Page MenuHomePhabricator
Create Task
Maniphest T340146

Prevent temporary users from being able to submit incident reports
Closed, ResolvedPublic1 Estimated Story Points
Actions

Description

When Temporary accounts rolls out, making an edit as an anonymous user will grant you a temporary user account, which you can then use to make more edits. Temporary users can be harassed just like full account users, so it might make sense to allow temporary user accounts to submit reports as well.

But for now, we do not want to enable temporary accounts to submit reports, to limit potential for abusing the system. We currently deny temporary accounts at the end of ReportHandler::validateUserCanSubmitReport by checking ot see if the user has a confirmed email. But we should change the !$user->isRegistered() check at the beginning to look for !$user->isNamed()

Details

SubjectRepoBranchLines +/-
Precondition to check if the user initating a report is a temp usermediawiki/extensions/ReportIncidentmaster+149 -18
Customize query in gerrit

Related Objects

Event Timeline

JKieserman created this task.Jun 22 2023, 4:56 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 22 2023, 4:56 PM
kostajh updated the task description. (Show Details)Jul 5 2023, 3:48 PM
kostajh added subscribers: JSengupta-WMF, Madalina, kostajh.Sep 18 2023, 6:42 PM

cc @Madalina @JSengupta-WMF to think about.

kostajh added a comment.Sep 18 2023, 6:49 PM

See also T346680: Determine if users can report IP editors and temporary users, which is about the opposite situation: if registered users can report and reference comments made by temporary user accounts.

JayCano edited projects, added Trust and Safety Product Team; removed Trust and Safety Tools Team Backlog.Aug 28 2024, 3:11 PM
kostajh mentioned this in T378778: Finalize permissions for submitting emergency reports.Nov 6 2024, 9:52 AM
kostajh renamed this task from Validate if temporary users should be able to submit incident reports to Prevent temporary users from being able to submit incident reports.Nov 6 2024, 2:20 PM
kostajh updated the task description. (Show Details)
kostajh set the point value for this task to 1.
kostajh edited projects, added Trust and Safety Product Sprint (Sprint Accordion October 28 - November 15), Incident-Reporting-System (Pilot wiki release December 2024); removed Incident-Reporting-System.
kostajh removed a subscriber: JKieserman.
Madalina added a comment.EditedNov 7 2024, 11:40 AM

For the December MVP we do not want temporary accounts to submit reports. We should revisit this after pilot wiki releases.

Let's go ahead with this.

kostajh assigned this task to hector.arroyo.Nov 7 2024, 1:30 PM
kostajh moved this task from Backlog to In progress on the Incident-Reporting-System (Pilot wiki release December 2024) board.Nov 13 2024, 8:53 AM
hector.arroyo changed the task status from Open to In Progress.Nov 13 2024, 11:00 AM
hector.arroyo triaged this task as Medium priority.
hector.arroyo raised the priority of this task from Medium to Needs Triage.
gerritbot added a comment.Nov 13 2024, 12:02 PM

Change #1090833 had a related patch set uploaded (by Harroyo-wmf; author: Harroyo-wmf):

[mediawiki/extensions/ReportIncident@master] Precondition to check if the user initating a report is a temp user in ReportHandler

https://gerrit.wikimedia.org/r/1090833

gerritbot added a project: Patch-For-Review.Nov 13 2024, 12:02 PM
hector.arroyo moved this task from Priority Backlog to Needs review on the Trust and Safety Product Sprint (Sprint Accordion October 28 - November 15) board.Nov 14 2024, 12:05 PM
hector.arroyo added a comment.Nov 14 2024, 12:09 PM

Changes are already in review: https://gerrit.wikimedia.org/r/c/mediawiki/extensions/ReportIncident/+/1090833

gerritbot added a comment.Nov 14 2024, 1:35 PM

Change #1090833 merged by jenkins-bot:

[mediawiki/extensions/ReportIncident@master] Precondition to check if the user initating a report is a temp user

https://gerrit.wikimedia.org/r/1090833

hector.arroyo mentioned this in rEREIe4651e34e437: Precondition to check if the user initating a report is a temp user.Nov 14 2024, 1:36 PM
kostajh closed this task as Resolved.Nov 14 2024, 1:53 PM
kostajh moved this task from Needs review to Done on the Trust and Safety Product Sprint (Sprint Accordion October 28 - November 15) board.

In the interests of reducing the QA backlog, I think this can skip QA. There's no functional change in behavior from how things were before.

ReleaseTaggerBot added a project: MW-1.44-notes (1.44.0-wmf.4; 2024-11-19).Nov 14 2024, 2:00 PM
Maintenance_bot removed a project: Patch-For-Review.Nov 14 2024, 2:30 PM
mszabo moved this task from In progress to Done / QA on the Incident-Reporting-System (Pilot wiki release December 2024) board.Dec 12 2024, 1:15 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits