Page MenuHomePhabricator

Allow users to see their own stored private information ("self-CheckUser")
Closed, DuplicatePublic

Description

Users should be able to see what a particular wiki is storing about them using the CheckUser tool or some equivalent. This would include stored IP addresses and user-agents, namely. I think this would be mostly interesting to users, but it might have other use-cases as well.


Version: unspecified
Severity: enhancement
URL: https://www.mediawiki.org/wiki/Requests_for_comment/Retained_account_data_self-discovery

Details

Reference
bz27242

Event Timeline

bzimport raised the priority of this task from to Low.Nov 21 2014, 11:18 PM
bzimport set Reference to bz27242.
bzimport added a subscriber: Unknown Object (MLST).

Don't we make an effort *not* to store information? Wouldn't this sort of extension require us to store the information we don't store? Or, at least, copy the information that is currently only kept in log files?

I think what is being requested is to just be able to see the information currently available to checkusers, not to store new information.

(In reply to comment #1)

Don't we make an effort *not* to store information? Wouldn't this sort of
extension require us to store the information we don't store? Or, at least,
copy the information that is currently only kept in log files?

Information such as past used IP addresses and user agents is already stored (for 30 days, by default). It can be queried via the CheckUser extension without extending the storage duration or even altering the database (except updating the CheckUser log). You don't need to store the results of the query (the CheckUser extension doesn't, for example). For self-checks, you probably don't even need to log the queries, but that's debatable, I suppose.

No, this is a terrible idea. If we really wanted to make it super easy for inexperienced sockers to game the CU system, we would have replaced the Main Page with your Guide To Socking.

Changed priority to low not due to its merits but because of the nature of this enhancement (it is a wanted extra feature, not an improvement requiring urgency).

Isn't this a duplicate of some other wontfixed bug?

I do like the 'freedom of information act' feel of being able to look up whatever data is recorded... Recommend at least keeping it under consideration.

We could make it a config option to disable the feature for sites that don't want it

Possibly related: https://gerrit.wikimedia.org/r/53683.

Instead of only storing last login time, we could also store IP addresses and User-Agent strings of logins, for account security purposes. I think Gmail and others do this.

pgehres wrote:

In re Extension:AccountAudit, maybe. The goal of this extension is to finalize the SUL migration and then un-deploy the extension. There is also talk of adding the last login table to core.

I like the idea of allowing self-CU, but I think that should be part of Extension:CheckUser.

For a variety of reasons (not least that this kind of feature is *expected* of large websites today), I would withdraw my earlier opposition to this feature request.

This needs a mock. I'll see what I can do about getting one made.

[[mw:Extension:AccountInfo]] does this, supporting both the $wgPutIPinRC option (enabled by default) and CheckUser.

"Let's teach serial sock abusers how to be better sock puppets by tipping our hand at them and showing them what we know."

"Let's teach serial sock abusers how to be better sock puppets by tipping our hand at them and showing them what we know."

I imagine most serial sock abusers are capable of looking up (or spoofing) their own IP address and User-Agent. :-)

T387#1182228 is related.

That's not an argument for making it easier for them to see where they goofed up in their bad behavior.

EddieGP added a subscriber: tstarling.

Seems to be a duplicate of T387

Declining after architecture committee discussion, due to rationale given by csteipp.

That's why I'm closing here, feel free to overrule when this impression was wrong.