Page MenuHomePhabricator

Private filters should not be visible in recent changes
Open, NormalPublic

Description

When a vandal is active, and someone creates/changes a private abusefilter to stop him, there will be a log event in recent changes, available for the vandal to see. This can draw unwanted attention to the feature. Such log events should be hidden from users without the abusefilter-viewprivate right.

Details

Reference
bz32959

Event Timeline

bzimport raised the priority of this task from to Normal.Nov 22 2014, 12:00 AM
bzimport added a project: AbuseFilter.
bzimport set Reference to bz32959.
bzimport added a subscriber: Unknown Object (MLST).
Tgr created this task.Dec 11 2011, 8:39 AM
Pine added a comment.Jun 5 2012, 4:31 AM

How would we prevent the vandal from seeing logs that are set to public? This is the nature of public abusefilters.

I'm not sure this is a bug. If you look at [[Special:Log/abusefilter]], you can't see any information besides timestamp, user, and filter number for a private filter. None of that information should be private really.

(In reply to comment #2)

How would we prevent the vandal from seeing logs that are set to public? This
is the nature of public abusefilters.

I think the bug only covers private filters.

Tgr added a comment.Dec 14 2012, 7:48 PM

The point is that a vandal who, until then, maybe did not even know that there are such things as edit filters, will easily realize that he is being tracked by such a filter by looking at the Recent Changes page. Vandals usually do not look at system logs, but they do look at RC.

(In reply to comment #4)

The point is that a vandal who, until then, maybe did not even know that
there
are such things as edit filters, will easily realize that he is being
tracked
by such a filter by looking at the Recent Changes page.

How would the vandal know that that specific filter was for xyr if they can only see the filter #? And wouldn't a vandal know they are being tracked as soon as they see that their edits are being blocked by the filter?

Vandals usually do
not
look at system logs, but they do look at RC.

I'm not seeing how hiding this information in once place but not in another is advantageous, and will prevent exploitation of the filters.

Tgr added a comment.Dec 14 2012, 9:23 PM

(In reply to comment #5)

How would the vandal know that that specific filter was for xyr if they can
only see the filter #?

From the timing, especially on smaller wikis. If you are vandalizing, your edits are refused, you change your pattern, you get through, but after a few edits you are refused again, and the same time an RC entry appears about abuse filter changes, that is kind of obvious.

And wouldn't a vandal know they are being tracked as
soon as they see that their edits are being blocked by the filter?

Sure, but the filter messages in themselves do not give you much information about what is going on (not enough to abuse it, anyway). Pointing them to the AbuseFilter page, which further points them to the documentation, with details of how exactly the tool works, is unhelpful.

I'm not seeing how hiding this information in once place but not in another
is advantageous, and will prevent exploitation of the filters.

Ideally it should be hidden everywhere (given that the log does not say anything useful, and all the links do not work if you have no privileges, there is no point to showing them anyway - it is bad UX design to put links before the user and only notify him after he clicks that he is not allowed to use them), but hiding it on the page which abusers are reading is more important than hiding it on pages they are not reading.

Ok, I think it makes enough sense to work on this.

I looked into it, and MediaWiki itself doesn't support hiding log entries to a certain usergroup, so a patch to MediaWiki core would needed to support this.

Luis150902 moved this task from Backlog to Filter privacy on the AbuseFilter board.Apr 2 2018, 5:10 PM
Daimona updated the task description. (Show Details)May 5 2018, 5:53 PM
Daimona added a subscriber: Daimona.May 5 2018, 5:56 PM

This is actually doable, we only need to set a LogRestriction on abusefilter log (the one in Special:Log for creations/edits). The question is: who should be able to see it? To me abusefilter-view-private sounds like an exaggeration, while abusefilter-view may be reasonable.

Vedmaka added a subscriber: Vedmaka.Sep 9 2018, 6:21 PM
DannyS712 added a subscriber: DannyS712.

This is actually doable, we only need to set a LogRestriction on abusefilter log (the one in Special:Log for creations/edits). The question is: who should be able to see it? To me abusefilter-view-private sounds like an exaggeration, while abusefilter-view may be reasonable.

Claiming to add the requirement that users have abusefilter-view in order to be able to view abusefilter log entries (log entries in Special:Log, not in Special:AbuseLog)

Restricted Application added a project: User-DannyS712. · View Herald TranscriptSun, Sep 15, 10:35 PM

This is actually doable, we only need to set a LogRestriction on abusefilter log (the one in Special:Log for creations/edits). The question is: who should be able to see it? To me abusefilter-view-private sounds like an exaggeration, while abusefilter-view may be reasonable.

Claiming to add the requirement that users have abusefilter-view in order to be able to view abusefilter log entries (log entries in Special:Log, not in Special:AbuseLog)

Yes, probably. Sounds like the best choice. However, with regard to my first comment, I should note that it won't really solve the problem described in this task. Restricting Special:Log/abusefilter to abusefilter-view is IMHO necessary, and will help mitigate the issue (especially for anons). But there's no way (AFAIK) to specify different visibility levels for different log entries.