
Grant certain groups the ipinfo-view-full right
Closed, Resolved | Public | 2 Estimated Story Points

Description

Background

From T292755: Epic: IP Info access:

Access will work as follows for the MVP version:

  • "Full" access: Limited to sysop, bureaucrat, checkuser, oversight and steward user groups.

AC

  • sysops, bureaucrats, checkusers, oversight members, and stewards all have the ipinfo, ipinfo-view-basic and ipinfo-view-full rights, e.g.
operations/mediawiki-config/wmf-config/CommonSettings.php
// See https://gerrit.wikimedia.org/g/operations/mediawiki-config/+/944b45a6d4a47f00d7dcdafbc7ddb5e5a88a5f67/wmf-config/CommonSettings.php#4012
if ( $wmgUseIPInfo ) {
  wfLoadExtension( 'IPInfo' );

  $wgGroupPermissions['sysop']['ipinfo-view-full'] = true;
  // etc
}
  • The staff group is assigned the ipinfo-view-log right, as above

Notes

  1. See the MediaWiki manual entry for $wgGroupPermissions
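
An added example, not code from this task or from operations/mediawiki-config: one way to check a `$wgGroupPermissions`-shaped array against the acceptance criteria above and to flag any other group that holds `ipinfo-view-full` or `ipinfo-view-log`. The function name, the report keys and the sample array are constructed for illustration; the globally managed groups are passed as a parameter because the discussion below reports that staff and steward have their permissions managed on-wiki rather than in this file.

```php
<?php
// Added example. Expected grants are transcribed from the task's acceptance criteria.
const FULL_GROUPS = [ 'sysop', 'bureaucrat', 'checkuser', 'oversight', 'steward' ];
const FULL_RIGHTS = [ 'ipinfo', 'ipinfo-view-basic', 'ipinfo-view-full' ];
const LOG_GROUPS = [ 'staff' ];
const SENSITIVE_RIGHTS = [ 'ipinfo-view-full', 'ipinfo-view-log' ];

/**
 * @param array $groupPermissions Same shape as $wgGroupPermissions
 * @param string[] $globalGroups Groups whose rights are managed outside that array
 * @return array "group:right" strings under missing, checkOnWiki and unexpected
 */
function auditIPInfoGrants( array $groupPermissions, array $globalGroups ): array {
	$expected = [];
	foreach ( FULL_GROUPS as $group ) {
		foreach ( FULL_RIGHTS as $right ) {
			$expected[$group][$right] = true;
		}
	}
	foreach ( LOG_GROUPS as $group ) {
		$expected[$group]['ipinfo-view-log'] = true;
	}
	$report = [ 'missing' => [], 'checkOnWiki' => [], 'unexpected' => [] ];
	foreach ( $expected as $group => $rights ) {
		foreach ( array_keys( $rights ) as $right ) {
			if ( ( $groupPermissions[$group][$right] ?? false ) === true ) {
				continue;
			}
			// A gap for a globally managed group cannot be judged from this array.
			$bucket = in_array( $group, $globalGroups, true ) ? 'checkOnWiki' : 'missing';
			$report[$bucket][] = "{$group}:{$right}";
		}
	}
	// Least-privilege drift: a sensitive right held by a group the criteria do not list.
	foreach ( $groupPermissions as $group => $rights ) {
		foreach ( SENSITIVE_RIGHTS as $right ) {
			if ( ( $rights[$right] ?? false ) === true && !isset( $expected[$group][$right] ) ) {
				$report['unexpected'][] = "{$group}:{$right}";
			}
		}
	}
	return $report;
}

// Constructed sample array, not the production configuration.
$sample = [
	'sysop' => [ 'ipinfo' => true, 'ipinfo-view-basic' => true, 'ipinfo-view-full' => true ],
	'checkuser' => [ 'ipinfo' => true, 'ipinfo-view-full' => true ],
	'user' => [ 'ipinfo-view-full' => true ],
];
print_r( auditIPInfoGrants( $sample, [ 'staff', 'steward' ] ) );
```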


Event Timeline

Tchanders renamed this task from Grant certain groups the ipinfo-view-full right to Grant certain groups the ipinfo-view-full right [2]. Jan 25 2022, 6:15 PM
Tchanders renamed this task from Grant certain groups the ipinfo-view-full right [2] to Grant certain groups the ipinfo-view-full right. Jan 25 2022, 6:18 PM
Tchanders set the point value for this task to 2.

Change 766882 had a related patch set uploaded (by STran; author: STran):

[operations/mediawiki-config@master] Add IPInfo viewing rights for certain groups

https://gerrit.wikimedia.org/r/766882

@phuedx Do we also want to assign ipinfo and ipinfo-view-basic to these groups here too, or are we intending to rely on the autopromote mechanism in T296184? (Though I guess they don't really need ipinfo-view-basic if they have ipinfo-view-full...)

@Niharika Just wanted to confirm - do we not want to grant these groups the ipinfo-view-log right? We discussed giving it to the staff group, but I wondered whether these groups would expect it too (and it might take the burden off T&S staff if more people can see the logs).

> @Niharika Just wanted to confirm - do we not want to grant these groups the ipinfo-view-log right? We discussed giving it to the staff group, but I wondered whether these groups would expect it too (and it might take the burden off T&S staff if more people can see the logs).

Queuing this up to ask Legal. I agree it might be a fine thing to do but I want to confirm with Legal first.

Thanks @Niharika.

@STran I'm updating the AC of this task to include giving the ipinfo-view-log right to the staff group

> @phuedx Do we also want to assign ipinfo and ipinfo-view-basic to these groups here too, or are we intending to rely on the autopromote mechanism in T296184? (Though I guess they don't really need ipinfo-view-basic if they have ipinfo-view-full...)

I think it might be best to grant them all the rights that they need in one go. It's less prone to timing/coordination issues.

Change 766882 merged by jenkins-bot:

[operations/mediawiki-config@master] Add IPInfo viewing rights for certain groups

https://gerrit.wikimedia.org/r/766882

Mentioned in SAL (#wikimedia-operations) [2022-03-09T14:27:26Z] <taavi@deploy1002> Synchronized wmf-config/CommonSettings.php: Config: [[gerrit:766882|Add IPInfo viewing rights for certain groups (T296499)]] (no-op on prod) (duration: 00m 50s)

dom_walden added a subscriber: dom_walden.

I cannot really test this as IPInfo has not been enabled on testwiki yet. I can check this once T260598 is deployed.

The code looks good to me, as far as I can tell. We have assigned the rights ipinfo, ipinfo-view-full and ipinfo-view-log to the groups sysop and checkuser.

Apparently, the staff and steward groups have their permissions managed globally on-wiki. I don't know who we need to coordinate with to make it happen after the testwiki deploy. I guess the global stewards.

> Apparently, the staff and steward groups have their permissions managed globally on-wiki. I don't know who we need to coordinate with to make it happen after the testwiki deploy. I guess the global stewards.

@Niharika @STei-WMF Is there a plan to co-ordinate with the community on this?

It looks like the global group modifications never happened. I have granted ipinfo, ipinfo-view-full, and ipinfo-view-log to staff and steward. T309318 has been created to clarify that global sysops should also be given access.