
Log of title blacklist hits
Closed, Resolved, Public

Description

Author: mike.lifeguard+bugs

Description:
Per T3542#58010, please provide a log of hits against the title blacklist.

Details

Reference
bz21206

Event Timeline

bzimport raised the priority of this task from to Medium. Nov 21 2014, 10:49 PM
bzimport set Reference to bz21206.
bzimport added a subscriber: Unknown Object (MLST).
*** Bug 41263 has been marked as a duplicate of this bug. ***

This bug doesn't make sense. What does it mean to "hit the title blacklist"?

If a title is blacklisted, the user simply does not see a "Create" tab when visiting that title. I don't see any point to just log hits to blacklisted pages...

(In reply to comment #4)

> If a title is blacklisted, the user simply does not see a "Create" tab when
> visiting that title.

This is wrong, apparently. But my point stands: it seems silly to log accesses to title=Bad_title&action=edit.

The information could be used to see whether an entry is still needed or may be removed.

*** Bug 63086 has been marked as a duplicate of this bug. ***

(In reply to This, that and the other from comment #5)

> This is wrong, apparently. But my point stands: it seems silly to log
> accesses to title=Bad_title&action=edit.

and if it's done so it could be easy to get that log spammed (and it looks like some kind of CSRF).

There is already a spam blacklist log which does not get spammed, making this point a possibility which doesn't happen. It would also be just as easy to spam edits to pages as spam actions to the proposed TBL log.

Like the SBL log, it should be admin-only, so that people don't get the idea that spamming it is possible.

Liangent, you've also merged a bug that was monitored by people who are actually active with this bug and not included them in the CC list. Is there any way to update that?

(In reply to Ajraddatz from comment #9)

> There is already a spam blacklist log which does not get spammed, making
> this point a possibility which doesn't happen. It would also be just as easy
> to spam edits to pages as spam actions to the proposed TBL log.

The point is that the method to spam this list is GET, and without a token, while the spamblacklist one is POST with a token. I could embed [img=1,1]http://en.wikipedia.org/w/index.php?title=Bad_title&action=edit[/img] in my forum signature to have that URL accessed by hundreds of people.

(In reply to Ajraddatz from comment #10)

> you've also merged a bug that was monitored by people who are
> actually active with this bug and not included them in the CC list. Is there
> any way to update that?

Add them to the CC list.

(In reply to Liangent from comment #11)

> (In reply to Ajraddatz from comment #9)
>
> > There is already a spam blacklist log which does not get spammed, making
> > this point a possibility which doesn't happen. It would also be just as easy
> > to spam edits to pages as spam actions to the proposed TBL log.
>
> The point is that, the method to spam this list is GET, and without a token,
> while the spamblacklist one is POST with a token. I could embed
> [img=1,1]http://en.wikipedia.org/w/index.php?title=Bad_title&action=edit[/img]
> in my forum signature to have that URL accessed by hundreds of people.

That's very true, thanks for clarifying. Hopefully by keeping the log private people wouldn't think to do that.

Change 123128 had a related patch set uploaded by Gerrit Patch Uploader:
[WIP] Add log for TB hits

https://gerrit.wikimedia.org/r/123128

Change 123150 had a related patch set uploaded by Gerrit Patch Uploader:
[WIP] Add TitleBlacklist hit log

https://gerrit.wikimedia.org/r/123150

Change 123150 abandoned by Brian Wolff:
[WIP] Add TitleBlacklist hit log

Reason:
accidental commit

https://gerrit.wikimedia.org/r/123150

legoktm recommended to just log account creations/page moves, avoiding the problem described above.

That's where the most useful part of the log would be anyhow, so that works.

Change 123128 merged by jenkins-bot:
Add log for TitleBlacklist hits

https://gerrit.wikimedia.org/r/123128

Created bug 66450 to update the WMF configuration.

Change 138745 had a related patch set uploaded by Gerrit Patch Uploader:
Fixes regarding title blacklist log

https://gerrit.wikimedia.org/r/138745

Make logging of IPs for account creations optional, default disabled

https://gerrit.wikimedia.org/r/138745

That's sensible. Once merged, extension page needs to be updated.

Actually, after bug 66450 is fixed, we should think of making the log enabled by default, because it's an extension we bundle with core. Separate bug for that?

(In reply to Liangent from comment #8)

> (In reply to This, that and the other from comment #5)
>
> > This is wrong, apparently. But my point stands: it seems silly to log
> > accesses to title=Bad_title&action=edit.
>
> and if it's done so it could be easy to get that log spammed (and it looks
> like some kind of CSRF).

Couldn't this be solved for edit and move by only logging recently active registered users?

It would be helpful to have a bot report those hitting it multiple times, cause they often find ways to elude it after enough tries.

Jackmcbarn said on "Make logging of IPs for account creations optional, default disabled" https://gerrit.wikimedia.org/r/#/c/138745/4:

> I doubt that many non-WMF wikis would want this off.

I disagree. I think non-WMF wikis are even more likely to want IPs hidden: many of them don't even install CheckUser because the marginal gain in antispam features is overcome by the burden of being forced to manage a privacy policy. We should ship a default MediaWiki which gives as little maintenance and legal burden as possible by default.

As far as I can see, there's already a title blacklist log available in Special:Log. No entries on it though.

He7d3r set Security to None.
He7d3r assigned this task to PiRSquared17.
Glaisher removed a project: Patch-For-Review.
Glaisher removed a subscriber: Unknown Object (MLST).