]/[sub-category]/[sub-sub category]." If the sub-sub category is "other" it is chopped off.  This does require re-structuring the existing RA sub pages. ~  Matthewrbowker  Drop me a note 21:52, 6 April 2016 (UTC)
 * Are there any rate limits to prevent someone flooding the tool? -- slakr \ talk / 04:38, 12 April 2016 (UTC)
 * The web-based form has no rate limiting as of yet, as I don't have an ability to really distinguish different users (Again, I don't have access to IPs). The bot will edit at a rate of one request every five seconds. ~  Matthewrbowker  Drop me a note 05:27, 12 April 2016 (UTC)
 * Any plans to add a captcha of some form? -- slakr \ talk / 05:52, 16 April 2016 (UTC)
 * Yes, it's in the works. I have to write my own solution, as there's currently no captcha solution for labs (specifically one that's compatible with the ToU, as far as I know). ~ Matthewrbowker  Drop me a note 05:55, 16 April 2016 (UTC)

On Hold - I don't know if I'm doing this right, but I'm placing this request on hold. After discussion on IRC and some thought, I will be implementing OAuth functionality to the web-based interface. ~ Matthewrbowker  Drop me a note 04:29, 27 April 2016 (UTC)
 * I'm moving this to expired, you may reactivate it in the future when ready. — xaosflux  Talk 12:30, 7 May 2016 (UTC)
 * The above discussion is preserved as an archive of the debate. Please do not modify it. To request review of this BRFA, please start a new section at WT:BRFA.