Epic: IP Info access
Open, Medium, Public

Description

In the context of IP Info, "access" covers:

Rights

IP Info has two separate sets of MediaWiki rights:

  1. The right that allows the user to enable the tool, ipinfo
  2. The rights that control the user's access to the information provided by the tool – T292626: Create and implement IP Info viewing rights [L]

In addition, there is the right to use the tool, which is gated by #1 above and by the user having enabled the tool and agreed to its terms of use – T291582: Implement condition agreements in Special:Preferences [M] and T264150: User needs to request access to IP information [L]

Access will work as follows for the MVP version:

  • "Full" access: Limited to sysop, bureaucrat, checkuser, oversight and steward user groups.
  • "Basic" access: All other registered users

Logging and reporting

@STran and @Niharika met with members of the Legal and Trust & Safety teams today to iron out the logging requirements. Here are the requirements that were discussed:

  1. The logs should capture:
    • Who performed the IP information check
    • Access of the performer (limited or full)
    • Against which IP address
    • Whether it was the popup or the accordion
    • Timestamp of the check
  2. To avoid the problem of log spam, only one log entry will be captured if multiple checks are made by the same user against the same IP over a period of 24 hours (rolling or one UTC day). Note that we will have a separate log entry for popup check versus accordion check but each of them will be captured only once every 24 hours.
    • This time period needs to be configurable to allow flexibility in the future.
  3. Retention: Logs will be retained forever.
  4. For now, the WMF 'staff' group will have access. This will need to be configurable to allow flexibility in the future.
  5. The users will be informed that their checks will be logged when they accept the terms of access. (Ticket TBD)
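
The sketch below is an added example, not code from the IP Info extension. It works through requirements 1 and 2 and shows where the two readings of "24 hours" (rolling versus one UTC day) give different logs. The class name, field names, mode names and sample user are assumptions made for illustration.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

class IPInfoAccessLog:
    """Hypothetical model of the logging rules above (not the extension's code)."""

    def __init__(self, period=timedelta(hours=24), mode="rolling"):
        if mode not in ("rolling", "utc_day"):
            raise ValueError("mode must be 'rolling' or 'utc_day'")
        self.period = period    # requirement 2: configurable suppression period
        self.mode = mode        # which reading of "24 hours" applies
        self.entries = []       # requirement 3: entries are never pruned
        self._last_logged = {}  # (performer, ip, interface) -> last logged time

    def record(self, performer, access, ip, interface, when):
        """Return True if a log entry was written, False if it was suppressed."""
        if interface not in ("popup", "accordion"):
            raise ValueError("interface must be 'popup' or 'accordion'")
        # Canonical form, so two spellings of one IPv6 address share a key.
        ip = ipaddress.ip_address(ip).compressed
        when = when.astimezone(timezone.utc)
        # Popup and accordion are logged separately, so interface is in the key.
        key = (performer, ip, interface)
        last = self._last_logged.get(key)
        if last is not None and self._same_window(last, when):
            return False
        self._last_logged[key] = when
        self.entries.append({"performer": performer, "access": access, "ip": ip,
                             "interface": interface, "timestamp": when.isoformat()})
        return True

    def _same_window(self, last, when):
        if self.mode == "utc_day":
            return last.date() == when.date()  # calendar day; period is unused
        return when - last < self.period       # measured from the last logged entry

def demo(mode):
    """Constructed sample: four checks by one user around a UTC midnight."""
    log = IPInfoAccessLog(mode=mode)
    t = datetime(2021, 10, 8, 23, 0, tzinfo=timezone.utc)
    checks = [("2001:db8::1", "popup", t),
              ("2001:DB8:0:0:0:0:0:1", "popup", t + timedelta(minutes=5)),
              ("2001:db8::1", "accordion", t + timedelta(minutes=6)),
              ("2001:db8::1", "popup", t + timedelta(hours=2))]
    return [log.record("ExampleUser", "full", ip, ui, ts) for ip, ui, ts in checks]
```

Under the rolling reading the fourth check (01:00 the next day) is suppressed; under the UTC-day reading it produces a new entry because the date has changed.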

Revocation

From T264150: User needs to request access to IP information [L] only:

  • T&S/Legal reserve the right to revoke a user’s access permissions in case of abuse
  • If a user’s permission is revoked by us, they should not be able to activate it again
  • There is a possibility that users might need to regain access periodically (TBD)

While estimating T291854: Create revoke user access maintenance script, we also discussed:

  • The user's access should be revoked across all wikis

Event Timeline

Niharika triaged this task as Medium priority. Oct 8 2021, 11:02 PM
Niharika updated the task description.
JJMC89 renamed this task from Epic: Access to Epic: IP Info access. Nov 19 2021, 4:16 PM