Steps to replicate the issue (include links if applicable):
Unsure of the exact steps, however I think it would probably occur using the following:
- Create a "wiki farm" (using CentralAuth or other method) that has shared accounts with at least two wikis.
- Create an AbuseFilter that targets usernames on a wiki 1 and logs when a hit occurs.
- Create an account on wiki 2 that would match the AbuseFilter on wiki 1
- Open a page on wiki 1 to cause an autocreation.
What happens?:
The AbuseFilter entry shows the performer as an account, but the action as shown in the CheckUser tool is marked as being performed by the IP address that created the account.
What should have happened instead?:
The log should be consistent between what is shown in the AbuseFilter log and what is shown in CheckUser. There is no need to show the IP as the performer in CheckUser, as the IP would already be shown just below as is done for logged in users.
Software version (skip for WMF-hosted wikis like Wikipedia):
English Wikipedia
Other information (browser name/version, screenshots, etc.):
I found this on the English Wikipedia. The example I found was https://en.wikipedia.org/wiki/Special:AbuseLog/35622396 (I found this while running CheckUser on the account for https://en.wikipedia.org/wiki/Wikipedia:Sockpuppet_investigations/Oli2000s). The account creation log entry appears before the AbuseFilter log entry in the CheckUser results which suggests that the account was created before the AbuseFilter log entry was sent to CheckUser.