[e-lang] wiki.erights.org and anonymous edits
toby.murray at comlab.ox.ac.uk
Mon Jan 12 09:21:31 CST 2009
On Mon, 2009-01-12 at 14:54 +0100, Dominique Quatravaux wrote:
> On Mon, Jan 12, 2009 at 2:37 PM, Kevin Reid <kpreid at mac.com> wrote:
> > * With anonymous editing, they just edit and we can block their
> > address and prohibit account creation from it.
> This suggests adding captchas, instead of (or in addition to)
> disabling anonymous edits.
wiki.erights.org already uses captchas for account creation and
anonymous edits to pages where the new page text includes a URL. (Modern
bots work around this second restriction by including the URL in the
message associated with the edit, rather than the edit itself, so that
it still shows up in the RecentChanges and RSS feeds etc.)
The reCAPTCHA MediaWiki extension can be customised to alter exactly
when the captcha should be invoked. ConfirmEdit.php of the extension has
the relevant code. (I don't run or have anything really to do with
wiki.erights.org but do have some experience with MediaWiki and
reCAPTCHA from elsewhere.) Quoting from ConfirmEdit.php:
> * Actions which can trigger a captcha
> * If the 'edit' trigger is on, *every* edit will trigger the captcha.
> * This may be useful for protecting against vandalbot attacks.
> * If using the default 'addurl' trigger, the captcha will trigger on
> * edits that include URLs that aren't in the current version of the page.
> * This should catch automated linkspammers without annoying people when
> * they make more typical edits.
> * The captcha code should not use $wgCaptchaTriggers, but CaptchaTriggers()
> * which also takes into account per namespace triggering.
> $wgCaptchaTriggers = array();
> $wgCaptchaTriggers['edit'] = false; // Would check on every edit
> $wgCaptchaTriggers['create'] = true; // Check on page creation.
> $wgCaptchaTriggers['addurl'] = true; // Check on edits that add URLs
> $wgCaptchaTriggers['createaccount'] = true; // Special:Userlogin&type=signup
> $wgCaptchaTriggers['badlogin'] = true; // Special:Userlogin after failure
So one could easily alter it to run a captcha on every edit, anonymous or not,
$wgCaptchaTriggers['edit'] = true;
One could then disable captchas for all logged-in users via the
$wgGroupPermissions settings, to wit:
> * The 'skipcaptcha' permission key can be given out to
> * let known-good users perform triggering actions without
> * having to go through the captcha.
> * By default, sysops and registered bot accounts will be
> * able to skip, while others have to go through it.
> $wgGroupPermissions['*' ]['skipcaptcha'] = false;
> $wgGroupPermissions['user' ]['skipcaptcha'] = false;
> $wgGroupPermissions['autoconfirmed']['skipcaptcha'] = false;
> $wgGroupPermissions['bot' ]['skipcaptcha'] = true; // registered bots
> $wgGroupPermissions['sysop' ]['skipcaptcha'] = true;
So one can set
$wgGroupPermissions['user']['skipcaptcha'] = true;
and logged-in users will never have to do a captcha.
These two changes combined might have the desired effect. This may
certainly be better than disabling anonymous edits entirely.
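
The effect of the two settings discussed in the message above, as an added example that is not part of the original message and is not ConfirmEdit's own code. It is a simplified model: the function names, the URL regex and the sample edits are assumptions made for the illustration.

```php
<?php
// Simplified model of the captcha decision; NOT the extension's implementation.
// findUrls(), canSkip() and needsCaptcha() are hypothetical helper names.

function findUrls(string $text): array {
    preg_match_all('~https?://[^\s<>\[\]"]+~i', $text, $m);
    return array_unique($m[0]);
}

// MediaWiki grants a right if any group the user belongs to has it set to true.
function canSkip(array $perms, array $groups): bool {
    foreach ($groups as $g) {
        if (!empty($perms[$g]['skipcaptcha'])) {
            return true;
        }
    }
    return false;
}

// Only page text is compared; the edit summary is not an input, which is why
// a URL placed in the summary never fires the 'addurl' trigger.
function needsCaptcha(array $triggers, array $perms, array $groups,
                      string $old, string $new): bool {
    if (canSkip($perms, $groups)) return false;
    if (!empty($triggers['edit'])) return true;
    if (!empty($triggers['addurl'])) {
        return count(array_diff(findUrls($new), findUrls($old))) > 0;
    }
    return false;
}

$defaultTriggers  = ['edit' => false, 'addurl' => true];
$proposedTriggers = ['edit' => true,  'addurl' => true];
$defaultPerms = ['*'     => ['skipcaptcha' => false],
                 'user'  => ['skipcaptcha' => false],
                 'sysop' => ['skipcaptcha' => true]];
$proposedPerms = $defaultPerms;
$proposedPerms['user']['skipcaptcha'] = true;

// Constructed sample edits: label, groups, old page text, new page text.
$edits = [
    ['anon, plain text',          ['*'],         'Hello', 'Hello world'],
    ['anon, adds URL to page',    ['*'],         'Hello', 'Hello http://spam.example/'],
    ['anon, URL only in summary', ['*'],         'Hello', 'Hello!'],
    ['logged-in, adds URL',       ['*', 'user'], 'Hello', 'Hello http://docs.example/e'],
];
foreach ($edits as [$label, $groups, $old, $new]) {
    printf("%-27s default=%-3s proposed=%s\n", $label,
        needsCaptcha($defaultTriggers, $defaultPerms, $groups, $old, $new) ? 'yes' : 'no',
        needsCaptcha($proposedTriggers, $proposedPerms, $groups, $old, $new) ? 'yes' : 'no');
}
```

The third row is the summary-URL case from the message: the default triggers let it through, while the 'edit' trigger challenges it regardless of where the URL sits.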