Page MenuHomePhabricator
Create Task
Maniphest T336187

[S] Investigate: Creating temp user on non-EditPage actions
Closed, ResolvedPublic
Actions

Description

Background

Currently, a temporary user is created if the first action performed by an anonymous user is edit (more specifically, if the action is performed via EditPage).

However, any other action performed first could cause an anonymous user to be created, stored in the actor table using the IP address as their name. If the action is a logged action, their IP address will still appear in the UI.

An example from core is uploading; an example from an extension is posting to a Flow board.

What should we do

We should specify the other actions in the configuration AutoCreateTempUser['actions'].

However, we also need to implement creating a temp user where these actions are performed. There is a TempUserCreator service which is called from EditPage, but EditPage also does a lot of other work, such as creating unsaved and placeholder temp users for permissions checks etc, for workflow prior to save (e.g. preview).

Questions:

  • What other actions should we create a temp user from? (Loggable actions should be flagged by searching for ManualLogEntry.)
  • Do the other actions need to do much more than calling TempUserCreator::create? Anything that we should factor out to somewhere common?
  • Do we need to re-implement temp user creation for each action, or is there somewhere common we should do this from?
  • Can we provide an API for creating temporary users, for JS-only features that need to create a new user?

Details

SubjectRepoBranchLines +/-
PermissionManager: Check autocreate actions against temporary usermediawiki/coremaster+4 -3
DNM Demo: Creating a temporary user for 'upload' actionmediawiki/coremaster+29 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

Tchanders created this task.May 8 2023, 5:09 PM
Tchanders mentioned this in T336195: Don't set an anonymous user's name to their IP address if IP Masking is enabled.May 8 2023, 6:33 PM
Tchanders updated the task description. (Show Details)Jul 7 2023, 1:12 PM
Tchanders claimed this task.Jul 7 2023, 1:15 PM
Cparle mentioned this in T340540: Update WikibaseMediaInfo for IP Masking.Jul 7 2023, 1:53 PM
Cparle subscribed.Jul 12 2023, 10:01 AM
Tchanders edited projects, added Anti-Harassment (AHaT Sprint 32 - Baseball Cap); removed Anti-Harassment.Aug 14 2023, 4:36 PM
Tchanders moved this task from Ready 🎬 (ONLY IF YOU HAVE NO MORE CODE TO REVIEW) to In Progress 💪 on the Anti-Harassment (AHaT Sprint 32 - Baseball Cap) board.Aug 15 2023, 4:57 PM
Tchanders added a comment.Aug 16 2023, 5:31 PM

EditPage also does a lot of other work, such as creating unsaved and placeholder temp users for permissions checks etc, for workflow prior to save (e.g. preview).

Expanding a bit on what EditPage does:

  1. For permissions checks, creates a placeholder temporary user (UserFactor::newTempPlaceholder)
  2. For displaying a temporary user name in a preview, acquires a name (TempUserCreator::acquireAndStashName) and creates a temporary user without saving it (UserFactory::newUnsavedTempUser)
  3. On saving an edit, saves a temporary user (TempUserCreator::create, using the acquired name)
  4. Alters the post edit cookie, so that an explanatory popup can be added (mediawiki.action.view.postEdit)

Note that (1) is necessary if the following are set:

$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['temp']['edit'] = true;

...otherwise permissions checks will fail on the IP user before a temporary user is ever created.

Editing APIs

They will probably at least need to do (1), e.g. T342770: Can't edit any page via visual editor while not logged into an account or a temporary account was caused by VisualEditor not doing (1). As part of that task ApiEditPage was updated to do (1).

If there are any editing APIs that don't fall through to EditPage, they would also need to do (3).

All actions

All actions will probably need to do at least (1) and (3).

If there are associated previews that display a user name, they would need (2).

Depending on the feature, (4) may be required for a better user experience.

Is there anything we can do to centralise some of this?

  • EditPage and ApiEditPage currently create a new unsaved temp user to check permissions. Does this need repeating everywhere? PermissionManager::getPermissionErrorsInternal will create a placeholder temporary user for permissions checks of actions that cause temp user autocreation, but only currently for RIGOR_QUICK.
  • The temp user popup is implemented in mediawiki.action.view.postEdit.js - maybe we should put it somewhere reusable.
Tchanders mentioned this in T326816: [Epic] Update features for temporary accounts.Aug 28 2023, 9:37 AM
kostajh subscribed.Aug 28 2023, 9:45 AM
Lucas_Werkmeister_WMDE subscribed.Aug 28 2023, 10:07 AM
Lucas_Werkmeister_WMDE mentioned this in T343799: [8 hr] Investigate places where Wikibase distinguishes between anonymous and registered users.Aug 28 2023, 10:11 AM
gerritbot added a comment.Sep 4 2023, 4:21 PM

Change 954721 had a related patch set uploaded (by Tchanders; author: Tchanders):

[mediawiki/core@master] DNM Demo: Creating a temporary user for 'upload' action

https://gerrit.wikimedia.org/r/954721

gerritbot added a project: Patch-For-Review.Sep 4 2023, 4:21 PM
Tchanders added a comment.EditedSep 4 2023, 4:31 PM
In T336187#9140870, @gerritbot wrote:

Change 954721 had a related patch set uploaded (by Tchanders; author: Tchanders):

[mediawiki/core@master] DNM Demo: Creating a temporary user for 'upload' action

https://gerrit.wikimedia.org/r/954721

This is an example of what I think is the minimum that would need to be done to auto-create a temporary user for a non-edit action (using the example of upload). Note that:

  • This assumes that permissions checks are centralised (see T336187#9140953)
  • This doesn't display any indication after the upload has finished that a temporary account was created

Testing this example:

  1. Set config:
$wgAutoCreateTempUser['enabled'] = true;
$wgAutoCreateTempUser['actions'][] = 'upload';
$wgEnableUploads = true;
$wgGroupPermissions['temp']['upload'] = true;
$wgGroupPermissions['*']['upload'] = true;
  1. Log out
  2. Upload a file, e.g. via Special:Upload (note that UploadWizard will fail with UploadStashNotLoggedInException)
  3. Observe that a new temporary user is created
Tchanders added a subscriber: tstarling.EditedSep 4 2023, 4:44 PM

Is there anything we can do to centralise some of this?

  • EditPage and ApiEditPage currently create a new unsaved temp user to check permissions. Does this need repeating everywhere? PermissionManager::getPermissionErrorsInternal will create a placeholder temporary user for permissions checks of actions that cause temp user autocreation, but only currently for RIGOR_QUICK.

Permissions checks are made complicated by this situation:

$wgAutoCreateTempUser['actions'][] = 'someaction';
$wgGroupPermissions['*']['someaction'] = false;
$wgGroupPermissions['temp']['someaction'] = true;

Currently, if someaction is in the list $wgAutoCreateTempUser['actions'], then an anonymous user (i.e. in group * but not temp) is allowed to do it. However, when doing full checks via the PermissionManager, we check the anonymous user's rights. EditPage must therefore create a placeholder temporary user for permissions checks, to pass to the PermissionManager for full checks, and so must the other actions too. This seems like a fairly complicated step to ask each action to take.

We could do away with the placeholder temporary user for permission checks with either of the following:

  • Insist that $wgGroupPermissions['*']['someaction'] be set to true, otherwise a temporary account can't be created by performing that action
  • Have the PermissionManager always check against a temporary user for actions in the list $wgAutoCreateTempUser['actions'] (when checking for an anon user)

@Niharika @tstarling Would you have concerns about either of those approaches, or a preference for either?

Tchanders moved this task from In Progress 💪 to Needs Design/Product 🎨 on the Anti-Harassment (AHaT Sprint 32 - Baseball Cap) board.Sep 5 2023, 12:46 PM
Michael subscribed.Sep 6 2023, 9:16 AM
Tchanders added a comment.Sep 6 2023, 12:21 PM
In T336187#9140953, @Tchanders wrote:

We could do away with the placeholder temporary user for permission checks with either of the following:

  • Insist that $wgGroupPermissions['*']['someaction'] be set to true, otherwise a temporary account can't be created by performing that action
  • Have the PermissionManager always check against a temporary user for actions in the list $wgAutoCreateTempUser['actions'] (when checking for an anon user)

@Niharika @tstarling Would you have concerns about either of those approaches, or a preference for either?

Spoke with @Niharika, who is happy with either option, with a preference for the second one.

Michael mentioned this in T328454: [TECH][IPM] Investigate ramifications of IP masking on Wikidata related extensions.Sep 6 2023, 12:36 PM
drochford unsubscribed.Sep 6 2023, 2:14 PM
gerritbot added a comment.Sep 8 2023, 5:36 PM

Change 955979 had a related patch set uploaded (by Tchanders; author: Tchanders):

[mediawiki/core@master] PermissionManager: Check autocreate actions against temporary user

https://gerrit.wikimedia.org/r/955979

Tchanders mentioned this in T346166: Create a temporary account explicitly.Sep 19 2023, 4:42 PM
Tchanders moved this task from Needs Design/Product 🎨 to In Progress 💪 on the Anti-Harassment (AHaT Sprint 32 - Baseball Cap) board.Oct 16 2023, 10:27 AM
karapayneWMDE subscribed.Oct 17 2023, 12:49 PM
Tchanders renamed this task from Create temp user on non-edit actions to Investigate: Creating temp user on non-EditPage actions.Oct 17 2023, 5:17 PM
Tchanders updated the task description. (Show Details)
Tchanders mentioned this in T349129: [Epic] Workflows that create an IP (anon) actor should create a temporary user actor instead.Oct 17 2023, 6:14 PM
Tchanders added a subscriber: matmarex.Oct 18 2023, 4:09 PM
  • What other actions should we create a temp user from? (Loggable actions should be flagged by searching for ManualLogEntry.)

Filed as a subtask: T349219: [M] Investigate: Which workflows create an IP actor?

Do the other actions need to do much more than calling TempUserCreator::create? Anything that we should factor out to somewhere common?

Do we need to re-implement temp user creation for each action, or is there somewhere common we should do this from?
Can we provide an API for creating temporary users, for JS-only features that need to create a new user?

As discussed in T340540#9201679, each workflow should create a temporary account. This should be done via the PHP handler that's performing the update.

If we discover any JS-only workflows that handle the logic of doing whatever database update the action performs, and creating the actor, etc, then they might need a temporary account creator API. @matmarex Does such a workflow sound likely/possible?

Tchanders added subscribers: STran, Dreamy_Jazz.Oct 18 2023, 4:10 PM
matmarex added a comment.Oct 18 2023, 6:16 PM
In T336187#9262568, @Tchanders wrote:

If we discover any JS-only workflows that handle the logic of doing whatever database update the action performs, and creating the actor, etc, then they might need a temporary account creator API. @matmarex Does such a workflow sound likely/possible?

Sounds possible but unlikely.

Tchanders edited projects, added Trust and Safety Tools Team Backlog (Kanban); removed Anti-Harassment (AHaT Sprint 32 - Baseball Cap).Oct 19 2023, 2:44 PM
Tchanders edited projects, added Anti-Harassment (AHaT Sprint 32 - Baseball Cap); removed Trust and Safety Tools Team Backlog (Kanban).Oct 19 2023, 2:56 PM
Tchanders added a comment.Oct 20 2023, 2:20 PM

This can almost be closed (or stalled pending the tasks in T336187#9262568).

I think the only outstanding thing to figure out is what to do about checking permissions for an anon attempting to perform an action that would make them a temporary account (described in T336187#9140953). This is being discussed on https://gerrit.wikimedia.org/r/c/mediawiki/core/+/955979/

Tchanders edited projects, added Trust and Safety Product Sprint; removed Anti-Harassment (AHaT Sprint 32 - Baseball Cap).Oct 27 2023, 11:57 AM
Tchanders renamed this task from Investigate: Creating temp user on non-EditPage actions to [S] Investigate: Creating temp user on non-EditPage actions.Oct 30 2023, 4:26 PM
Tchanders edited projects, added Trust and Safety Product Sprint (Sprint Bodhrán); removed Trust and Safety Product Sprint.
kostajh moved this task from Priority Backlog to Needs review on the Trust and Safety Product Sprint (Sprint Bodhrán) board.Oct 30 2023, 4:37 PM
Tchanders added a comment.EditedNov 17 2023, 6:53 PM

Following further discussion, here's what we'll do:

  1. To allow features that need to create temporary accounts to keep their existing permissions checks and rights config, we''ll do this (from T336187#9140953):

Insist that $wgGroupPermissions['*']['someaction'] be set to true, otherwise a temporary account can't be created by performing that action

  1. To guard against accidentally creating an IP actor (because IP actors will now pass permissions checks), do the following:
    • Ensure an IP actor can't be created if temp accounts are enabled (T345578)
    • Proactively look for workflows that create an IP actor (T349219)
    • Look for workflows that save the IP address other than through the actor table (e.g. like Flow: T345578#9290889) (T352914)
  2. Allow importing to create an IP actor, as a special case, for old edits assigned to IP actors from before temporary accounts were enabled (T350155#9341746)
Tchanders closed this task as Resolved.Nov 17 2023, 6:54 PM
Tchanders moved this task from Needs review to Done on the Trust and Safety Product Sprint (Sprint Bodhrán) board.

We can close this investigation. Follow-up work is filed (or referenced and about to be filed) in the links in the comments above.

gerritbot added a comment.Nov 17 2023, 6:56 PM

Change 955979 abandoned by Tchanders:

[mediawiki/core@master] PermissionManager: Check autocreate actions against temporary user

Reason:

We're going in the opposite direction: T336187#9341749, and don't want to check anon permissions against temporary accounts at higher rigor levels

https://gerrit.wikimedia.org/r/955979

Tchanders mentioned this in T350116: Block messages duplicated for anonymous user with IP Masking enabled.Nov 27 2023, 1:03 PM
Michael mentioned this in T326908: Update WMDE Engineering-owned products that may be affected by IP Masking.Nov 27 2023, 1:06 PM
Tchanders mentioned this in T352914: Investigate: Which extensions save IP addresses.Dec 6 2023, 8:51 PM
Tchanders mentioned this in T353565: Investigate: Do we still need to use a placeholder temporary account for permissions checks in EditPage?.Dec 15 2023, 10:51 PM
Tchanders mentioned this in T342880: Decide what the rate limit should be for temporary account creations.Jan 17 2024, 10:43 AM
kostajh closed subtask T349219: [M] Investigate: Which workflows create an IP actor? as Resolved.Sep 11 2024, 2:39 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits