What is the problem?
As pointed out by @Dreamy_Jazz in T342790#9073530:
To combat the time that a user has to investigate whether a deleted revision was made by them, the check that ensures the API call was made within the last 30 minutes (T342134) could be placed before the check if the performer of the action is deleted.
Otherwise, if you didn't have permission to see the editor of a revision, you could infer whether or not it was created by you (or someone using the same IP as you) depending on what error you got back from the server. If the editor was not you (or your IP) you would fail the permission check and be told you were not the creator of the revision. If the editor was you, you would pass the permission check but fail the timeout check.
Steps to reproduce problem
- Install CheckUser (client hints will be enabled by default)
- In your LocalSettings.php, add $wgCheckUserClientHintsRestApiMaxTimeLag = 5;
- Make two edits to a page with Firefox, one logged out and one logged in
- Record the revision IDs of the two edits
- Log in as an admin, go to the history of the page you just edited
- Check the checkboxes next to the two edits and click "Change visibility of selected revisions"
- Next to "Editor's username/IP address" check the "Hidden" radio button and submit
- Run these two commands, replacing <rev id logged out> and <rev id logged in> with the IDs you found in step 4
```
curl 'http://localhost:8080/w/rest.php/checkuser/v0/useragent-clienthints/revision/<rev id logged out>' -H 'Content-Type: application/json' --data-raw '{"architecture":"","bitness":"64","brands":[{"version":"24","brand":"Not)A;Brand"},{"brand":"Chromium","version":"116"}],"fullVersionList":[{"version":"24.0.0.0","brand":"Not)A;Brand"},{"brand":"Chromium","version":"116.0.5845.96"}],"mobile":false,"model":"","platform":"Linux","platformVersion":"5.10.0"}'
curl 'http://localhost:8080/w/rest.php/checkuser/v0/useragent-clienthints/revision/<rev id logged in>' -H 'Content-Type: application/json' --data-raw '{"architecture":"","bitness":"64","brands":[{"version":"24","brand":"Not)A;Brand"},{"brand":"Chromium","version":"116"}],"fullVersionList":[{"version":"24.0.0.0","brand":"Not)A;Brand"},{"brand":"Chromium","version":"116.0.5845.96"}],"mobile":false,"model":"","platform":"Linux","platformVersion":"5.10.0"}'
```
Expected behavior: Both should return The revision <rev id> is too old to allow recording client hints data
Observed behavior:
- The <rev id logged out> command returns The revision <rev id> is too old to allow recording client hints data
- The <rev id logged in> command returns User 0 is not the author of revision <rev id>
Environment
Wiki(s): CheckUser 2.5 (999417f) 13:47, 28 August 2023.
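The effect of the check ordering can be modelled in a few lines. This is an added example, not CheckUser's own code: the function names, array keys and sample revisions are hypothetical, and only the two error messages and the 5-second lag come from this report.

```php
<?php
// Added model, not CheckUser's code. Function names and array keys are
// hypothetical; the two error messages are the ones quoted in this report.
const MAX_TIME_LAG = 5; // seconds, as set in the reproduction steps

function notAuthor(array $rev): string {
    // "User 0" because the requester in the reproduction is logged out.
    return "User 0 is not the author of revision {$rev['id']}";
}

function tooOld(array $rev): string {
    return "The revision {$rev['id']} is too old to allow recording client hints data";
}

// Ordering described in the report: authorship first, then age.
function authorFirst(array $rev, string $requester, int $now): string {
    if ($rev['author'] !== $requester) {
        return notAuthor($rev);
    }
    return ($now - $rev['timestamp'] > MAX_TIME_LAG) ? tooOld($rev) : 'recorded';
}

// Proposed ordering: age first, so an old revision always gets the same answer.
function ageFirst(array $rev, string $requester, int $now): string {
    if ($now - $rev['timestamp'] > MAX_TIME_LAG) {
        return tooOld($rev);
    }
    return ($rev['author'] !== $requester) ? notAuthor($rev) : 'recorded';
}

// True when the response reveals whether the requester wrote the revision.
function leaksAuthorship(callable $handler, array $mine, array $theirs, string $requester, int $now): bool {
    $strip = fn (array $rev) => str_replace((string)$rev['id'], '<rev id>', $handler($rev, $requester, $now));
    return $strip($mine) !== $strip($theirs);
}

// Constructed sample data: two revisions with hidden authors, both 60 s old.
$now = 1700000000;
$ip = '198.51.100.7';
$mine = ['id' => 101, 'author' => $ip, 'timestamp' => $now - 60];
$theirs = ['id' => 102, 'author' => 'ExampleUser', 'timestamp' => $now - 60];

echo 'author check first leaks: ', var_export(leaksAuthorship('authorFirst', $mine, $theirs, $ip, $now), true), "\n";
echo 'age check first leaks:    ', var_export(leaksAuthorship('ageFirst', $mine, $theirs, $ip, $now), true), "\n";
```

In this model the age-first ordering only makes the responses identical once a revision is older than the lag; inside that window the two responses still differ by authorship.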
QA Results - Local
AC | Status | Details |
---|---|---|
1 | ✅ | https://phabricator.wikimedia.org/T345165 |