
Enable Nuking of pages created by all temporary accounts which were used by an IP address
Open, Needs Triage, Public

Description

User story: As an administrator, I want to delete all pages created by an individual using a single IP address who used multiple temporary accounts, so that I can easily remove bad pages from my Wikimedia project.

Background

T340631: Does Nuke need substantial feature changes to retain current functionality with IP Masking?

When a temporary account is created for a user, a one-year cookie is created, during which time their contributions will be associated with this temporary account. Clearing the cookie will give the user a new temporary account on their next edit. Changing IP address will not change the user's temporary account. As such, a temporary account can be associated with multiple IP addresses over its lifespan (T325456).

Nuke is an extension which enables administrators to delete all pages created by a specific user or IP address and/or matching a particular page name pattern. This is used when a user - often a vandal - has created a large number of pages which need to be deleted, saving administrators time compared to deleting them individually. Per T341564, 33% of Nuke deletions target an unregistered user. On many wikis this is as high as 40-50%.

With IP masking and the introduction of per-user cookies, Nuke will actually be more effective against users who do not delete their cookies, as simply changing IP address will not move the user to a new 'account'. However, it also opens up a new attack vector for bad actors on our wikis. Preventing/deleting cookies is considerably easier for most users than cycling IP addresses, especially on a regular cadence or after each edit. It takes a very short amount of time to add Wikipedia to your browser's cookie-blocking list, at which point every edit will come from a new temporary account.

As such, we want to ensure that if a user disables cookies from Wikipedia, or clears them on a regular basis, and they vandalise a project by creating a large number of new pages, Nuke is still able to delete those pages. This will not be effective if the user also cycles their IP address, but this is already true.

Since administrators will need to opt in to view the IP addresses associated with a temporary account, we should not allow them to use Nuke on an IP address until they have opted in. This will only cause legacy-IP issues for ~30 days after IP masking is deployed, since IP page creations will no longer be in the recentchanges table after that.

Mockups

Current

Frame 1 (2).png (721×4 px, 124 KB)

Proposed (Illustrative, not final)

Frame 2.png (725×4 px, 153 KB)

TODO - design for what happens when an admin who hasn't opted in to the IP policy attempts to run Nuke on an IP address.

Technical approach

We will need to add CheckUser as a dependency so that we can look up temporary account IP addresses. See subtasks.

Acceptance criteria

When IP Masking is enabled on a project ...

  • Entering an IP address into Special:Nuke should fetch pages created by all temporary accounts used by that IP address.
  • Pages should be listed without explicitly linking them to an IP address or temporary account.
  • In this case the default edit summary should be "Mass deletion of pages added by temporary accounts."
  • The default nuke-tools message should be changed to "This tool allows for mass deletions of pages recently added by a given user or temporary account. Input the username to get a list of pages to delete, or leave blank for all users. Entering an IP address will get all pages created by temporary accounts used from that IP address."
  • The default nuke-list message should be changed to "The following pages were recently created by temporary accounts which were used from the IP address $1; put in a comment and hit the button to delete them. Do not write the IP address in the edit summary."
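
A minimal model of the acceptance criteria above, added here as an illustration and not Nuke or CheckUser code: it resolves an IP address to the temporary accounts seen from it, refuses the lookup for an admin who has not opted in, and returns page titles with no IP or account attached. The sample data and the names `nuke_list_for_ip`, `NotOptedIn` and `NukeList` are hypothetical; the in-memory lists stand in for the CheckUser lookup and the recentchanges table.

```python
from dataclasses import dataclass

# Constructed sample data (not from any wiki); account names are made up.
# (temp_account, ip) pairs standing in for a CheckUser-style lookup.
ACCOUNT_IPS = [
    ("temp-1001", "203.0.113.7"),
    ("temp-1002", "203.0.113.7"),    # same browser after cookies were cleared
    ("temp-1002", "198.51.100.9"),   # one temp account seen from a second IP
    ("temp-2001", "198.51.100.9"),
]
# (page title, creator) pairs standing in for recent page creations.
PAGE_CREATIONS = [
    ("Spam A", "temp-1001"),
    ("Spam B", "temp-1002"),
    ("Spam C", "temp-1002"),
    ("Good page", "temp-2001"),
    ("Essay", "RegisteredUser"),
]
DEFAULT_SUMMARY = "Mass deletion of pages added by temporary accounts."


class NotOptedIn(Exception):
    """The admin has not opted in to viewing temporary-account IP addresses."""


@dataclass
class NukeList:
    titles: list   # page titles only: no IP and no temp account attached
    summary: str


def nuke_list_for_ip(ip, admin_opted_in):
    # Gate first: targeting an IP exposes an IP-to-account link, so refuse
    # before any lookup happens.
    if not admin_opted_in:
        raise NotOptedIn("opt in to IP reveal before targeting an IP address")
    # Every temp account ever seen from this IP, however many cookies were cleared.
    accounts = {acct for acct, seen_ip in ACCOUNT_IPS if seen_ip == ip}
    # All pages created by those accounts, including ones made from another IP.
    titles = sorted(t for t, creator in PAGE_CREATIONS if creator in accounts)
    return NukeList(titles=titles, summary=DEFAULT_SUMMARY)


def summary_leaks_ip(summary, ip):
    # Simple substring check for "Do not write the IP address in the edit summary."
    return ip in summary
```

Because the match is on accounts rather than on the IP of each page creation, a temporary account seen from two addresses contributes all of its pages to the list for either address.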

Notes

Event Timeline

Samwalton9-WMF changed the task status from Open to Stalled. Jul 31 2023, 2:15 PM

Just noting that this is blocked awaiting Legal review.

Samwalton9-WMF changed the task status from Stalled to Open. Sep 19 2023, 2:00 PM
Samwalton9-WMF updated the task description.

We've received an OK for the mockups here and the mitigations we've placed on linking of IP addresses to temporary accounts.

We did find one new feature we need to consider, which I've documented in the task. Once we've got clarity on it we can finalise our designs.