In T254934 we have a case where some parts of the abuse log appear to be purged in the CU log. That task contains private information and the logs are in Persian (fawiki) so to facilitate the investigation, I am creating this parallel task whereby I describe the situation in a de-identified way, so as to figure out how the data ended up being purged in that way.
CU get edits result
Running a "get edits" query on the user in question resulted in a log entry that appeared like below. I redacted some parts to preserve privacy (the parts I redacted are in ALLCAPS); I also changed the date and time for the same reason.
1 June 2020 (Logs) . . 01:01 . . USERNAME talk contribs block (username removed) (log details removed) IP: 184.108.40.206 SOMEUSERAGENT
Given the username and the date and time, I quickly identified that the log is indeed an AbuseFilter log. Of note, the abuse log is *not* deleted or suppressed, and has never been.
A query on the cu_changes table was run on the production server, and the result looked like this (again, data has been modified to preserve identity):
select * from cu_changes where cuc_timestamp like '2020060101%' and cuc_user_text = 'USERNAME' limit 10\G *************************** 3. row *************************** cuc_id: SOMEID cuc_namespace: 4 cuc_title: PAGETITLE cuc_user: USERID cuc_user_text: USERNAME cuc_actiontext: (username removed) (log details removed) cuc_comment: cuc_minor: 0 cuc_page_id: SOMEPAGEID cuc_this_oldid: 0 cuc_last_oldid: 0 cuc_type: 3 cuc_timestamp: 20200601010101 cuc_ip: 220.127.116.11 cuc_ip_hex: SOMEIPHEX cuc_xff: cuc_xff_hex: NULL cuc_agent: SOMEUSERAGENT
I am having a hard time finding a hook in CheckUser code that would allow updating an existing cu_changes entry when its associated log is revdeled or supressed. This log was not revdeled or supressed, but if we had such a hook, maybe some piece of code incorrectly executed it? (UPDATE: this was not the case)
Alternatively, is it at all possible that the data was originally entered in this way (as opposed to being updated later)? (UPDATE: this was the case)