Change 823148 had a related patch set uploaded (by Stang; author: Stang):

[operations/mediawiki-config@master] jawiki: Restrict abusefilter log view to "abusefilter-modify" user

https://gerrit.wikimedia.org/r/823148

Hello @aokomoriuta,

Thank you for filling the task. @Stang asked me to deploy the patch to implement the requested change. I reviewed it, and based on my technical experience, I doubt that setting Special:Log/abusefilter to private will have the effect that you probably expect (concealing abuse filter history from non-privileged users, including long-term abusers). For that reason, I decided to not deploy it for the time being, and to explain my reasoning within this task, so it can be considered by ja.wikipedia community as part of the the decision-making process.

There are two main issues with the changes proposed here. The most important issue is that setting $wgLogRestrictions["abusefilter"] = 'abusefilter-modify' for jawiki will only affect the visibility of Special:Log/abusefilter itself. The visibility of the more thorough information source, Special:AbuseFilter/history will not be affected, as it does not make use of the logs (it uses abusefilter's own history information, stored in abuse_filter_history database table). As of writing, there is no way I'm aware of to restrict visibility of this information source.

The second issue is relevant to the cloud replicas. As you might already know, the Wikimedia Foundation operates public cloud replicas of the Wikimedia databases. The goal of the replicas is to provide tooling to community volunteers, who can build their own tools (on top of the released data), as well as make their own queries to get statistics or reports that are not provided for by MediaWiki interfaces themselves.

The cloud replicas include the logging table. To avoid leakage of private data, only defined log types are included in the publicly replicated version of the logging table. Unfortunately, the abusefilter log type is included in the allowlist. In addition to that, the cloud replicas also include the abuse_filter_history table, which backs up Special:AbuseFilter/history.

This means that anyone skilled enough would be able to get access to the concealed data (ie. Special:Log/abusefilter) by running a query via Quarry, Toolforge or PAWS. This also means that tools running on Toolforge (and consuming data from the cloud replicas, rather than via the API) will continue to have access to the information, and likely, will display the info to its users.

Based on the reasons described above, I don't believe the change will have the impact that ja.wikipedia community expects. I would like to ask the community to consider what I described above, to ensure that the community reaches an informed decision. In case you have any questions about the technical side of things, please feel free to ask them here -- I (or a fellow technical community member) will be happy to answer them.

I'd also like to ping @Daimona, one of active maintainers of Abuse Filter, in case they have any thoughts on how can we help ja.wikipedia community with the issue you're facing.

Thank you for your understanding and have a nice day,
Martin Urbanec

@Urbanecm Thanks for your comment.

Issue#1 is not a problem for us. We understand that $wgLogRestrictions["abusefilter"] won't hide [[Special:AbuseFilter/history]]. As I reported T314699, the problem we're facing is that [[Special:Log/abusefilter]] shows the filter's modification history even if it is private, whereas [[Special:AbuseFilter/history]] shows only public filters'. Since [[Special:AbuseFilter/history]] provides more detailed information about modification history, we can think we don't need [[Special:Log/abusefilter]] and substitutively use [[Special:AbuseFilter/history]] for public filters.

I'm anxious about Issue#2. Do you mean that the skillful any (including abuse) user can extract information about private filters from the cloud replica database? What kind of data is provided on the DB? Only the modification history we can see on [[Special:Log/abusefilter]]? Does it Include the private filter's main body (expressions and descriptions)? How about the filter's trigger log which could include the disallowed or revision-deleted edits due to legal problems?

If the DB leaks such information, the "private" is false on Wikimedia wikis and the DB provider (WMF?) has hindered our anti-vandalism activity via AbuseFilter.
In another problem, jawiki currently encounters an LTA user leaking private filters' expressions and we're investigating and fixing the leaking. I have been preparing the draft letter to request developers and sysadmins to help. Leaking from the DB could be the answer.

I will not share the leaking problem with jawiki community publically because of WP:BEANS, but only private group members (sysop and/or abusefilter editor).

Leaving that aside, hiding [[Special:Log/abusefilter]] is still effective for casual/unskilled abuse users. So, I'd like you to restrict $wgLogRestrictions["abusefilter"] even if issue#2 remains.

An example of DB entry:

MariaDB [jawiki_p]> select * from logging where log_type = 'abusefilter' order by log_timestamp desc limit 10;
+---------+-------------+------------+----------------+-----------+---------------+---------------------------------+----------------+-------------------------------------------------+-------------+----------+
| log_id  | log_type    | log_action | log_timestamp  | log_actor | log_namespace | log_title                       | log_comment_id | log_params                                      | log_deleted | log_page |
+---------+-------------+------------+----------------+-----------+---------------+---------------------------------+----------------+-------------------------------------------------+-------------+----------+
| 6089508 | abusefilter | modify     | 20220815185933 |       122 |            -1 | 不正利用フィルター/47           |              4 | a:2:{s:9:"historyId";i:6436;s:5:"newId";i:47;}  |           0 |        0 |
| 6089231 | abusefilter | modify     | 20220815132902 |       122 |            -1 | 不正利用フィルター/160          |              4 | a:2:{s:9:"historyId";i:6435;s:5:"newId";i:160;} |           0 |        0 |
| 6088861 | abusefilter | modify     | 20220815082428 |       122 |            -1 | 不正利用フィルター/160          |              4 | a:2:{s:9:"historyId";i:6434;s:5:"newId";i:160;} |           0 |        0 |
| 6088857 | abusefilter | modify     | 20220815082126 |       122 |            -1 | 不正利用フィルター/160          |              4 | a:2:{s:9:"historyId";i:6433;s:5:"newId";i:160;} |           0 |        0 |
| 6087999 | abusefilter | modify     | 20220814150449 |       122 |            -1 | 不正利用フィルター/156          |              4 | a:2:{s:9:"historyId";i:6432;s:5:"newId";i:156;} |           0 |        0 |
| 6085396 | abusefilter | modify     | 20220812184031 |       122 |            -1 | 不正利用フィルター/145          |              4 | a:2:{s:9:"historyId";i:6431;s:5:"newId";i:145;} |           0 |        0 |
| 6085247 | abusefilter | modify     | 20220812145736 |       122 |            -1 | 不正利用フィルター/160          |              4 | a:2:{s:9:"historyId";i:6430;s:5:"newId";i:160;} |           0 |        0 |
| 6084867 | abusefilter | modify     | 20220812090333 |       122 |            -1 | 不正利用フィルター/157          |              4 | a:2:{s:9:"historyId";i:6429;s:5:"newId";i:157;} |           0 |        0 |
| 6084634 | abusefilter | modify     | 20220812070421 |       122 |            -1 | 不正利用フィルター/147          |              4 | a:2:{s:9:"historyId";i:6428;s:5:"newId";i:147;} |           0 |        0 |
| 6084072 | abusefilter | modify     | 20220811192740 |       122 |            -1 | 不正利用フィルター/160          |              4 | a:2:{s:9:"historyId";i:6427;s:5:"newId";i:160;} |           0 |        0 |
+---------+-------------+------------+----------------+-----------+---------------+---------------------------------+----------------+-------------------------------------------------+-------------+----------+
10 rows in set (0.005 sec)

I found T284944 and understand that some information about private filters is leaking from the replica DB. I will comment on it.

In this ticket, as I wrote #8155509, please continue to discuss this.

hiding [[Special:Log/abusefilter]] is still effective for casual/unskilled abuse users. So, I'd like you to restrict $wgLogRestrictions["abusefilter"] even if issue#2 remains.

Hello @aokomoriuta,

The replica databases only provide information that's (normally) public. It doesn't include bodies of private filters, and the replica does respect the private checkbox when it's changed by an admin (in other words, if you make a public filter private, it will disappear from the replica; if you make a private filter public, it will appear in the replica). The replica doesn't include content of private filters (or any other information that isn't accessible via UI), you can count on that.

The issue is that the rules followed by the replicas are the same for all wikis (as we don't tend to restrict visibility of certain things per wiki), so that's why changing the visibility of Special:Log/abusefilter wouldn't help with the replica. I hope that makes sense.

Example of the entries available are at T315199#8155531, thank you @Stang.

Leaving that aside, hiding [[Special:Log/abusefilter]] is still effective for casual/unskilled abuse users. So, I'd like you to restrict $wgLogRestrictions["abusefilter"] even if issue#2 remains.

Personally speaking, I don't think this change will be effective (at the very least, an abusive user can learn about a filter when they save an edit, even without knowing about the replica), but as I said in my previous comment, we can do that anyway (I just want you to be aware). Let's try that change, and see what happens.

@Stang I've removed my temporary -2, please feel free to re-schedule when you have a while.

Change 823148 merged by jenkins-bot:

[operations/mediawiki-config@master] jawiki: Restrict abusefilter log view to "abusefilter-modify" user

https://gerrit.wikimedia.org/r/823148

Mentioned in SAL (#wikimedia-operations) [2022-08-16T13:40:49Z] <taavi@deploy1002> Synchronized wmf-config/InitialiseSettings.php: Config: [[gerrit:823148|jawiki: Restrict abusefilter log view to "abusefilter-modify" user (T315199)]] (duration: 03m 21s)

I confirmed [[Special:Log/abusefilter]] is hidden from public users, and I (abusefilter editor) can see it. Thank you!

Mentioned in SAL (#wikimedia-operations) [2022-08-16T13:55:29Z] <taavi@deploy1002> Synchronized wmf-config/InitialiseSettings.php: revert: Config: [[gerrit:823148|jawiki: Restrict abusefilter log view to "abusefilter-modify" user (T315199)]] (duration: 03m 12s)

Change 823715 had a related patch set uploaded (by Majavah; author: Majavah):

[operations/mediawiki-config@master] jawiki: Restrict abusefilter log access (1)

https://gerrit.wikimedia.org/r/823715

Change 823716 had a related patch set uploaded (by Majavah; author: Majavah):

[operations/mediawiki-config@master] jawiki: Restrict abusefilter log access (2)

https://gerrit.wikimedia.org/r/823716

Change 823715 merged by jenkins-bot:

[operations/mediawiki-config@master] jawiki: Restrict abusefilter log access (1)

https://gerrit.wikimedia.org/r/823715

Change 823716 merged by jenkins-bot:

[operations/mediawiki-config@master] jawiki: Restrict abusefilter log access (2)

https://gerrit.wikimedia.org/r/823716

Mentioned in SAL (#wikimedia-operations) [2022-08-17T15:50:12Z] <taavi@deploy1002> Synchronized wmf-config/InitialiseSettings.php: Config: [[gerrit:823715|jawiki: Restrict abusefilter log access (1) (T315199)]] (duration: 03m 25s)

Mentioned in SAL (#wikimedia-operations) [2022-08-17T15:54:49Z] <taavi@deploy1002> Synchronized wmf-config/CommonSettings.php: Config: [[gerrit:823716|jawiki: Restrict abusefilter log access (2) (T315199)]] (duration: 03m 47s)

Thanks for fixing!