For the purposes of testing, we should enable Special:Investigate on testwiki. Per the guidance we received, it should initially be enabled for only staff right holders so we can QA it to ensure there are no security bugs. After a week or two of testing, it can be enabled for more users.
@Niharika is the intention to add specific configuration so that only users in the staff global group can use the page? staff is not a right, but the group is granted checkuser rights, which is what is (currently) needed to use the special page.
Note that @Prtksxna and @sbassett are local checkusers (Prtksxna only until march 17) but neither appears to be in the staff global group; they would also have access unless a specific check is added against user groups
Note: I was granted functionary rights by Trust-and-Safety on testwiki and test2wiki due to my role on the Security-Team and my involvement with CU development and testing. This was not done via the staff group as I believe that grants functionary rights across all of the projects, which I do not require. It also might be noteworthy that I have both deployment and analytics-privatedata rights and so technically have unlimited, unmonitored access to all of the same underlying data that CU would be able to access.
Probably the best way to do this would be to add a new right, and then add that right to the requested groups.
Going to add a new investigate right. Should it also be required for the investigate log, or should the checkuser right be enough (or either? both?)
Change 581075 had a related patch set uploaded (by DannyS712; owner: DannyS712):
[mediawiki/extensions/CheckUser@master] Add a new investigate right
So just investigate for the log? Looking closer, checkuser and checkuser-log are distinct
@DannyS712 The same new investigate right for Special:Investigate and its log page are fine. This is temporary and we will likely get rid of the special right once we've put it through a few rounds of testing.
Do you know why checkuser and checkuser-log are distinct?
It was done in T16839, but it does not appear to be used in production any longer (from what I can tell):
https://github.com/wikimedia/operations-mediawiki-config/blob/203f468dcdf3f07aa6f2c25bd7486861f8a95af4/wmf-config/CommonSettings.php#L917-L918
Nope - that is an onwiki change via global group rights. However, the right cannot be granted until the patch is deployed, because until then it isn't known to exist
Change 581075 merged by jenkins-bot:
[mediawiki/extensions/CheckUser@master] Add a new investigate right
Change 583105 had a related patch set uploaded (by DannyS712; owner: DannyS712):
[operations/mediawiki-config@master] Enable Special:Investigate on testwiki, and add investigate right
Since the new feature isn't included in 1.35.0-wmf.25, not going to schedule the config update for SWAT until the actual feature is deployed next week
Change 583339 had a related patch set uploaded (by Dbarratt; owner: DannyS712):
[mediawiki/extensions/CheckUser@wmf/1.35.0-wmf.25] Add a new investigate right
Going to SWAT the feature as well as the config change: https://wikitech.wikimedia.org/wiki/Deployments#deploycal-item-20200325T2300
Change 583339 merged by Catrope:
[mediawiki/extensions/CheckUser@wmf/1.35.0-wmf.25] Add a new investigate right
Change 583105 merged by jenkins-bot:
[operations/mediawiki-config@master] Enable Special:Investigate on testwiki, and add investigate right
Mentioned in SAL (#wikimedia-operations) [2020-03-25T23:38:55Z] <catrope@deploy1001> Synchronized php-1.35.0-wmf.25/extensions/CheckUser/: Add new investigate right (T247645) (duration: 03m 17s)
Mentioned in SAL (#wikimedia-operations) [2020-03-25T23:49:21Z] <catrope@deploy1001> Synchronized wmf-config/CommonSettings.php: Add investigate to $wgAvailableRights (T247645) (duration: 03m 16s)
Mentioned in SAL (#wikimedia-operations) [2020-03-26T00:06:37Z] <catrope@deploy1001> Synchronized wmf-config/InitialiseSettings.php: Enable Special:Investigate on testwiki (T247645) (duration: 03m 14s)