User story: As an administrator, I want to delete all pages created by an individual using a single IP address who used multiple temporary accounts, so that I can easily remove bad pages from my Wikimedia project.
When a temporary account is created for a user, a one-year cookie is created, during which time their contributions will be associated with this temporary account. Clearing the cookie will give the user a new temporary account on their next edit. Changing IP address will not change the user's temporary account. As such, a temporary account can be associated with multiple IP addresses over its lifespan (T325456).
Nuke is an extension which enables administrators to delete all pages created by a specific user or IP address and/or matching a particular page name pattern. This is used when a user - often a vandal - has created a large number of pages which need to be deleted, saving administrators time compared to deleting them individually. Per T341564, 33% of Nuke deletions target an unregistered user. On many wikis this is as high as 40-50%.
With IP masking and the introduction of per-user cookies, Nuke will actually be more effective against users who do not delete their cookies, as simply changing IP address will not move the user to a new 'account'. However, it also opens up a new attack vector for bad actors on our wikis. Preventing/deleting cookies is considerably easier for most users than cycling IP addresses, especially on a regular cadence or after each edit. It takes a very short amount of time to add Wikipedia to your browser's cookie-blocking list, at which point every edit will come from a new temporary account.
As such, we want to ensure that if a user disables cookies from Wikipedia, or clears them on a regular basis, and they vandalise a project by creating a large number of new pages, Nuke is still able to delete those pages. This will not be effective if the user also cycles their IP address, but this is already true.
Since administrators will need to opt-in to view the IP addresses associated with a temporary account, we should not allow them to use Nuke on an IP address until they have opted-in. This will only cause legacy-IP issues for ~30 days after IP masking is deployed, since IP page creations will no longer be in the recentchanges table after then.
Proposed (Illustrative, not final)
TODO - design for what happens when an admin who hasn't opted-in to the IP policy attempts to run Nuke on an IP address.
We will need to add CheckUser as a dependency so that we can look up temporary account IP addresses. See subtasks.
When IP Masking is enabled on a project ...
- Entering an IP address into Special:Nuke should fetch pages created by all temporary accounts used by that IP address.
- Pages should be listed without explicitly linking them to an IP address or temporary account.
- In this case the default edit summary should be "Mass deletion of pages added by temporary accounts."
- The default nuke-tools message should be changed to "This tool allows for mass deletions of pages recently added by a given user or temporary account. Input the username to get a list of pages to delete, or leave blank for all users. Entering an IP address will get all pages created by temporary accounts used from that IP address."
- The default nuke-list message should be changed to "The following pages were recently created by temporary accounts which were used from the IP address $1; put in a comment and hit the button to delete them. Do not write the IP address in the edit summary."
- In T337089: [Epic] Implement global user contributions feature there is discussion/exploration of a feature to list all edits made from temporary accounts used from an IP address.