Page MenuHomePhabricator
Create Task
Maniphest T331750

Investigate: Update SecurePoll for IP Masking
Closed, ResolvedPublic2 Estimated Story Points
Actions

Assigned To
AGueyte
Authored By
Tchanders
Mar 10 2023, 9:03 PM
Tags
Referenced Files
F36947161: Screenshot 2023-04-11 at 11.53.14 AM.png
Apr 11 2023, 3:56 PM
F36946387: Screenshot 2023-04-10 at 3.04.03 PM.png
Apr 11 2023, 3:33 PM
F36946389: Screenshot 2023-04-10 at 3.08.16 PM.png
Apr 11 2023, 3:33 PM
F36946384: Screenshot 2023-04-10 at 3.05.14 PM.png
Apr 11 2023, 3:33 PM
Subscribers
Aklapper
ARamirez_WMF
Base
drochford
Niharika
STran
Tchanders

Description

Background

We need to investigate how SecurePoll may need updating for IP Masking.

From a product perspective, read the documentation and try out the product. Consider whether any changes may need making for temporary account users.

From a technical perspective, check where the search terms from T326759 appear, and consider whether these places appear to need updating.

These instructions are left intentionally vague to avoid biasing the investigation.

Outcome of this investigation
  • Write up a summary of findings
  • Raise any questions
  • File tasks if there is anything obvious to file

Related Objects
Search...

Event Timeline

Tchanders created this task.Mar 10 2023, 9:03 PM
JJMC89 added a project: MediaWiki-extensions-SecurePoll.Mar 10 2023, 9:16 PM
Tchanders mentioned this in T326869: Update TSP-owned products that may be affected by IP Masking.Mar 10 2023, 9:17 PM
Tchanders edited projects, added Anti-Harassment (AHaT Sprint 27: The Big Yellow Hat); removed Anti-Harassment.Mar 23 2023, 5:28 PM
AGueyte claimed this task.Apr 10 2023, 3:14 PM
AGueyte moved this task from Ready 🎬 (ONLY IF YOU HAVE NO MORE CODE TO REVIEW) to In Progress 💪 on the Anti-Harassment (AHaT Sprint 27: The Big Yellow Hat) board.Apr 10 2023, 3:40 PM
AGueyte added a comment.EditedApr 11 2023, 3:33 PM

Noticing the display of IPs in http://localhost:8080/w/index.php?title=Special:SecurePollLog
I gave rights to all of my users to create Polls. An anon user was able to create a poll.
Nonetheless, the user wasn't able to vote in the poll as it's required to log in.

Screenshot 2023-04-10 at 3.05.14 PM.png (1×1 px, 148 KB)

Screenshot 2023-04-10 at 3.08.16 PM.png (1×1 px, 121 KB)

Therefore, the poll creation was logged and shown on Special:Log even to my unregistered user.

Screenshot 2023-04-10 at 3.04.03 PM.png (1×1 px, 249 KB)

LocalAuth::autoLogin()
Uses $user->isAnon to prevent logged out users to vote.
As for now, a temp account user can vote.
Suggestion: change to $user->isNamed

APIStrikeVote::execute()
Uses !$user->isRegistered() to prevent logged out users to vote
As for now, a temp account user can vote.
Suggestion: change to $user->isNamed

Election::isAdmin()
Uses $user->getName() and returns true if the user is an admin of the current election.

SecurePollLogPager::formatRow()
Uses $user->getName() to create a link to the user's username

MakeMailingList::execute()
Uses $user->getName() for debug log lines

MakeMailingList::writeUser()
Uses $user->getName() to write a mailing list entry for the given user.

VotePage::logVote()
Uses IPutils to store the IP into table 'securepoll_votes' and column 'vote_ip'
'vote_ip' => IPUtils::toHex( $request->getIP() )
Concerns about keeping the voter's IP in DB

ListPager::formatValue()
Uses IPUtils to format the 'vote_ip' value from table 'securepoll_votes'
case 'vote_ip':

if ( $this->election->endDate < wfTimestamp( TS_MW, time() - ( $securePollKeepPrivateInfoDays * 24 * 60 * 60 ) ) ) {
	return '';
} else {
      return IPUtils::formatHex( $value );
}

DetailsPage::execute()
Uses IPUtils to format an IP
$vote_ip = IPUtils::formatHex( $row->vote_ip );

SecurePollLogPager::formatRow()
Uses ::userLink from class Linker to create a user link

StrikePager::formatValue()
Uses ::userLink from class Linker to create a user link

AGueyte added a comment.Apr 11 2023, 3:56 PM

The voter's IP appears on the Details Page Special:SecurePoll/details/267
Visible to any "admins"
$this->election->isAdmin

Screenshot 2023-04-11 at 11.53.14 AM.png (660×1 px, 95 KB)

ARamirez_WMF edited projects, added Anti-Harassment (AHaT Sprint 28: The Mad Hatter Hat); removed Anti-Harassment (AHaT Sprint 27: The Big Yellow Hat).Apr 11 2023, 5:07 PM
ARamirez_WMF moved this task from Ready 🎬 (ONLY IF YOU HAVE NO MORE CODE TO REVIEW) to In Progress 💪 on the Anti-Harassment (AHaT Sprint 28: The Mad Hatter Hat) board.
AGueyte moved this task from In Progress 💪 to Code Review 🔍 on the Anti-Harassment (AHaT Sprint 28: The Mad Hatter Hat) board.Apr 11 2023, 6:47 PM
Tchanders added a comment.Apr 12 2023, 1:40 PM

@Niharika Do we know if Legal is happy with these?

VotePage::logVote()
Uses IPutils to store the IP into table 'securepoll_votes' and column 'vote_ip'
'vote_ip' => IPUtils::toHex( $request->getIP() )
Concerns about keeping the voter's IP in DB

(This is configured to be kept for 90 days by default - SecurePollKeepPrivateInfoDays)

In T331750#8771982, @AGueyte wrote:

The voter's IP appears on the Details Page Special:SecurePoll/details/267
Visible to any "admins"
$this->election->isAdmin

Screenshot 2023-04-11 at 11.53.14 AM.png (660×1 px, 95 KB)

Tchanders added a comment.Apr 12 2023, 1:43 PM

LocalAuth::autoLogin()
Uses $user->isAnon to prevent logged out users to vote.
As for now, a temp account user can vote.
Suggestion: change to $user->isNamed

APIStrikeVote::execute()
Uses !$user->isRegistered() to prevent logged out users to vote
As for now, a temp account user can vote.
Suggestion: change to $user->isNamed

These make sense to me, since @Niharika is following the principle of parity between anon and temp users to begin with. @AGueyte Would you be happy to file a task for this?

AGueyte added a comment.Apr 12 2023, 1:53 PM

Absolutely, T334597 created and point estimated.

Niharika added a subscriber: drochford.Apr 12 2023, 6:28 PM
In T331750#8775991, @Tchanders wrote:

@Niharika Do we know if Legal is happy with these?

VotePage::logVote()
Uses IPutils to store the IP into table 'securepoll_votes' and column 'vote_ip'
'vote_ip' => IPUtils::toHex( $request->getIP() )
Concerns about keeping the voter's IP in DB

(This is configured to be kept for 90 days by default - SecurePollKeepPrivateInfoDays)

I haven't checked with them yet but if the data stays for 90 days only then I don't think it would be an issue. I can double check with Madi.
I think it is also worth thinking about whether there is a user case for storing the user's temp username in the table alongside the IP address. Typically the purpose for storing IPs is to weed out sockpuppets. So it may not be necessary to store temporary usernames. I will suggest we stick to this assumption unless @drochford or someone else suggests otherwise.

In T331750#8771982, @AGueyte wrote:

The voter's IP appears on the Details Page Special:SecurePoll/details/267
Visible to any "admins"
$this->election->isAdmin

Screenshot 2023-04-11 at 11.53.14 AM.png (660×1 px, 95 KB)

This should be okay. Admins have the ability to view IPs under the new system. We can keep this as is.

Niharika added a comment.Apr 12 2023, 6:29 PM
In T331750#8776002, @Tchanders wrote:

LocalAuth::autoLogin()
Uses $user->isAnon to prevent logged out users to vote.
As for now, a temp account user can vote.
Suggestion: change to $user->isNamed

APIStrikeVote::execute()
Uses !$user->isRegistered() to prevent logged out users to vote
As for now, a temp account user can vote.
Suggestion: change to $user->isNamed

These make sense to me, since @Niharika is following the principle of parity between anon and temp users to begin with. @AGueyte Would you be happy to file a task for this?

+1 to what @Tchanders said.

Tchanders moved this task from Code Review 🔍 to QA/Testing 🐞 on the Anti-Harassment (AHaT Sprint 28: The Mad Hatter Hat) board.Apr 13 2023, 4:02 PM
Tchanders moved this task from QA/Testing 🐞 to Code Review 🔍 on the Anti-Harassment (AHaT Sprint 28: The Mad Hatter Hat) board.
AGueyte set the point value for this task to 2.Apr 13 2023, 5:17 PM
Base subscribed.Apr 13 2023, 5:29 PM
Tchanders moved this task from Code Review 🔍 to Done Q2 2022-2023 on the Anti-Harassment (AHaT Sprint 28: The Mad Hatter Hat) board.Apr 13 2023, 5:59 PM
Tchanders closed this task as Resolved.Jun 20 2023, 1:42 PM
Tchanders closed subtask T334421: BUG FIX: Display of SecurePoll logs as Resolved.
Tchanders closed subtask T334490: SecurePoll Vote Details returns SQL Error as Resolved.
Tchanders closed subtask T334597: Update User access to polls on SecurePoll as Resolved.Jun 20 2023, 1:44 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits