Page MenuHomePhabricator
Create Task
Maniphest T327437

The CheckUser extension should provide IP addresses of a temporary account user, given a list of revision IDs
Closed, ResolvedPublic
Actions

Assigned To
Tchanders
Authored By
Tchanders
Jan 19 2023, 6:34 PM
Tags
Referenced Files
F36703747: T327437_IPMasking_NonAdminBlocking.png
Feb 3 2023, 5:47 PM
F36703751: T327437_IPMasking_NonAdmin.png
Feb 3 2023, 5:47 PM
F36703734: T327437_IPMasking_AdminBlocking_Result.png
Feb 3 2023, 5:47 PM
F36703732: T327437_IPMasking_AdminBlocking.png
Feb 3 2023, 5:47 PM
F36578246: T327437_IPMasking_TempAcct_AllSuppress_nonAdmin_Results.png
Feb 2 2023, 2:24 AM
F36578244: T327437_IPMasking_TempAcct_AllSuppress_nonAdmin.png
Feb 2 2023, 2:24 AM
F36578242: T327437_IPMasking_TempAcct_IPAddresses_Result11.png
Feb 2 2023, 2:24 AM
F36578240: T327437_IPMasking_TempAcct_IPAddresses.png
Feb 2 2023, 2:24 AM
Subscribers
Aklapper
DAbad
DannyH
GMikesell-WMF
Izno
kostajh
Naike
View All 13 Subscribers

Description

Background

This task is spun out from its sibling task: T324603: The CheckUser extension should provide IP addresses of temporary account users, for IP Masking

From the sibling task:

What needs to be done

We need CheckUser to be able to return, for users with a permission other than checkuser (name of new permission tbc):

  • All IP addresses (up to a configurable limit), given a temporary account name (e.g. for T324602: SpecialBlock: Once a temporary account is selected, below the username field display IP addresses associated with the account)
  • An IP address, given a temporary account name and a revision ID (for e.g. T326392: IP Address Reveal on History page)
  • An IP address, given a temporary account name and a timestamp (e.g. for T326393: IP Address Reveal on Log page)

This task is specifically for:

  • An IP address, given a temporary account name and a revision ID (for e.g. T326392: IP Address Reveal on History page)

The API will take a user name and a list of revision IDs, and return IP addresses for any of the revision IDs that are associated with that user

Testing notes
  • To use this API, you'll need the checkuser-temporary-account right
  • The URL is rest.php/checkuser/v0/temporaryaccount/{name}/revisions/{ids} (see RestRoutes in extension.json)
    • {name} is the user name you want to look up
    • {ids} is a list of 1 or more revision IDs associated with the user (e.g. as obtained from a history page list). The list can be formatted as documented in ParamValidator::PARAM_ISMULTI
  • In case you have been switching $wgAutoCreateTempUser['enabled'] on and off locally, it needs to be true to avoid a nonexistent account error

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Add API endpoint for temp account IP addresses, given revision IDsmediawiki/extensions/CheckUsermaster+253 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

Tchanders created this task.Jan 19 2023, 6:34 PM
Tchanders moved this task from Ready 🎬 (ONLY IF YOU HAVE NO MORE CODE TO REVIEW) to Code Review 🔍 on the Anti-Harassment-Team (AHaT Sprint 23: Penguit Santa Hat) board.Jan 19 2023, 6:37 PM
gerritbot added a comment.Jan 19 2023, 6:38 PM

Change 881692 had a related patch set uploaded (by Tchanders; author: Tchanders):

[mediawiki/extensions/CheckUser@master] Add API endpoint for temp account IP addresses, given revision IDs

https://gerrit.wikimedia.org/r/881692

gerritbot added a project: Patch-For-Review.Jan 19 2023, 6:38 PM
Niharika moved this task from Inbox to Ready on the Temporary accounts board.Jan 25 2023, 7:01 PM
gerritbot added a comment.Jan 26 2023, 7:22 PM

Change 881692 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@master] Add API endpoint for temp account IP addresses, given revision IDs

https://gerrit.wikimedia.org/r/881692

Maintenance_bot removed a project: Patch-For-Review.Jan 26 2023, 7:30 PM
ReleaseTaggerBot added a project: MW-1.40-notes (1.40.0-wmf.21; 2023-01-30).Jan 26 2023, 8:00 PM
Tchanders moved this task from Code Review 🔍 to QA/Testing 🐞 on the Anti-Harassment-Team (AHaT Sprint 23: Penguit Santa Hat) board.Jan 30 2023, 2:14 PM
ARamirez_WMF edited projects, added Anti-Harassment-Team (AHaT Sprint 24: The Toque Blanche Hat); removed Anti-Harassment-Team (AHaT Sprint 23: Penguit Santa Hat).Jan 31 2023, 4:49 PM
ARamirez_WMF moved this task from Ready 🎬 (ONLY IF YOU HAVE NO MORE CODE TO REVIEW) to QA/Testing 🐞 on the Anti-Harassment-Team (AHaT Sprint 24: The Toque Blanche Hat) board.
GMikesell-WMF subscribed.Feb 2 2023, 2:24 AM

@Tchanders After testing the following below with different permissions and rights, only when I was a Non-Admin did I get a "you do not have permission" as seen in the last screenshot below whether if one was checked or all of them under Suppress Visibility Restrictions. I was able to pull the correct IP address as a Non-Admin when I was blocked via Global, Sitewide, or partial though. As an Admin, I had no issues pulling up the correct IP address with any of the testings. Thanks!

OS: macOS 13.0
Browser: Chrome 109
Environment: Local

Tested:
User: Admin & Non-Admin
Suppress Visibility Restrictions
a. Revision text
b. Edit Summary
c. Editor's username/IP address
d. Suppress data from administrators as well as others
Global Blocking
Sitewide Blocking
Partial Blocking

Admin

T327437_IPMasking_TempAcct_IPAddresses.png (1×1 px, 250 KB)

Similar results of pulling the IP address, just with different revision IDs

T327437_IPMasking_TempAcct_IPAddresses_Result11.png (206×903 px, 29 KB)

Non-Admin - Only had Suppressor and checkuser-temporary-account rights

T327437_IPMasking_TempAcct_AllSuppress_nonAdmin.png (1×1 px, 297 KB)

Did not pull an IP address with any of the choices in Suppress Visibility Restrictions

T327437_IPMasking_TempAcct_AllSuppress_nonAdmin_Results.png (184×1 px, 44 KB)

Tchanders added a comment.Feb 3 2023, 10:26 AM

Thanks for the screenshots @GMikesell-WMF! Just trying to understand - am I right in thinking the following points are true?

  • Config set to: $wgGroupPermissions['sysop']['checkuser-temporary-account'] = true; (and nobody else has 'checkuser-temporary-account')
  • Admin could see the IP address
  • Blocked admin could not see the IP address
  • Non-admin could not see the IP address
  • Blocked non-admin could not see the IP address
GMikesell-WMF added a comment.Feb 3 2023, 5:47 PM

@Tchanders Sorry for any confusion. Please see the results below. Thanks!

* Config set to: `$wgGroupPermissions['sysop']['checkuser-temporary-account'] = true;` (and nobody else has 'checkuser-temporary-account')

That is correct

* Admin could see the IP address

That is correct

* Blocked admin could not see the IP address

That is correct. I now switched the Testuserone to have admin rights and used my Admin account to block Testuserone. It does have the "Show IP" but ti doesn't reveal since the account is blocked. 2nd screenshot is what I got when I plugged in http://localhost:8080/w/rest.php/checkuser/v0/temporaryaccount/*Unregistered 20/revisions/42

T327437_IPMasking_AdminBlocking.png (993×1 px, 167 KB)

T327437_IPMasking_AdminBlocking_Result.png (218×1 px, 44 KB)

* Non-admin could not see the IP address

That is correct. I then took the admin rights off of Testuserone to test.

T327437_IPMasking_NonAdmin.png (218×1 px, 44 KB)

* Blocked non-admin could not see the IP address

That is correct

T327437_IPMasking_NonAdminBlocking.png (255×2 px, 79 KB)

GMikesell-WMF mentioned this in T326397: IP Address Reveal on Diff page.Feb 6 2023, 11:57 PM
GMikesell-WMF moved this task from QA/Testing 🐞 to Done Q2 2022-2023 on the Anti-Harassment-Team (AHaT Sprint 24: The Toque Blanche Hat) board.Feb 7 2023, 3:27 PM
dom_walden mentioned this in T324603: The CheckUser extension should provide IP addresses of temporary account users, for IP Masking.Feb 7 2023, 3:37 PM
Tchanders closed this task as Resolved.Mar 3 2023, 5:44 PM
Tchanders edited parent tasks, added: T325662: Allow IPInfo's infobox widget to display data from more than one IP address; removed: T325456: [Epic] Display IP addresses for temp users in IP Info .Feb 7 2024, 2:55 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits