Page MenuHomePhabricator

CU 2.0: Enable Special:Investigate on testwiki [small]
Closed, ResolvedPublic1 Estimated Story Points

Description

Goal

For the purposes of testing, we should enable Special:Investigate on testwiki. Per the guidance we received, it should initially be enabled for only staff right holders so we can QA it to ensure there are no security bugs. After a week or two of testing, it can be enabled for more users.

Acceptance criteria
  • Enable Special:Investigate on testwiki for users who are in the WMF staff group.

Event Timeline

Niharika triaged this task as Medium priority.Mar 13 2020, 10:33 PM
Niharika created this task.
DannyS712 added subscribers: sbassett, Prtksxna, DannyS712.

@Niharika is the intention to add specific configuration so that only users in the staff global group can use the page? staff is not a right, but the group is granted checkuser rights, which is what is (currently) needed to use the special page.
Note that @Prtksxna and @sbassett are local checkusers (Prtksxna only until march 17) but neither appears to be in the staff global group; they would also have access unless a specific check is added against user groups

Note: I was granted functionary rights by Trust-and-Safety on testwiki and test2wiki due to my role on the Security-Team and my involvement with CU development and testing. This was not done via the staff group as I believe that grants functionary rights across all of the projects, which I do not require. It also might be noteworthy that I have both deployment and analytics-privatedata rights and so technically have unlimited, unmonitored access to all of the same underlying data that CU would be able to access.

Probably the best way to do this would be to add a new right, and then add that right to the requested groups.

ARamirez_WMF renamed this task from CU 2.0: Enable Special:Investigate on testwiki to CU 2.0: Enable Special:Investigate on testwiki [small].Mar 18 2020, 4:51 PM
ARamirez_WMF set the point value for this task to 1.

Probably the best way to do this would be to add a new right, and then add that right to the requested groups.

Going to add a new investigate right. Should it also be required for the investigate log, or should the checkuser right be enough (or either? both?)

Probably the best way to do this would be to add a new right, and then add that right to the requested groups.

Going to add a new investigate right. Should it also be required for the investigate log, or should the checkuser right be enough (or either? both?)

Also for the log. Thanks.

Change 581075 had a related patch set uploaded (by DannyS712; owner: DannyS712):
[mediawiki/extensions/CheckUser@master] Add a new investigate right

https://gerrit.wikimedia.org/r/581075

Probably the best way to do this would be to add a new right, and then add that right to the requested groups.

Going to add a new investigate right. Should it also be required for the investigate log, or should the checkuser right be enough (or either? both?)

Also for the log. Thanks.

So just investigate for the log? Looking closer, checkuser and checkuser-log are distinct

Probably the best way to do this would be to add a new right, and then add that right to the requested groups.

Going to add a new investigate right. Should it also be required for the investigate log, or should the checkuser right be enough (or either? both?)

Also for the log. Thanks.

So just investigate for the log? Looking closer, checkuser and checkuser-log are distinct

@DannyS712 The same new investigate right for Special:Investigate and its log page are fine. This is temporary and we will likely get rid of the special right once we've put it through a few rounds of testing.
Do you know why checkuser and checkuser-log are distinct?

Probably the best way to do this would be to add a new right, and then add that right to the requested groups.

Going to add a new investigate right. Should it also be required for the investigate log, or should the checkuser right be enough (or either? both?)

Also for the log. Thanks.

So just investigate for the log? Looking closer, checkuser and checkuser-log are distinct

@DannyS712 The same new investigate right for Special:Investigate and its log page are fine. This is temporary and we will likely get rid of the special right once we've put it through a few rounds of testing.
Do you know why checkuser and checkuser-log are distinct?

Probably to allow read-only access and for auditing the log

Do you know why checkuser and checkuser-log are distinct?

It was done in T16839, but it does not appear to be used in production any longer (from what I can tell):
https://github.com/wikimedia/operations-mediawiki-config/blob/203f468dcdf3f07aa6f2c25bd7486861f8a95af4/wmf-config/CommonSettings.php#L917-L918

I reckon this ticket still needs a patch to add the new right to the staff group?

I reckon this ticket still needs a patch to add the new right to the staff group?

Nope - that is an onwiki change via global group rights. However, the right cannot be granted until the patch is deployed, because until then it isn't known to exist

Change 581075 merged by jenkins-bot:
[mediawiki/extensions/CheckUser@master] Add a new investigate right

https://gerrit.wikimedia.org/r/581075

Change 583105 had a related patch set uploaded (by DannyS712; owner: DannyS712):
[operations/mediawiki-config@master] Enable Special:Investigate on testwiki, and add investigate right

https://gerrit.wikimedia.org/r/583105

DannyS712 changed the task status from Open to Stalled.Mar 24 2020, 5:11 PM

Since the new feature isn't included in 1.35.0-wmf.25, not going to schedule the config update for SWAT until the actual feature is deployed next week

Change 583339 had a related patch set uploaded (by Dbarratt; owner: DannyS712):
[mediawiki/extensions/CheckUser@wmf/1.35.0-wmf.25] Add a new investigate right

https://gerrit.wikimedia.org/r/583339

dbarratt changed the task status from Stalled to Open.Mar 25 2020, 2:00 PM

Since the new feature isn't included in 1.35.0-wmf.25, not going to schedule the config update for SWAT until the actual feature is deployed next week

Going to SWAT the feature as well as the config change: https://wikitech.wikimedia.org/wiki/Deployments#deploycal-item-20200325T2300

Change 583339 merged by Catrope:
[mediawiki/extensions/CheckUser@wmf/1.35.0-wmf.25] Add a new investigate right

https://gerrit.wikimedia.org/r/583339

Change 583105 merged by jenkins-bot:
[operations/mediawiki-config@master] Enable Special:Investigate on testwiki, and add investigate right

https://gerrit.wikimedia.org/r/583105

Mentioned in SAL (#wikimedia-operations) [2020-03-25T23:38:55Z] <catrope@deploy1001> Synchronized php-1.35.0-wmf.25/extensions/CheckUser/: Add new investigate right (T247645) (duration: 03m 17s)

Mentioned in SAL (#wikimedia-operations) [2020-03-25T23:49:21Z] <catrope@deploy1001> Synchronized wmf-config/CommonSettings.php: Add investigate to $wgAvailableRights (T247645) (duration: 03m 16s)

Mentioned in SAL (#wikimedia-operations) [2020-03-26T00:06:37Z] <catrope@deploy1001> Synchronized wmf-config/InitialiseSettings.php: Enable Special:Investigate on testwiki (T247645) (duration: 03m 14s)

Per the discussion on IRC that this is working, closing; has been enabled