Page MenuHomePhabricator
Create Task
Maniphest T324036

Investigate: How can we ensure all WMF wikis have access to IP addresses after IP Masking
Open, Needs TriagePublic
Actions

Description

Following the deployment of T300263: [IP Masking] Create temporary account on first edit, IP addresses will be available via the CheckUser extension, specifically the cu_changes table.

We will need to use this information for revealing information about IP addresses to trusted users, via features such as T300289: [IP Masking] IPViewer roles views temporary account users.

However, CheckUser is not deployed to all our production wikis.

We need to know:

  • Where is CheckUser not deployed?
  • On these wikis, do IP addresses need to be revealed to trusted users in order to fight vandalism, etc?
  • If yes, are there any risks with deploying CheckUser on these wikis? How can we mitigate these risks?

Related Objects

Event Timeline

Tchanders created this task.Nov 29 2022, 4:36 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 29 2022, 4:36 PM
JJMC89 subscribed.Nov 29 2022, 4:58 PM

Where is CheckUser not deployed?

Beta Cluster, which shouldn't have it.

InitialiseSettings.php
// On in all Production, disabled in all Labs; varied for Labs only.
'wmgUseCheckUser' => [
	'default' => true,
],
Tchanders moved this task from Backlog to Ready / In Progress (TSP) on the Temporary accounts board.Dec 1 2022, 6:04 PM
Niharika moved this task from Untriaged to Triage/To be Estimated on the Anti-Harassment board.Dec 5 2022, 10:15 PM
Dreamy_Jazz subscribed.Dec 7 2022, 10:17 PM

@JJMC89: Is there a reason why the Beta Cluster does not have checkuser enabled? I've always seen people saying it's deliberately disabled, but I have no idea why this is the case.

JJMC89 added a comment.Dec 7 2022, 10:32 PM
In T324036#8452525, @Dreamy_Jazz wrote:

Is there a reason why the Beta Cluster does not have checkuser enabled?

Users could access PII without the necessary NDAs. Permissions are basically handed out on request, and the infrastructure doesn't have the same restricted access as the production cluster.

Dreamy_Jazz added a comment.EditedDec 7 2022, 10:33 PM

Ah, okay. That makes sense. I guess it's not really possible to disable the ability to assign rights to someone / remove certian rights from existence, so unless that could happen I can see why.

Dreamy_Jazz mentioned this in T321391: Add new column cu_log.cul_reason_id and cu_log.cul_reason_plaintext_id to wmf wikis.Dec 8 2022, 12:04 AM
Niharika subscribed.Dec 14 2022, 7:42 PM

@JJMC89 I heard that there are other WMF production wikis that may not have checkuser installed. Do you know if that is the case?

Reedy subscribed.Dec 14 2022, 7:47 PM
In T324036#8468925, @Niharika wrote:

@JJMC89 I heard that there are other WMF production wikis that may not have checkuser installed. Do you know if that is the case?

Only beta (because elevated access is given out more widely, and so is shell/DB access)

https://noc.wikimedia.org/conf/highlight.php?file=InitialiseSettings.php

// On in all Production, disabled in all Labs; varied for Labs only.
'wmgUseCheckUser' => [
	'default' => true,
],

https://noc.wikimedia.org/conf/highlight.php?file=InitialiseSettings-labs.php

		'wmgUseCheckUser' => [
			'default' => false,
		],`
Niharika added a comment.Dec 15 2022, 5:55 PM
In T324036#8468937, @Reedy wrote:
In T324036#8468925, @Niharika wrote:

@JJMC89 I heard that there are other WMF production wikis that may not have checkuser installed. Do you know if that is the case?

Only beta (because elevated access is given out more widely, and so is shell/DB access)

https://noc.wikimedia.org/conf/highlight.php?file=InitialiseSettings.php

// On in all Production, disabled in all Labs; varied for Labs only.
'wmgUseCheckUser' => [
	'default' => true,
],

https://noc.wikimedia.org/conf/highlight.php?file=InitialiseSettings-labs.php

		'wmgUseCheckUser' => [
			'default' => false,
		],`

Thanks @Reedy!

Bugreporter subscribed.Dec 19 2022, 4:29 PM

See T214820: Enable CheckUser for beta cluster.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL