You are browsing a read-only backup copy of Wikitech. The live site can be found at


From Wikitech-static
Revision as of 23:01, 25 October 2021 by imported>Eileen (→‎Email integration - Acoustic)
Jump to navigation Jump to search
WMF Donation Pipeline overview

This is the homepage for fundraising-tech documentation. If you can't find what you are looking from from here then take a look at our documentation plan and add the appropriate header & links.

Note that much of the content on this page should be moved to linked pages.

A Donor-facing endpoints

DonationForm - reusable frontend

B Internal endpoints


WMF fundraising uses CiviCRM to track donor data.

CiviCRM requires a 'host CMS' and to that end we use Drupal7. Drupal 7 is EOL in November 2022 and next year we plan to upgrade to Drupal 9 - or maybe even 10. Our goal, however, is that we do not use any CMS-specific code going forwards. While we currently expect to stick with Drupal in we should be equally able to move to Wordpress. To this end we are in the process of migrating our drupal modules to CiviCRM extensions.


Drush is a really useful drupal command line utility. There is a lot of documentation about drush on the internet but a few things to know with regards to WMF.

  • On production, staging and in our docker dev set up we have an alias 'wmff' which tells drush details about where the code is and to use user 1.
  • Common usage:
Command Where What
`drush @wmff updb` local dev and prod Run any database updates that need to be run
`drush @wmff up --security-only` local dev Download and install any security updates (these are then checked into git to deploy)
`drush @wmff cvapi Contact.get version=4 checkPermissions=0` local dev and prod Run a civicrm api - the Contact.get action is probably not in itself useful but it does show how a api version 4 call would look

Our CiviCRM customisations

We have customised CiviCRM using both CiviCRM Extensions and drupal modules

C External services

D Cluster layout, deployment, codebases

E Data and multi-component processes

Payment processors

We have the ability to use several payment processors for online donations. Currently, we route most credit card donations to GlobalCollect.

  • Ingenico:
    • Ingenico has the ability to handle payments from multiple international systems including: credit card, direct debit, real time bank transfer, eWallets and more.
  • PayPal:
  • Amazon: A widget on our page, integrated using Login and Pay with Amazon.
  • Adyen:, documentation
  • WorldPay An alternate credit card processor that we use primarily for France and RTL languages. We can do other methods through them, too, if we want.

See also, "Ways to Give" for our recommended donation methods according to country.

Payment processor capabilities:

Ingenico PayPal Amazon Adyen WorldPay AstroPay Banks Checks
Credit card Yes Yes Yes Yes Yes Yes
Bank transfer Yes Yes No Yes IBAN, Swift
Countries list USA[1]
Currencies [2] list USD All[3]
Direct debit [4] No No n/i
Recurring Yes Yes Yes Yes[5]
Mobile optimized No n/i[6] n/i[7] n/i
Languages [8] [9] ? ?
Account required No No Yes No No No
Refund by API n/i n/i n/i n/i
Fully automated auditing Yes Yes Yes Yes No Yes


Yes Implemented
n/i Not yet implemented
No Unsupported by processor
Notification failure policies:

When we don't respond to an IPN message from a payment processor with a successful HTTP code, they usually resend it.

Adyen: back-off algorithm from 5 minutes to 8 hrs, then every 8 hrs for a week

Amazon: every hour for 14 days

Email integration - Acoustic

Acoustic is the service we use to send out bulk emails. They are able to handle high volumes of emails and are responsible for managing server reputation to improve deliverability. Acoustic also provide tools for A-B testing to see which emails perform better. In order to be able to use our donor information from Acoustic we have a nightly upload job. We also re-import information from acoustic - for details go to Fundraising/Data and Integrated Processes/Acoustic Integration

Note that prior brandings of the Acoustic platform may still linger - ie Silverpop, WCM, Watson Campaign Manager, or sometimes just 'IBM'

Message queues

This describes the WMF fundraising systems configuration. See the page on payments message queues for a discussion of how message queues are used to buffer and decouple fundraising infrastructure, and to read about the format and content of normalized messages.

WMF fundraising uses the ActiveMQ ( message broker for most queues, and STOMP as its wire protocol. This queue server is outside of PCI scope, and communicates with CiviCRM.

The limbo queue *WILL SOON BE* stored in Redis on the payments cluster, which is important for PCI certification. We cannot afford to have our queue servers in scope.

Various queue wrangling techniques are available.


All queues feeding into services outside the fr-cluster live on a single ActiveMQ instance. This is a SPOF.

Frack Redis

The DonationInterface frontends set and delete messages on localhost's queue. Nice to have: if record to delete is not found, try the other masters.

Orphan slayer pops messages off of available masters in round-robin order. Set and delete are to the same queue the message came from.


Redis masters on payments1-3 replicate to three slaves on payments4.

codfw holds (three or) six replicas of the queues on eqiad payments1-4.


Port all STOMP queuing to high-availability Redis instead.

We should clean up any unused queues, and overly narrowly defined ones.

Contribution tracking

When a potential donor visits the Wikimedia donation page, a tracking record is created in the drupal.contribution_tracking table. This record includes the user's language, referrer, donation comment, opt-out status, a timestamp, and various other data. The tracking is handled on the MediaWiki side by the DonationInterface and ContributionTracking extensions. If the user makes a successful donation, a contribution record is passed to CiviCRM via ActiveMQ. The queue2civicrm module then inserts the contribution record into the CiviCRM database and updates the tracking record with the id given to the contribution by CiviCRM.


Banner impressions and landing page stats are collected from the production proxies. Fundraising_Analytics/Impression_Stats. The wmf:Thank_you page includes wmf:Template:Hide_banners which loads Special:HideBanners from multiple domains via image src. HideBanners sets cookies for donors which tell CentralNotice's bannerController.js not to pester them for a year or so.


Contribution tracking data is surfaced through a stats portal on foundation wiki. All entries have to be white listed under wgAllowedTemplates in CommonSettings.php so that we don't surface any doctored banners.


This is a tracking variable which is supposed to collect information about the transaction. Currently, it is a period-separated concatenation of three components. One interpretation of the components is, 1) banner name, 2) landing page name, and 3) payment method. We are currently in the process of standardizing (see FR #965 and FR #673).

In theory, each component may be a tilde-concatenation of a sequence of landing pages, for example. That code is badly dysfunctional.


Donor was referred by this type of site: sitenotice, spontaneous, sidebar, socialmedia.

Seems unuseful at this broad granularity.


The parent campaign for the banner where this donation was initiated.



Mediawiki extensions

The following Mediawiki extensions related to fundraising are installed on the payments wiki:


This module handles all of the payment gateway specific functionality for the fundraising system at the point the user makes a donation. Other handling (secondary verification, queue managing) is handled on DonationInterface It is made up of the following components:


Contains the Stomp library and provides a mechanism for correctly formatting a message for storage in ActiveMQ. This could probably be refactored a bit to allow the other extension pieces to more flexibly rely on this to communicate with ActiveMQ. As it is right now, the functionality exposed by activemq_stomp.php is very limited, however the included Stomp library exposes whatever you might need to communicate with the queue.


This directory contains several different hooks that can be used as needed at various points in a gateway's donation workflow. Extras include conversion_log, custom_filters (used for fraud prevention), minfraud (which also exists as a custom filter), and recaptcha.


Generally, the gateway_common directory contains gateway adapter code written to be gateway-agnostic, but which all the gateway-specific classes are descended from.


Forms and form classes that are not written to be gateway-specific should be kept here.


All gateway-specific code can be found here.


In the course of a normal globalcollect hosted credit card transaction, a small percentage of donors will complete a transaction on the globalcollect hosted credit card form, and not manage to come back to the globalcollect ResultSwitcher page. The function of the ResultSwitcher page is to both filter and finalize the pending transaction and record it in the case of a successful conversion, so the donor not returning to the ResultSwitcher would effectively strand the otherwise successful transaction in a sort of limbo state. The code contained in the globalcollect scripts directory was written to address the problem of these stranded transactions.

This maintenance script is currently running on a Jenkins job, and uses data pulled from the 'cc-limbo' queue in ActiveMQ.


Generally speaking, all modules that could be said to be gateway-agnostic should live in this directory. These modules will be loaded as-needed with resource loader.


This exposes the credit card donation form (as opposed to the PayPal stuff) and handles the communication between the donation page and PayflowPro. It negotiates the entire process from the point the user submits the donation to insertion of a donation into ActiveMQ - if a donation is considered valid at the point of submission, it is placed in the 'donation' queue. Otherwise, it is either rejected or placed in the 'pending_pfp' queue for review. Further handling happens on pending messages by

Fraud filtering

There are a series of extra sub-extensions, or filters, for payflowpro_gateway that perform analysis on credit card transactions to determine the likelihood that a transaction is fraudulent. Each of the filters helps determine the 'risk score' for a transaction. Actions to take based on certain risk scores can be configured for payflowpro_gateway (reject, review, challenge, accept). The filters currently available include:

  • MaxMind/MinFraud - a third party solution that helps analyze the transaction. They return their own 'risk score' for a transaction which heavily influences our own internal scoring.
  • Referrer - Regular expressions can be configured to be run on a transaction's 'referrer', and each regex can be configured to apply a different score in the event that the referrer is a match.
  • utm_source - Same as referrer, but for the utm_source bit in the tracking fields.

Our configuration of payflowpro_gateway causes two local logfiles to be generated:

  • /var/log/mw/minfraud
  • /var/log/mw/payflow

The 'minfraud' log logs more than just 'minfraud' related information. It tracks a user's transaction through our fraud prevention filters, and if their transaction is considered safe enough to be sent off to PayflowPro, Payflow's response object also gets logged here. This log also gets used to help us determine patterns in fraudulent transactions, analyze more general patterns in our transactions and determine why or why not a certain transaction was accepted/rejected.

The 'payflow' log logs more than just payflow related information. It's more of a debug log, tracking a transactions progress through the different parts of the payflowpro_gateway experience. The only piece of transactional data that actually gets recorded in the log is our internal 'trxn_id', which is considered the 'invoice id' by PayPal/Payflow (this makes it possible to line up transactional information either later on our end [eg from CiviCRM] or from the PayPal manager with the information contained in this log). We primarily use this log to keep track of timing information - how long it takes to communicate with the various third party services (MaxMind and PayflowPro), timeouts, retries, etc.

It is important to note that for our purposes, these log files actually get aggregated and later archived - more details can be found on the documentation for the payments cluster.


Handles the redirect from the Wikimedia site to PayPal for donations.

We are implementing a stand-alone listener to talk to PayPal's IPN and push pending PayPal transactions into the proper queue (see


See also: Tracking Architecture

The ContributionTracking extension provides an unlisted special page for logging online donations. When the donation process is initiated, the extension stores some basic information in the Drupal contribution_tracking table and the transaction is assigned a unique, internal ID. This ID is used to track the contribution through the process of being validated and ultimately consumed in CiviCRM.

This extension also exposes a function contributionTrackingConnection() which will allow you to connect to the database containing the contribution_tracking table.


This extension makes it possible to provide a user-facing link that will direct the user to n possible URLs x% of the time. For instance, this is useful for doing randomized A/B testing - you can configure the module to send 50% of clicks to one URL, and the other 50% to another URL. The percentages are completely configurable as are the URLs. This was used extensively to make the 'Donate' sidebar link on Wikipedia point to a number of different donation landing pages for testing purposes.

High-level Overview of Donation Pipeline

Click the images for further explanation.

Miscellaneous Scripts

There are some miscellaneous scripts to help with things like Paypal Verification, queue handling, etc. Details of which can be found on


See Fundraising/Translation for more info

  • Donatewiki translations go out regularly on the l10n cache
  • TYs need to be manually deployed - make a task for this and put it in pending review in the current sprint
  • Subject line needs to be manually deployed - make a task for this and put it in pending review in the current sprint
  • Payments needs to be manually deployed - make a task for this and put it in pending review in the current sprint

Public reporting - possibly entirely out of date

The public reporting data is stored in the civicrm.public_reporting table on db9. This data gets replicated to the slave database, db10, which is where the public reporting pages actually pull the data from.

The code that manages the public reporting data lives in /srv/org.wikimedia.civicrm/sites/all/bin/public_reporting on the grosley server (

  • table.sql - Creates the public_reporting table
  • trigger.sql - Sets up the database triggers for updating the table
  • synchronize.sql - Can be used to manually sync the public reporting data with the existing contribution records

The reporting pages are created through the ContributionReporting mediawiki exntension

F How we work

Fundraising Emergencies

Fundraising Engineering Documentation has with system information and emergency response protocols. Or more specifically Shutting the pipeline down details how/when to disable banner campaigns or other fundraising/payment services.

Fundraising On-Call documentation

Fundraising Engineering On-call documentation is a quick-reference page for on-call duty.

Feature / Bug Trackers

There's loads of information about how fr-tech triages bugs here:

Not sure what to do next? See Fundraising Tech's Phabricator Workboard