Page MenuHomePhabricator
Create Task
Maniphest T340540

Update WikibaseMediaInfo for IP Masking
Closed, ResolvedPublic
Actions

Assigned To
Cparle
Authored By
Cparle
Jun 27 2023, 11:32 AM
Tags
Referenced Files
F43362404: Screen Shot 2024-03-25 at 12.57.15 PM.png
Mar 25 2024, 8:06 PM
F42554210: Screen Shot 2024-03-11 at 12.57.47 PM.png
Mar 11 2024, 8:19 PM
F41601761: image.png
Dec 15 2023, 2:44 PM
Subscribers
Aklapper
Cparle
Etonkovidova
matmarex
Niharika
Tchanders

Description

IP Masking means that we create a temporary account for any user that's editing without being logged in. More details on how temporary account work here, and more details on what to look for when adapting an extension to handle temporary accounts is here

Quick searches for relevant code in the WikibaseMediaInfo extension is here and here

We'll need to decide whether a temp user should get the constraint checks (probably not?)

To enable temporary accounts in your local dev env, add this to LocalSettings.php

$wgAutoCreateTempUser['enabled'] = true;

Before when you edited structured data anonymously the wikibase api calls recorded your IP address (to see this in action edit some SD on a file on commons, then look in RecentChanges to see your IP address). Since T349130 the wikibase api calls that we use create a temp user, and return it in the api response

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Only show constraint check results for actually logged in usersmediawiki/extensions/WikibaseMediaInfomaster+3 -4
Inform the user if a temp user has been created while they were editing structured datamediawiki/extensions/WikibaseMediaInfomaster+29 -7
Customize query in gerrit

Related Objects
Search...

Event Timeline

Cparle created this task.Jun 27 2023, 11:32 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 27 2023, 11:32 AM
Cparle added a parent task: T326884: [XL] Update Structured Data Team-owned products that may be affected by IP Masking.Jun 27 2023, 11:32 AM
Cparle added a project: Temporary accounts.Jun 28 2023, 10:11 AM
AUgolnikova-WMF moved this task from Triage to Current Work on the Structured-Data-Backlog board.Jul 3 2023, 4:34 PM
AUgolnikova-WMF edited projects, added Structured-Data-Backlog (Current Work); removed Structured-Data-Backlog.
AUgolnikova-WMF moved this task from Incoming to Ready for Estimation on the Structured-Data-Backlog (Current Work) board.Jul 3 2023, 4:38 PM
Cparle claimed this task.Jul 6 2023, 2:07 PM
Cparle moved this task from Ready for Estimation to Doing on the Structured-Data-Backlog (Current Work) board.
Cparle updated the task description. (Show Details)Jul 7 2023, 1:53 PM
Cparle updated the task description. (Show Details)
Cparle moved this task from Doing to Blocked on the Structured-Data-Backlog (Current Work) board.Jul 10 2023, 11:16 AM
Cparle mentioned this in T345212: [QA task] IP masking - testing temp user workflows on commons.Sep 18 2023, 3:48 PM
Tchanders added subscribers: matmarex, Tchanders.Sep 25 2023, 3:52 PM

Following a discussion with @Cparle, it seems clear we need to create a new temporary user when an anonymous user first edits structured data. This is an example of the need for T336187: [S] Investigate: Creating temp user on non-EditPage actions.

We're considering two approaches:

The first seems better to me, but I wonder if there's a general need for the second.

@matmarex As someone who has had to create temp users from a few different places (albeit action=edit), do you have any thoughts?

matmarex added a comment.Sep 26 2023, 11:36 PM
In T340540#9196051, @Tchanders wrote:

We're considering two approaches:

The first seems better to me, but I wonder if there's a general need for the second.

The first also seems more natural to me. The second one would work as well, it just makes different tradeoffs.

The tradeoffs are:

  1. With first approach, some logic has to be re-implemented in each API module: 1) accept "returnto" parameters 2) if logged-out, create an unsaved temp user at the start 3) use it for permission checks throughout 4) once you've checked everything and are sure that the action will go through, save the user 5) return whether a temp user was created, and the result of running the onTempUserCreatedRedirect() hook with the "returnto" parameters. However, a lot of this logic could probably be shared, using something similar to ApiWatchlistTrait.
  2. With second approach, this logic only goes into the core API module, but you instead need to figure out some anti-abuse mechanisms for the core module (like adding rate limits and log entries) that aren't needed otherwise because we just rely on the action itself (e.g. saving an edit) already having them. It also would introduce a small change to IP masking concepts, as temporary users with no recorded actions could now exist. Also, you would need to perform two API requests client-side in order and combine their results, which can be annoying to introduce in legacy code (but not a big deal if you use standard promises or async/await in modern code).
  3. With both approaches, you still need to change the client-side code in a similar way: if a temp user was created, it needs to redirect to the URL given by the API result to complete central login with the temp user name; when sending the API requests, it needs to set up the "returnto" parameters to allow the user to be redirected back to your interface; and once the user returns, it should show the user a confirmation that their action succeeded and that they're now using a temporary account. Implementing all of this was the most laborious part in my experience.

Overall, I would suggest the first approach, unless we discover that we have API modules that must support logged-out actions and for some reason absolutely can't be modified. The second approach may be slightly faster to implement, but it adds complexity for the users (patrollers) and in the site configuration.

Cparle added a comment.Sep 27 2023, 11:11 AM

FWIW the first seems more natural to me too.

Just want to make sure my mental model of this is correct:

  • user clicks "edit" in the structured data tab on the File page
  • they make a change and click "publish", which sends a request to a wikibase api endpoint
  • client side code checks the "returnto" param, and if it's populated loads that page (which will in this case just be the File page the user is already on)

Is that about right?

matmarex added a comment.Sep 29 2023, 12:27 AM

Yeah, pretty much.

Niharika subscribed.Oct 13 2023, 6:43 AM
Tchanders mentioned this in T349130: Create a temporary user from ApiSetClaim.Oct 17 2023, 6:26 PM
Tchanders mentioned this in T349223: [S] Make trait for APIs to create a temporary account.Oct 18 2023, 4:05 PM
Tchanders mentioned this in T336187: [S] Investigate: Creating temp user on non-EditPage actions.Oct 18 2023, 4:09 PM
Michael mentioned this in T326908: Update WMDE Engineering-owned products that may be affected by IP Masking.Nov 27 2023, 1:06 PM
Tchanders mentioned this in T349219: [M] Investigate: Which workflows create an IP actor?.Dec 11 2023, 1:09 PM
Cparle moved this task from Blocked to Doing on the Structured-Data-Backlog (Current Work) board.Dec 11 2023, 5:14 PM
gerritbot added a comment.Dec 15 2023, 2:36 PM

Change 983423 had a related patch set uploaded (by Cparle; author: Cparle):

[mediawiki/extensions/WikibaseMediaInfo@master] Inform the user is a tempuser has been created while they were editing structured data

https://gerrit.wikimedia.org/r/983423

gerritbot added a project: Patch-For-Review.Dec 15 2023, 2:36 PM
Cparle added a comment.Dec 15 2023, 2:44 PM

@matmarex ... are we sure we need the returnto? Would the little 'temporary account created' popup suffice? If it would that simplifies things quite a bit

image.png (184×420 px, 25 KB)

(I took the returnto part out of @Tchanders patch but I can put it back in if you feel strongly about it)

Cparle moved this task from Doing to Code Review on the Structured-Data-Backlog (Current Work) board.Dec 15 2023, 4:13 PM
Cparle updated the task description. (Show Details)Jan 23 2024, 2:52 PM
Cparle added a comment.Jan 23 2024, 2:59 PM

Ok the wikibase patch has been merged, so this is now ready for review

Note that:

  • when a temp user is created as a result of structured data edits we don't immediately add the black bar on top the user interface - we just show a popup informing the user (and the black bar will be displayed when they reload or navigate away from the page)
  • constraint checks are enabled for non-temporary logged-in users only
Cparle updated the task description. (Show Details)Jan 23 2024, 3:00 PM
matthiasmullie moved this task from Code Review to Needs QA on the Structured-Data-Backlog (Current Work) board.Feb 14 2024, 2:19 PM
gerritbot added a comment.Feb 14 2024, 2:47 PM

Change 983423 merged by jenkins-bot:

[mediawiki/extensions/WikibaseMediaInfo@master] Inform the user if a temp user has been created while they were editing structured data

https://gerrit.wikimedia.org/r/983423

ReleaseTaggerBot added a project: MW-1.42-notes (1.42.0-wmf.19; 2024-02-20).Feb 14 2024, 3:00 PM
Maintenance_bot removed a project: Patch-For-Review.Feb 14 2024, 3:31 PM
Cparle moved this task from Needs QA to Doing on the Structured-Data-Backlog (Current Work) board.Feb 20 2024, 4:41 PM
Cparle moved this task from Doing to Needs QA on the Structured-Data-Backlog (Current Work) board.Mar 11 2024, 4:31 PM
Etonkovidova subscribed.EditedMar 11 2024, 8:19 PM

Checked on commons beta.
When a first edit is a Structured data edit following the steps below( the steps are from @Cparle's comment on the task)

- user clicks "edit" in the structured data tab on the File page
- they make a change and click "publish"

the result is

  • a temp user is created
  • the black bar on top of the user interface is not displayed (as per this comment;
  • the popup is displayed
  • an edit is successfully recorded in View History, Special:Contributions, and on ReceentChanges

However, the black bar never appears - reloading a page, navigating away, and doing more edits don't result in displaying it. The toolbar has "Exit session" link though:

Screen Shot 2024-03-11 at 12.57.47 PM.png (386×1 px, 42 KB)

Should it be resolved as a part of this task? Or a separate task should be filed?

Cparle added a comment.Mar 19 2024, 12:38 PM

@Etonkovidova I get the same behaviour on https://de.wikipedia.beta.wmflabs.org/ ... maybe it's just beta?

Etonkovidova added a comment.EditedMar 21 2024, 5:51 PM
In T340540#9641677, @Cparle wrote:

@Etonkovidova I get the same behaviour on https://de.wikipedia.beta.wmflabs.org/ ... maybe it's just beta?

Interesting - temp users handling is different on cswiki betalabs vs dewiki betalabs. I'll follow up on it, thx, @Cparle!

Etonkovidova added a comment.EditedMar 25 2024, 7:40 PM
In T340540#9651090, @Etonkovidova wrote:
In T340540#9641677, @Cparle wrote:

@Etonkovidova I get the same behaviour on https://de.wikipedia.beta.wmflabs.org/ ... maybe it's just beta?

Interesting - temp users handling is different on cswiki betalabs vs dewiki betalabs. I'll follow up on it, thx, @Cparle!

@Cparle - this is due to the Vector Legacy skin being default for some wiki (including commons); there is a task - T339377: Provide temporary accounts banner for legacy Vector
The list of wikis with Vector Legacy deafault: https://noc.wikimedia.org/conf/highlight.php?file=dblists/legacy-vector.dblist

Etonkovidova closed this task as Resolved.Mar 25 2024, 8:06 PM

The scope of the task is done - commmons beta displays the popup as per https://phabricator.wikimedia.org/T340540#9409417 and a temp user account is properly recorded in History, Contributions and Recent changes etc

Screen Shot 2024-03-25 at 12.57.15 PM.png (602×1 px, 112 KB)

In T340540#9481387, @Cparle wrote:

Note that:

  • when a temp user is created as a result of structured data edits we don't immediately add the black bar on top the user interface - we just show a popup informing the user (and the black bar will be displayed when they reload or navigate away from the page)
  • constraint checks are enabled for non-temporary logged-in users only

The dark baar behavior is blocked by T339377: Provide temporary accounts banner for legacy Vector.

Added this task to T341839: [QA task] IP masking - temp users testing in production.

gerritbot added a comment.Aug 14 2025, 1:35 PM

Change #1178877 had a related patch set uploaded (by Lucas Werkmeister (WMDE); author: Lucas Werkmeister (WMDE)):

[mediawiki/extensions/WikibaseMediaInfo@master] Only show constraint check results for actually logged in users

https://gerrit.wikimedia.org/r/1178877

Restricted Application added a project: Trust and Safety Product Team. · View Herald TranscriptAug 14 2025, 1:35 PM
gerritbot added a project: Patch-For-Review.Aug 14 2025, 1:35 PM
gerritbot added a comment.Aug 14 2025, 3:51 PM

Change #1178877 merged by jenkins-bot:

[mediawiki/extensions/WikibaseMediaInfo@master] Only show constraint check results for actually logged in users

https://gerrit.wikimedia.org/r/1178877

ReleaseTaggerBot added a project: MW-1.45-notes (1.45.0-wmf.15; 2025-08-19).Aug 14 2025, 4:00 PM
Maintenance_bot removed a project: Patch-For-Review.Aug 14 2025, 4:31 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits