Page MenuHomePhabricator
Create Task
Maniphest T111439

Current he.wiki interface-editor group config doesn't comply with privacy policy
Closed, ResolvedPublic
Actions

Description

Currently he.wiki's interface-editor group has the following userrights:
*abusefilter-hidden-log
*abusefilter-hide-log
which are oversight-level rights. As soon as a request to suppress some abuselog's entry will come, this config will break privacy policy by giving access to suppressed data to non-identified users.

Details

SubjectRepoBranchLines +/-
Revoke suppression-level rights from interface editors on hewikioperations/mediawiki-configmaster+1 -2
Customize query in gerrit

Related Objects

Event Timeline

Vituzzu created this task.Sep 3 2015, 8:01 PM
Vituzzu raised the priority of this task from to Needs Triage.
Vituzzu updated the task description. (Show Details)
Vituzzu added a project: Wikimedia-Site-requests.
Vituzzu added subscribers: Vituzzu, Snowolf, MarcoAurelio and 2 others.
Restricted Application added subscribers: Matanya, Aklapper. · View Herald TranscriptSep 3 2015, 8:01 PM
Vituzzu mentioned this in T109755: Add new user groups for azbwiki.Sep 3 2015, 8:02 PM
Krenair subscribed.EditedSep 3 2015, 8:06 PM

I checked back through the history of that permission earlier, unfortunately it seems to predate the migration of mediawiki-config to the public git repository, and the history of the old private SVN repository was lost.

Snowolf added a comment.EditedSep 3 2015, 8:11 PM

The matter was originally discussed on T34048 it seems. The original requested is already cc'ed on this bug.

Krenair added a project: Privacy.Sep 3 2015, 8:13 PM
Jalexander added a comment.Sep 4 2015, 1:53 AM

I left this note on a gerrit change earlier but, yes, this is a suppression level right and it should be removed. I see how it happened (just adding all of the abusefilter rights and it's not well documented) but that's how it's been used (essentially deleting logs which contain private data and being able to view those deleted logs).

gerritbot subscribed.Sep 4 2015, 1:58 AM

Change 235960 had a related patch set uploaded (by Alex Monk):
Revoke suppression-level rights from interface editors on hewiki

https://gerrit.wikimedia.org/r/235960

gerritbot added a project: Patch-For-Review.Sep 4 2015, 1:58 AM

Change 235960 merged by jenkins-bot:
Revoke suppression-level rights from interface editors on hewiki

https://gerrit.wikimedia.org/r/235960

Krenair closed this task as Resolved.Sep 4 2015, 1:58 AM
Krenair claimed this task.
Krenair mentioned this in rOMWCfcbb07a193eb: Revoke suppression-level rights from interface editors on hewiki.Sep 4 2015, 1:59 AM
Krenair moved this task from Backlog to Done on the Wikimedia-Site-requests board.Sep 8 2015, 4:22 PM
IKhitron awarded a token.Feb 28 2018, 11:33 AM
IKhitron subscribed.
sbassett triaged this task as Medium priority.Oct 16 2019, 5:35 PM
sbassett moved this task from Intake to Done on the Privacy board.
sbassett removed a project: Patch-For-Review.Oct 16 2019, 5:45 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL