Page MenuHomePhabricator
Create Task
Maniphest T264879

IPInfo: Consider permissions logic for getting IP information from log entries
Closed, ResolvedPublic3 Estimated Story PointsOct 20 2020
Actions

Description

What is the problem?

If a log entry is deleted and only the option "Hide target and parameters" is checked (screenshot), it is still possible to see information about the performer and/or target of the log action.

Note that if both the performer and target of a logged action is an IP, IPInfo will return information about both of them.

For example, if an anonymous user on 192.168.1.1 creates the page User:192.168.1.2.

Proposal 1:

We don't want to see info about the Target of a logged action at all. We are only interested in IPs that are performing actions, not having actions done on them.

Proposal 2:

Come up with some sort of permissions logic based on whether user has ipinfo, deletedhistory (which allows them to see deleted log entries, I think...) and/or suppressionlog (which allows them to see suppressed log entries).

Below are some of my own proposals of how it could work.

The deleted state of a log entry (based on the bit field in the logging table, which are defined in English below) and what users with different rights should be able to see:

Deleted Stateipinfoipinfo + deletedhistoryipinfo + suppressionlog
DELETED_ACTIONCannot viewPerformer + TargetPerformer + Target
DELETED_USERCannot viewPerformer + TargetPerformer + Target
DELETED_RESTRICTED + DELETED_ACTIONCannot viewCannot viewPerformer + Target
DELETED_RESTRICTED + DELETED_USERCannot viewCannot viewPerformer + Target

The equivalent deleted state as it appears in English:
DELETED_ACTION = "Hide target and parameters"
DELETED_USER = "Editor's username/IP address"
DELETED_RESTRICTED = "Suppress data from administrators as well as others"

Proposal 3:

Similar to 2, but a bit more granular:

Deleted Stateipinfoipinfo + deletedhistoryipinfo + suppressionlog
DELETED_ACTIONPerformerPerformer + TargetPerformer + Target
DELETED_USERTargetPerformer + TargetPerformer + Target
DELETED_RESTRICTED + DELETED_ACTIONPerformerPerformerPerformer + Target
DELETED_RESTRICTED + DELETED_USERTargetTargetPerformer + Target
Steps to reproduce problem
  1. Login as a user with deletelogentry rights
  2. Go to Special:Log
  3. Find a log of an action performed by or performed on an IP
  4. Check the box next to it and click "Change visibility of selected log entries"
  5. Make a note of the log id, which will be in the url (e.g. ?action=historysubmit&type=logging&revisiondelete=1&ids[$log_id]=1)
  6. Check "Hide target and parameters" and click "Apply to selected revision"
  7. Login as another user who has ipinfo permissions but not other permissions (like deletedhistory or suppressionlog)
  8. Go to $wiki_url/rest.php/ipinfo/v0/log/$log_id

Expected behavior: You cannot see any information about the IP(s)
Observed behavior: See information about the IP(s)

Environment

Wiki(s): local docker environment MediaWiki 1.36.0-alpha (ac4a4f5) 06:33, 7 October 2020; IP Info 0.0.0 (fba8213) 06:36, 7 October 2020

Screenshots (if applicable):

delete_log_entry.png (641×827 px, 75 KB)

Details

Due Date
Oct 20 2020, 4:00 AM
SubjectRepoBranchLines +/-
Control access to log targetmediawiki/extensions/IPInfomaster+186 -8
Customize query in gerrit

Related Objects

Event Timeline

dom_walden created this task.Oct 7 2020, 1:16 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 7 2020, 1:16 PM
Niharika moved this task from Untriaged to Triage/To be Estimated on the Anti-Harassment board.Oct 7 2020, 3:21 PM
Niharika set the point value for this task to 3.Oct 7 2020, 4:06 PM
ARamirez_WMF moved this task from Triage/To be Estimated to Cards ready for development on the Anti-Harassment board.Oct 7 2020, 4:08 PM
ARamirez_WMF moved this task from Cards ready for development to The Letter Song on the Anti-Harassment board.Oct 8 2020, 3:44 PM
ARamirez_WMF edited projects, added Anti-Harassment (The Letter Song); removed Anti-Harassment.
ARamirez_WMF changed the subtype of this task from "Bug Report" to "Deadline".Oct 8 2020, 10:13 PM
ARamirez_WMF set Due Date to Oct 20 2020, 4:00 AM.
dbarratt claimed this task.Oct 10 2020, 12:50 AM
dbarratt moved this task from Ready 🎬 (ONLY IF YOU HAVE NO MORE CODE TO REVIEW) to In Progress 💪 on the Anti-Harassment (The Letter Song) board.
gerritbot added a comment.Oct 10 2020, 4:46 PM

Change 633313 had a related patch set uploaded (by Dbarratt; owner: Dbarratt):
[mediawiki/extensions/IPInfo@master] Control access to to log target

https://gerrit.wikimedia.org/r/633313

gerritbot added a project: Patch-For-Review.Oct 10 2020, 4:46 PM
dbarratt moved this task from In Progress 💪 to Code Review 🔍 on the Anti-Harassment (The Letter Song) board.Oct 10 2020, 4:46 PM
Tchanders subscribed.Oct 12 2020, 8:55 PM

Thanks for the thorough notes @dom_walden. I think proposal 3 looks the most correct - here's why...

The equivalent deleted state as it appears in English:
DELETED_ACTION = "Hide target and parameters"
DELETED_USER = "Editor's username/IP address"
DELETED_RESTRICTED = "Suppress data from administrators as well as others"

DELETED_RESTRICTED appears to mean "suppress whatever it is you deleted", rather than "suppress the whole log entry". E.g. attempting to submit the form (see task description screenshot) with only DELETED_RESTRICTED selected results in an error.

It makes sense to show as much as is allowed and no more, so if DELETED_USER & DELETED_RESTRICTED means the user is suppressed, then the target should still be visible.

Tchanders added a comment.Oct 13 2020, 10:17 AM

@dbarratt For a better example of how DELETED_RESTRICTED works, here's what ApiQueryLogEvents does. TL;DR, as above, it suppresses whatever was deleted, rather than the full log entry. The full log entry is only hidden in some specific circumstances (example below).

With no user param in the query:

no deleted log rightsdeletedhistory onlydeletedhistory and viewsuppressed
log entry with DELETED_USERSees most of entry, but without the performerSees full entrySees full entry
log entry with DELETED_USER + DELETED_RESTRICTEDSees most of entry, but without the performerSees most of entry, but without the performerSees full entry

If user param was specified in the query:

no deleted log rightsdeletedhistory onlydeletedhistory and viewsuppressed
log entry with DELETED_USERSees no entrySees full entrySees full entry
log entry with DELETED_USER + DELETED_RESTRICTEDSees no entrySees no entrySees full entry

(The log entries with a hidden user don't show up at all if the user param is set, to avoid deducing the hidden users - T19342.)

Tchanders moved this task from Code Review 🔍 to QA/Testing 🐞 on the Anti-Harassment (The Letter Song) board.Oct 19 2020, 5:26 PM
gerritbot added a comment.Oct 19 2020, 5:52 PM

Change 633313 merged by jenkins-bot:
[mediawiki/extensions/IPInfo@master] Control access to log target

https://gerrit.wikimedia.org/r/633313

Maintenance_bot removed a project: Patch-For-Review.Oct 19 2020, 6:10 PM
dom_walden added a comment.EditedNov 5 2020, 3:16 PM

Based on testing locally:

Deleted Stateipinfoipinfo + deletedhistoryipinfo + viewsuppressed
Performer + TargetPerformer + TargetPerformer + Target
DELETED_ACTIONPerformerPerformer + TargetPerformer + Target
DELETED_USERTargetPerformer + TargetPerformer + Target
DELETED_RESTRICTED + DELETED_ACTIONPerformerPerformerPerformer + Target
DELETED_RESTRICTED + DELETED_USERTargetTargetPerformer + Target

Which I believe is consistent with Proposal 3. I made a mistake in the description. The correct right is viewsuppressed (as Thalia notes), not suppressionlog.

Also:

Deleted Stateipinfoipinfo + deletedhistoryipinfo + viewsuppressed
DELETED_ACTION + DELETED_USERYour account does not have access...Performer + TargetPerformer + Target
DELETED_RESTRICTED + DELETED_ACTION + DELETED_USERYour account does not have access...Your account does not have access...Performer + Target

A user cannot see logs of an action unless they have the appropriate rights to see the action. For example, to use IPInfo on a log of a suppress action, the user needs the suppressionlog right.

A blocked user can still use IPInfo. I don't know if this should be changed. I will probably raise a bug, just in case.

Test Environment: MediaWiki 1.36.0-alpha (4db4fa3), IP Info 0.0.0 (5e4e994).

dbarratt removed dbarratt as the assignee of this task.Nov 5 2020, 3:26 PM
dbarratt subscribed.
dom_walden moved this task from QA/Testing 🐞 to Done: Q2 (2020-2021) ✅ on the Anti-Harassment (The Letter Song) board.Nov 5 2020, 3:34 PM
Tchanders closed this task as Resolved.Dec 3 2020, 1:16 PM
Tchanders claimed this task.
dbarratt unsubscribed.Dec 3 2020, 1:30 PM
Niharika moved this task from Backlog to Closed on the IP Info board.Aug 8 2022, 8:02 PM
AGueyte mentioned this in T263442: Display API failure errors in the IPInfo popup.Aug 12 2022, 3:48 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL