Page MenuHomePhabricator
Create Task
Maniphest T329072

IP Masking: Admins that are blocked have the Show IP button still visible
Closed, ResolvedPublicBUG REPORT
Actions

Assigned To
AGueyte
Authored By
GMikesell-WMF
Feb 7 2023, 4:15 PM
Tags
Referenced Files
F36867111: T329072_IPMasking_Testuserone_Unblock_ViewHistory_FF_ShowIPError2.png
Feb 23 2023, 8:42 PM
F36867097: T329072_IPMasking_Testuserone_Unblock_ViewHistory_ShowIPError2.png
Feb 23 2023, 8:29 PM
F36866924: image.png
Feb 23 2023, 6:09 PM
F36864224: T329072_IPMasking_Testuserone_Unblock_Watchlist_ShowIPError.png
Feb 21 2023, 8:27 PM
F36864222: T329072_IPMasking_Testuserone_Unblock_ViewHistory_ShowIPError.png
Feb 21 2023, 8:27 PM
F36864218: T329072_IPMasking_Testuserone_SpecialContributions_Unblock.png
Feb 21 2023, 8:27 PM
F36864216: T329072_IPMasking_Testuserone_Unblock AutoBlock.png
Feb 21 2023, 8:27 PM
F36864214: T329072_IPMasking_Testuserone_Rights.png
Feb 21 2023, 8:27 PM
View All 14 Files
Subscribers
AGueyte
Aklapper
GMikesell-WMF
Niharika
Tchanders

Description

Steps to replicate the issue (include links if applicable):

  • Edit any article with a temp account in Local
  • Block a user that has an Admin account
  • Go to View History or Diff or I'm sure any other pages that would have the Show IP button

What happens?:
The Show IP button is visible even when the user is blocked but can't reveal the IP address on the current date. If you created older temp account edits from a few days ago, if you are blocked, you can still reveal the IP address.

What should have happened instead?:
Show IP button should not be visible when a user is blocked

Other information (browser name/version, screenshots, etc.):
This is best tested along with {T326415: Add (show IP) buttons next to temporary account user name links}: Add (show IP) buttons next to temporary account user name links, which adds the buttons.

It should be tested locally, since it requires $wgAutoCreateTempUser['enabled'] = true; (only available on Beta) and the CheckUser extension (not available on Beta).

OS: macOS 13.0
Browsers: Chrome 109 and FireFox 109
Environment: Local

Admin users that are blocked

T326397_IPMasking_AdminBlock24hrs_Diff.png (963×2 px, 282 KB)

T326397_IPMasking_AdminBlock24hrs_History.png (889×2 px, 368 KB)

Details

SubjectRepoBranchLines +/-
Don't Show IP button to blocked Adminsmediawiki/extensions/CheckUsermaster+5 -0
Customize query in gerrit

Related Objects

Event Timeline

GMikesell-WMF created this task.Feb 7 2023, 4:15 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 7 2023, 4:15 PM
GMikesell-WMF renamed this task from IP Masking: Admins that are blocked have Show IP visible but the button is locked to IP Masking: Admins that are blocked have the Show IP button still visible.Feb 7 2023, 4:16 PM
GMikesell-WMF updated the task description. (Show Details)Feb 7 2023, 4:18 PM
GMikesell-WMF mentioned this in T326397: IP Address Reveal on Diff page.Feb 7 2023, 5:35 PM
AGueyte claimed this task.Feb 8 2023, 6:20 PM
AGueyte moved this task from Ready 🎬 (ONLY IF YOU HAVE NO MORE CODE TO REVIEW) to In Progress 💪 on the Anti-Harassment (AHaT Sprint 24: The Toque Blanche Hat) board.
gerritbot added a comment.Feb 9 2023, 6:09 PM

Change 888069 had a related patch set uploaded (by AGueyte; author: AGueyte):

[mediawiki/extensions/CheckUser@master] Don't Show IP button to blocked Admins

https://gerrit.wikimedia.org/r/888069

gerritbot added a project: Patch-For-Review.Feb 9 2023, 6:09 PM
AGueyte moved this task from In Progress 💪 to Code Review 🔍 on the Anti-Harassment (AHaT Sprint 24: The Toque Blanche Hat) board.Feb 9 2023, 6:37 PM
Dreamy_Jazz moved this task from Code Review 🔍 to QA/Testing 🐞 on the Anti-Harassment (AHaT Sprint 24: The Toque Blanche Hat) board.Feb 10 2023, 5:59 PM
gerritbot added a comment.Feb 10 2023, 6:10 PM

Change 888069 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@master] Don't Show IP button to blocked Admins

https://gerrit.wikimedia.org/r/888069

Maintenance_bot removed a project: Patch-For-Review.Feb 10 2023, 6:30 PM
ReleaseTaggerBot added a project: MW-1.40-notes (1.40.0-wmf.23; 2023-02-13).Feb 10 2023, 7:00 PM
GMikesell-WMF added a comment.Feb 13 2023, 7:23 PM

@AGueyte Looks like the patch removed the ShowIP when you are blocked. I did get a couple of possible different issues as seen in the screenshots below. If you wanted me to create a new ticket for that since the actual ticket is resolved, please let me know. Thanks!

OS: macOS 13.0
Browsers: Chrome 109 and FireFox 109
Environment: Local

The Good- When an Admin gets blocked, ShowIP does not show up anymore

T329072_IPMasking_AdminBlock_ShowIPNotVisible_Good.png (821×3 px, 394 KB)

Unblocking Yourself -Is it suitable as a blocked Admin, if I go to Special:Contributions, I can unblock myself?

T329072_IPMasking_AdminBlock_Contributions_CanUnlockYourself.png (756×3 px, 324 KB)

ShowIP not revealing - After I unblock myself when that account is supposed to be blocked, ShowIP does show but now it does not reveal the IP addresses when you click on it.

T329072_IPMasking_AdminBlock_UnblockedMyself_ShowIPStuck.png (697×3 px, 349 KB)

AGueyte added a comment.EditedFeb 14 2023, 2:44 PM

Hi George, thanks for this.

After an admin unblocked itself, the admin cannot see the IP appearing from View History despite the button showing.

It seems the behavior is related to an active autoblock generated from the original block.
Once removing the autoblock against the Admin's IP, the admin can see the IP appearing when clicking on the Show IP Button from a View History page.

Even with the autoblock, the ex-blocked admin can see the IP address after clicking the Show IP button from Special:Log (etc).

Guidance from Product on how we want to operate in this specific scenario.
Available to demonstrate the situation if needed.

cc @Niharika @Tchanders

AGueyte added a subscriber: Niharika.Feb 14 2023, 5:09 PM
ARamirez_WMF edited projects, added Anti-Harassment (AHaT Sprint 25: The Tengai Hat); removed Anti-Harassment (AHaT Sprint 24: The Toque Blanche Hat).Feb 14 2023, 5:54 PM
ARamirez_WMF moved this task from Ready 🎬 (ONLY IF YOU HAVE NO MORE CODE TO REVIEW) to QA/Testing 🐞 on the Anti-Harassment (AHaT Sprint 25: The Tengai Hat) board.
Tchanders added a comment.Feb 20 2023, 6:01 PM

Thanks @GMikesell-WMF and @AGueyte!

Unblocking Yourself -Is it suitable as a blocked Admin, if I go to Special:Contributions, I can unblock myself?

There's an unblockself right, so it sounds like your admin has this right. Otherwise, they wouldn't be able to unblock themselves.

ShowIP not revealing - After I unblock myself when that account is supposed to be blocked, ShowIP does show but now it does not reveal the IP addresses when you click on it.

After an admin unblocked itself, the admin cannot see the IP appearing from View History despite the button showing.

Hmm, I couldn't reproduce either of these - the unblocked admin could see the buttons and access IP addresses, as expected (including ones that were definitely not cached because they hadn't been accessed before).

Re: autoblocks:

  • unblocking the admin should remove their autoblock at the same time
  • if there's still an autoblock against the unblocked admin's IP address, it's probably an autoblock from another user's block
  • the admin may or may not be affected by the autoblock, depending on their rights and the parameters of the autoblock, but they should either (a) see the buttons and the buttons work, or (b) not see the buttons, and the API doesn't work.

Re: different behaviour on history pages and Special:Log - in general the behaviour should be consistent throughout, and in general if buttons are present, they should reveal IP addresses. Looking at the code, the check for showing the buttons and the check for returning API results is the same, so it looks like it should work as expected.

@GMikesell-WMF Would it be possible to try again as an unblocked admin? If it still doesn't work, could you post a screenshot of Special:BlockList and also the error in the network tab, something like this, so we can see what the error key is?

image.png (307×1 px, 85 KB)

GMikesell-WMF added a comment.Feb 21 2023, 8:27 PM

@Tchanders and @AGueyte I'm still getting the issue of being unable to reveal IP address when I unblock myself. I can demonstrate whenever you are available if needed.

Before starting this, I did an empty cache and a hard reboot.

OS: macOS 13.0
Browsers: Chrome 109
Environment: Local

Steps

  • 1. Under my Admin account I went to Special:Block and did a sitewide block on Testuserone which also has Admin rights
  • 2. I went to Special:Blocklist and unblock the Autoblock so it was just a regular block on Testuserone in Special:Blocklist
  • 3. I log in as Testuserone and go to Special:Contributions and click on unblock
  • 4. Now I got to View History and click on Show IP on the Temp account which was *Unregistered 25
  • 5. It does nothing. I am unable to reveal the IP address.

1. Testuserone Rights

T329072_IPMasking_Testuserone_Rights.png (727×1 px, 127 KB)

2. Blocked Testuserone- I then unblocked Autoblock #73, which left just the regular sitewide block for 10 minutes time span in Special:BlockList

T329072_IPMasking_Testuserone_Unblock AutoBlock.png (902×3 px, 276 KB)

3. Logged in as Testuserson- I now went to Contributions and selected unblock

T329072_IPMasking_Testuserone_SpecialContributions_Unblock.png (669×3 px, 296 KB)

4 & 5. Show IP button unable to reveal IP address- When I click on the Show IP button, under Console, I get this highlighted error. This is the case in View history, Watchlist and I'm sure with the others.

T329072_IPMasking_Testuserone_Unblock_ViewHistory_ShowIPError.png (1×3 px, 487 KB)

T329072_IPMasking_Testuserone_Unblock_Watchlist_ShowIPError.png (1×3 px, 504 KB)

Tchanders added a comment.Feb 23 2023, 6:09 PM

Thanks @GMikesell-WMF this is very helpful. I'm wondering if this is because the API response was cached in your browser (i.e. the user is still getting the response they got when blocked). Could you try checking this box in developer tools so that the cache is disabled for each new request?

image.png (88×332 px, 10 KB)

GMikesell-WMF added a comment.EditedFeb 23 2023, 8:29 PM

@Tchanders I started a new tab and prior to logging in as an Admin about to start step 1, I disabled the cache and repeated the steps from above. I am still having the same error though. I wouldn't be surprised if this has to do something with my local configurations though since you can't repeat it. Maybe I can show you when you are free so you might be able to pinpoint why this is happening better? According to Inspect, every time I click on Show IP after unblocking Testuserone, looks like I get that 403 Forbidden status error.

I also tried it on FireFox 109 on macOS 13.0 and got the same error as seen in the 2nd screenshot.

CheckUser and core are up to date.

macOS 13.0 w/ Chrome 109

T329072_IPMasking_Testuserone_Unblock_ViewHistory_ShowIPError2.png (1×3 px, 574 KB)

macOS 13.0 w/ FireFox 109

T329072_IPMasking_Testuserone_Unblock_ViewHistory_FF_ShowIPError2.png (911×1 px, 336 KB)

GMikesell-WMF mentioned this in T330684: IP Masking: Temporary account IP reveal unchecked & still revealing the Show IP button.Feb 27 2023, 5:49 PM
GMikesell-WMF added a comment.Feb 27 2023, 5:57 PM

After going through the issue with @Tchanders earlier, we found out this issue was happening since Temporary account IP reveal was unchecked. I created T330684: IP Masking: Temporary account IP reveal unchecked & still revealing the Show IP button for this bug since it was still showing the Show IP button when it is unchecked. Since the original issue has been resolved, I will move this current ticket to Done. Thanks for all your help @AGueyte and @Tchanders !

GMikesell-WMF moved this task from QA/Testing 🐞 to Done Q2 2022-2023 on the Anti-Harassment (AHaT Sprint 25: The Tengai Hat) board.Feb 27 2023, 6:00 PM
Tchanders closed this task as Resolved.Mar 21 2023, 2:13 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits