Page MenuHomePhabricator
Create Task
Maniphest T356599

DiscussionTools is incompatible with hCaptcha (and likely ReCaptcha)
Open, Needs TriagePublicBUG REPORT
Actions

Description

Steps to replicate the issue (include links if applicable):

  • Enable ConfirmEdit and choose the "hCaptcha" option
  • Be logged in
  • Attempt to use the "Reply" function in DiscussionTools

What happens?:

image.png (300×870 px, 20 KB)
appears

What should have happened instead?:
hCaptcha's UI should appear as it does on pages such as Special:CreateAccount

Software version (skip for WMF-hosted wikis like Wikipedia):

Product Version
MediaWiki 1.40.2 (13bc5ff)
22:43, 30 January 2024
PHP 8.2.7 (fpm-fcgi)

Other information (browser name/version, screenshots, etc.):

Related Objects

Event Timeline

Reception123 created this task.Feb 4 2024, 5:40 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 4 2024, 5:40 PM
Paladox subscribed.Feb 4 2024, 7:23 PM
Pppery renamed this task from DiscussionTool is incompatible with hCaptcha (and likely ReCaptcha) to DiscussionTools is incompatible with hCaptcha (and likely ReCaptcha).Feb 4 2024, 9:37 PM
Pppery updated the task description. (Show Details)
Bugreporter added a project: ConfirmEdit (CAPTCHA extension).Feb 5 2024, 3:20 AM
Esanders subscribed.Feb 5 2024, 10:50 AM

Note for Editing Team: this does not affect WMF wikis

kostajh added a parent task: T250227: Investigate and evaluate hCaptcha to replace Wikimedia's Fancy Captcha.Feb 16 2024, 12:51 PM
sbassett subscribed.Feb 16 2024, 3:02 PM
In T356599#9512522, @Esanders wrote:

Note for Editing Team: this does not affect WMF wikis

And it never should affect Wikimedia production, as the current ConfirmEdit integration with hCaptcha is far too basic to satisfy all of the technical concerns outlined in T250227 and elsewhere.

BlankEclair subscribed.Jun 20 2024, 6:46 AM
BlankEclair added a comment.Jun 20 2024, 11:22 AM

I believe the bug currently lies in DiscussionTools.

For VisualEditor, ConfirmEdit handles displaying the captcha. ve.init.mw.CaptchaSaveErrorHandler.js handles SimpleCaptcha and QuestyCaptcha (by using ext.confirmEdit.CaptchaInputWidget.js, a multi-purpose CAPTCHA text box), and ve.init.mw.HCaptchaSaveErrorHandler.js handles hCaptcha. All save error handlers are tested by VisualEditor as the modules register a hook with VE, and one is used based on the return value of matchFunction.

In contrast, DiscussionTools handles CAPTCHAs by only using ext.confirmEdit.CaptchaInputWidget (see dt.ui.ReplyWidget.js line 1085). This input widget only supports textboxes, while hCaptcha (and probably reCaptcha) uses an iframe.

A workaround would be to hardcode exceptions for hCaptcha and reCaptcha in DiscussionTools, and use their hooks somehow. A proper fix would be to either add hooks into DiscussionTools, or to reuse VisualEditor's.

Reedy subscribed.Mon, Oct 21, 4:22 PM

OOI, does this actually prevent using DiscussionTools with hCaptcha (or similar) enabled? Or does it just present an ineffective captcha (that can't be solved, and therefore doesn't prevent stuff that it maybe should've)...

BlankEclair added a comment.Tue, Oct 22, 11:12 AM

DiscussionTools can't properly display the captcha if it is given one, but otherwise it should work if there is no captcha presented to it. (Un)fortunately, there is no captcha bypass when using DT.

Reedy mentioned this in T374770: Non-autoconfirmed users get no CAPTCHA and cannot save external links with DiscussionTools new topic tool.Thu, Oct 24, 12:58 AM
Reedy merged a task: T327054: Recaptcha does not work icw DiscussionTools.Thu, Oct 24, 1:11 AM
Reedy added a subscriber: Ryoya3.
Reedy moved this task from Backlog to Bugs on the ConfirmEdit (CAPTCHA extension) board.Thu, Oct 24, 1:21 AM
Reedy removed a parent task: T250227: Investigate and evaluate hCaptcha to replace Wikimedia's Fancy Captcha.Thu, Oct 24, 1:25 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits