
IP Info shouldn't be aware of revision if user doesn't have access to it
Open, High | Public | BUG REPORT

Event Timeline

Prtksxna triaged this task as High priority. Nov 1 2022, 3:57 AM
Tchanders added a subscriber: Tchanders.

@Prtksxna I was talking with @Cyndymediawiksim about pinning down the requirements for this task, and came across a couple of things I wanted to ask about. (Also @STran may have a bit more context here.)

My understanding is that this task is to fix what was found in the original investigation (the bug is in the final bullet point):

Tested with the following scenario:

  1. Made an edit with an IP that has never contributed to the wiki otherwise
  2. Confirmed that the revision shows up on the Special:Contributions page for the IP
  3. Reverted the edit (so that it's no longer the current revision) and deleted the revision, hiding every piece of information about it but not from admins

Confirmed that:

  • The admin who deleted the revision can still see IPInfo from the Special:Contributions page
  • Another admin could view IPInfo from the Special:Contributions page
  • Calling the API directly successfully returned data from both users
  • The revision is not considered a revision on Special:DeletedContributions

  4. Hid the edit from other admins

Confirmed that:

  • The admin who deleted the revision can still see IPInfo from the Special:Contributions page
  • Another admin could not view IPInfo from the Special:Contributions page
  • Calling the API directly successfully returned data from both users

However, I couldn't reproduce this. Was there any more to this task?