Last modified: 2014-09-23 23:46:59 UTC

Bug 12693 - Include username in new messages bar ("youhavenewmessages")
Status: NEW
Product: MediaWiki
Classification: Unclassified
Component: Interface
Version: 1.22.0
Hardware: All All
Importance: Low minor with 1 vote
Target Milestone: ---
Assigned To: Nobody - You can work on this!
Keywords: patch, patch-need-review
Reported: 2008-01-19 18:45 UTC by Navou
Modified: 2014-09-23 23:46 UTC

Attachments
Add user name to the youhavenewmessages message (1.18 KB, patch), 2008-01-19 19:03 UTC, CBM
updated patch (escape username) (1.24 KB, patch), 2008-01-19 19:33 UTC, CBM
Patch to add username to notification message (1.24 KB, patch), 2012-02-26 19:51 UTC, Srikanth Logic

Description Navou 2008-01-19 18:45:49 UTC
Change the default New Messages bar to read "User" you have new messages.  This change is requested to preclude UI spoofing.
Comment 1 AGK 2008-01-19 18:51:59 UTC
Anything that stems this "omg, you have new messages... rly!" nonsense, is something I welcome with open arms.

--AGK
Comment 2 CBM 2008-01-19 19:03:15 UTC
Created attachment 4560 [details]
Add user name to the youhavenewmessages message
Comment 3 CBM 2008-01-19 19:04:49 UTC
Since there is no CURRENTUSER magic word, I don't think there is any way in wiki code to generate the name of the logged-in user. So just adding this to the bar should be enough to detect spoofs. I uploaded a patch.
Comment 4 CBM 2008-01-19 19:33:01 UTC
Created attachment 4561 [details]
updated patch (escape username)

Updated patch to escape username with wfEscapeWikiText()
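
A small model of the reasoning in comments 3 and 4, added here as an illustration and not taken from any of the attached patches: page content renders identically for every viewer, so it cannot reproduce a bar that carries the viewer's name, and the name has to be escaped before it passes through the wikitext parser. `escape_wikitext`, the toy renderer and the sample names are assumptions made for the example; only `wfEscapeWikiText()` is named on the page.

```python
import re

# Simplified stand-in for an escaper such as wfEscapeWikiText(); the character
# set is an assumption for this sketch, not MediaWiki's actual table.
MARKUP_CHARS = "'[]{}|<>&=*#:;~"

def escape_wikitext(text):
    """Replace markup-significant characters with numeric HTML entities."""
    return "".join(f"&#{ord(c)};" if c in MARKUP_CHARS else c for c in text)

def render_wikitext(src):
    """Toy renderer: only ''italic'' markup is interpreted."""
    return re.sub(r"''(.+?)''", r"<i>\1</i>", src)

def visible_text(html_src):
    """What the reader sees: tags dropped, numeric entities decoded."""
    no_tags = re.sub(r"<[^>]+>", "", html_src)
    return re.sub(r"&#(\d+);", lambda m: chr(int(m.group(1))), no_tags)

def notice_bar(viewer, with_name=True, escape=True):
    """Server-side bar; only this code path knows who is viewing the page."""
    if not with_name:
        return render_wikitext("You have new messages")
    name = escape_wikitext(viewer) if escape else viewer
    return render_wikitext(f"{name}, you have new messages")

def fooled_viewers(stored_wikitext, viewers, with_name):
    """Viewers for whom a banner stored in page content reads like the real bar."""
    shown = visible_text(render_wikitext(stored_wikitext))  # same for everyone
    return [v for v in viewers
            if shown == visible_text(notice_bar(v, with_name))]

# Constructed sample data
VIEWERS = ["Alice", "Bob", "127.0.0.1"]
SPOOF = "''You have new messages''"   # banner text placed in page content
MARKUP_NAME = "Ann''x''"              # user name containing wikitext markup

if __name__ == "__main__":
    print("bar without name:", fooled_viewers(SPOOF, VIEWERS, False))
    print("bar with name:   ", fooled_viewers(SPOOF, VIEWERS, True))
    print("unescaped name:  ", notice_bar(MARKUP_NAME, escape=False))
    print("escaped name:    ", notice_bar(MARKUP_NAME))
```
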
Comment 5 Random832 2008-01-19 20:29:54 UTC
How about moving it out of the content area altogether? Put it where the sitenotice normally is, for example.
Comment 6 Navou 2008-01-29 13:24:35 UTC
I've altered to minor, due to it being an exploitable issue.  That being a UI spoof.  Additionally, do we know if there is a status on this bug?

Comment 7 Umherirrender 2010-04-16 21:43:03 UTC
(In reply to comment #5)
> How about moving it out of the content area altogether? Put it where the
> sitenotice normally is, for example.

bug 12681
Comment 8 Sumana Harihareswara 2011-11-10 02:34:47 UTC
CBM, thanks for your patch.  I'm sorry it took so long for you to get a response.  Your patch doesn't apply to trunk anymore, since trunk has changed substantially in the past few years.  If you have the time and the interest in revising it, please stop by #mediawiki on freenode IRC to chat about the best approach, so you don't end up redoing too much work.  Thanks again!
Comment 9 Sumana Harihareswara 2012-02-22 05:26:00 UTC
Santhosh verified that this bug is "easy" and suitable for a new MediaWiki developer.
Comment 10 Srikanth Logic 2012-02-26 19:51:44 UTC
Created attachment 10109 [details]
Patch to add username to notification message

I didn't think of UI spoofing, but one user had mentioned to me before that he thought the notification was some standard thing and never bothered to click it (and know the talk page / messages left to him); he never realized it was a notification for a personal message left on talk.
Comment 11 Sumana Harihareswara 2012-05-25 03:04:06 UTC
Srikanth, thanks for the patch! Can I ask you to use developer access to directly suggest it into Git/Gerrit?

https://www.mediawiki.org/wiki/Git/Workflow#How_to_submit_a_patch in case you need that.
Comment 12 Alex Monk 2012-06-26 22:37:23 UTC
Srikanth, are you going to submit this for review? :)
Comment 13 Bawolff (Brian Wolff) 2012-07-17 18:23:30 UTC
(In reply to comment #1)
> Anything that stems this "omg, you have new messages... rly!" nonsense, is
> something I welcome with open arms.
> 
> --AGK

You know [[Special:Block]] is also good for that too... (Better one could even argue)
----
In regards to patch, the "You" should probably be lowercase since it no longer starts a sentence.
Comment 14 Bawolff (Brian Wolff) 2012-07-17 19:04:05 UTC
Actually thinking about this, the construction "<Username>, you have new messages" seems a tad artificial to me, but maybe that's just me. 

Another option:

"You have new messages on User talk:<username>".
Comment 15 Platonides 2012-07-17 19:14:17 UTC
Thinking about the anons, "127.0.0.1, you have new messages" doesn't look good.   "There are new messages for USERNAME" might be useful in separating that it was sent to the IP, not necessarily to the person reading it (I have been sent a message about vandalising, but I didn't edit anything!). OTOH, many newbies wouldn't think it's a message for them if we called them by IP address.
Comment 16 Sumana Harihareswara 2012-08-17 10:45:53 UTC
Srikanth, I added the "design" keyword because I imagine the design group would have some feedback on this proposed change.
Comment 17 Munaf Assaf 2012-12-10 18:59:04 UTC
Thanks Sumana!

From a copy design perspective, I agree that "[Username], you have new messages" might sound too concierge-like, especially since most users aren't accustomed to having themselves addressed by their username in everyday conversation (as opposed to their real first name).

I like Bawolff's proposal:
"You have new messages on User talk:<username>"

"You" alone is attention-grabbing enough, in my experience. Some people will debate whether or not pronouns are OK in these situations, but until Echo handles notifications, I think this would be a fine approach to prevent UI spoofing.

Cheers,
Munaf
Comment 18 Andre Klapper 2013-04-02 19:53:35 UTC
[removing keyword as design input was provided]
