Page MenuHomePhabricator

Oversighter can unsuppress hidden username by accident/lack of concentration
Open, Needs TriagePublicBUG REPORT

Description

List of steps to reproduce (step by step, including full links if applicable):

  • A sysop revision-delete 3 revisions of a page with 3 different actors
  • A oversighter block + hide one of the actor
  • Another oversighter goes to un-revision-delete the 3 revisions

What happens?:

  • The username of the hidden user gets unsuppressed as well without extra warning
  • The username of the revision is show on action=history

What should have happened instead?:

  • The unsuppression of the username in the history should not happen when the actor is hidden. This avoids leaking the user name by accident or showing the revision on Special:Contributions along with the information that the username does not exists.
  • This is not like T275960, which seems an inital revision-deletion problem, but the maintenance script of that bug could also fix issues like happen here.
  • The risk may lower than before T23272, because that bold the one suppressed user name
  • This can happen if only the user bit is adjust
  • This can also happen if only the restricted bit is adjust (but the user bit is kept), than it is only shown to other sysops.
  • This is not a security task, because only a privileged user can do the action. It can leaks security relevant information.

Software version (if not a Wikimedia wiki), browser information, screenshots, other information, etc: MediaWiki1.38