
The CheckUser extension should provide IP addresses of a temporary account user, given a list of revision IDs
Closed, Resolved · Public

Description

Background

This task is spun out from its sibling task: T324603: The CheckUser extension should provide IP addresses of temporary account users, for IP Masking

From the sibling task:

What needs to be done

We need CheckUser to be able to return, for users with a permission other than checkuser (name of new permission tbc):

  • All IP addresses (up to a configurable limit), given a temporary account name (e.g. for T324602: SpecialBlock: Once a temporary account is selected, below the username field display IP addresses associated with the account)
  • An IP address, given a temporary account name and a revision ID (for e.g. T326392: IP Address Reveal on History page)
  • An IP address, given a temporary account name and a timestamp (e.g. for T326393: IP Address Reveal on Log page)

This task is specifically for:

  • An IP address, given a temporary account name and a revision ID (for e.g. T326392: IP Address Reveal on History page)

The API will take a user name and a list of revision IDs, and return IP addresses for any of the revision IDs that are associated with that user.

Testing notes
  • To use this API, you'll need the checkuser-temporary-account right
  • The URL is rest.php/checkuser/v0/temporaryaccount/{name}/revisions/{ids} (see RestRoutes in extension.json)
    • {name} is the user name you want to look up
    • {ids} is a list of 1 or more revision IDs associated with the user (e.g. as obtained from a history page list). The list can be formatted as documented in ParamValidator::PARAM_ISMULTI
  • In case you have been switching $wgAutoCreateTempUser['enabled'] on and off locally, it needs to be true to avoid a nonexistent account error
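
An added example (not code from the CheckUser extension or from this task) of building the request URL described in the testing notes, so that the account name and the ID list each stay inside their own path segment. The function name and the `rest_base` argument are assumptions for this example; the ID list uses the pipe-separated multi-value form of `ParamValidator::PARAM_ISMULTI`.

```python
from urllib.parse import quote

# Route from the testing notes (RestRoutes in extension.json).
ROUTE = "/checkuser/v0/temporaryaccount/{name}/revisions/{ids}"


def revisions_url(rest_base, name, rev_ids):
    """Build the request URL for one temporary account and its revision IDs.

    rest_base is the wiki's rest.php URL (an assumption for this example).
    """
    if not name or not name.strip():
        raise ValueError("temporary account name is required")
    ids = []
    for rev in rev_ids:
        # Accept ints or digit strings copied from a history page; reject
        # anything else so a stray value cannot change the path.
        text = str(rev).strip()
        if not (text.isascii() and text.isdigit()) or int(text) <= 0:
            raise ValueError(f"not a revision ID: {rev!r}")
        text = str(int(text))  # normalise, e.g. "042" -> "42"
        if text not in ids:
            ids.append(text)
    if not ids:
        raise ValueError("at least one revision ID is required")
    path = ROUTE.format(
        # safe="" also encodes "/", so a name can never add path segments.
        name=quote(name, safe=""),
        # Pipe-separated multi-value list; "|" is sent as %7C.
        ids=quote("|".join(ids), safe=""),
    )
    return rest_base.rstrip("/") + path


if __name__ == "__main__":
    # Constructed sample values for a local test wiki.
    print(revisions_url("http://localhost:8080/w/rest.php",
                        "*Unregistered 20", [42, 43]))
```

The request still has to be sent by a logged-in user who holds the checkuser-temporary-account right.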

Event Timeline

Change 881692 had a related patch set uploaded (by Tchanders; author: Tchanders):

[mediawiki/extensions/CheckUser@master] Add API endpoint for temp account IP addresses, given revision IDs

https://gerrit.wikimedia.org/r/881692

Change 881692 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@master] Add API endpoint for temp account IP addresses, given revision IDs

https://gerrit.wikimedia.org/r/881692

@Tchanders After testing the following below with different permissions and rights, only when I was a Non-Admin did I get a "you do not have permission" as seen in the last screenshot below, whether one was checked or all of them under Suppress Visibility Restrictions. I was able to pull the correct IP address as a Non-Admin when I was blocked via Global, Sitewide, or partial though. As an Admin, I had no issues pulling up the correct IP address with any of the tests. Thanks!

OS: macOS 13.0
Browser: Chrome 109
Environment: Local

Tested:
User: Admin & Non-Admin
Suppress Visibility Restrictions
a. Revision text
b. Edit Summary
c. Editor's username/IP address
d. Suppress data from administrators as well as others
Global Blocking
Sitewide Blocking
Partial Blocking

Admin

T327437_IPMasking_TempAcct_IPAddresses.png (1×1 px, 250 KB)

Similar results of pulling the IP address, just with different revision IDs

T327437_IPMasking_TempAcct_IPAddresses_Result11.png (206×903 px, 29 KB)

Non-Admin - Only had Suppressor and checkuser-temporary-account rights

T327437_IPMasking_TempAcct_AllSuppress_nonAdmin.png (1×1 px, 297 KB)

Did not pull an IP address with any of the choices in Suppress Visibility Restrictions

T327437_IPMasking_TempAcct_AllSuppress_nonAdmin_Results.png (184×1 px, 44 KB)

Thanks for the screenshots @GMikesell-WMF! Just trying to understand - am I right in thinking the following points are true?

  • Config set to: $wgGroupPermissions['sysop']['checkuser-temporary-account'] = true; (and nobody else has 'checkuser-temporary-account')
  • Admin could see the IP address
  • Blocked admin could not see the IP address
  • Non-admin could not see the IP address
  • Blocked non-admin could not see the IP address

@Tchanders Sorry for any confusion. Please see the results below. Thanks!

* Config set to: `$wgGroupPermissions['sysop']['checkuser-temporary-account'] = true;` (and nobody else has 'checkuser-temporary-account')

That is correct

* Admin could see the IP address

That is correct

* Blocked admin could not see the IP address

That is correct. I now switched the Testuserone to have admin rights and used my Admin account to block Testuserone. It does have the "Show IP" but it doesn't reveal since the account is blocked. 2nd screenshot is what I got when I plugged in http://localhost:8080/w/rest.php/checkuser/v0/temporaryaccount/*Unregistered 20/revisions/42

T327437_IPMasking_AdminBlocking.png (993×1 px, 167 KB)

T327437_IPMasking_AdminBlocking_Result.png (218×1 px, 44 KB)

* Non-admin could not see the IP address

That is correct. I then took the admin rights off of Testuserone to test.

T327437_IPMasking_NonAdmin.png (218×1 px, 44 KB)

* Blocked non-admin could not see the IP address

That is correct

T327437_IPMasking_NonAdminBlocking.png (255×2 px, 79 KB)