Page MenuHomePhabricator
Create Task
Maniphest T355430

Allow temporary accounts to be blocked with 'hideuser'
Closed, ResolvedPublic1 Estimated Story PointsSecurity
Actions

Assigned To
Dreamy_Jazz
Authored By
Dreamy_Jazz
Jan 19 2024, 2:57 PM
Tags
Referenced Files
F41714876: 2024-01-24_12-31-47.png
Jan 24 2024, 10:39 PM
F41714874: 2024-01-24_12-15-17.png
Jan 24 2024, 10:39 PM
F41714872: 2024-01-24_12-14-36.png
Jan 24 2024, 10:39 PM
F41714870: 2024-01-24_12-13-26.png
Jan 24 2024, 10:39 PM
F41714868: 2024-01-24_12-10-37.png
Jan 24 2024, 10:39 PM
Subscribers
Aklapper
Djackson-ctr
dom_walden
Dreamy_Jazz
GMikesell-WMF
Johannnes89
kostajh
View All 11 Subscribers

Description

In T343705: Ensure temporary accounts cannot be suppressed via "hideuser", changes were made so that temporary accounts could not be blocked with hideuser enabled. This was done so that they would be similar to IP addresses (which cannot be blocked with hideuser).

However, if a user was to accidentally log out they could make edits using a temporary account. While this does not immediately display their IP address, the CheckUser extension allows users to reveal the IP used by a given temporary account. Therefore, by allowing temporary accounts to be blocked with hideuser enabled the IP address associated with the temporary account can be hidden from all but users with the ability to see suppressed information.

Investigation

  • Should the ability to block a temporary account with hideuser enabled be dependent on a configuration setting or be allowed in all situations.
Acceptance criteria
  • It should be possible to block temporary users with the hideuser option enabled, either by allowing in all cases or when a configuration setting is set.

QA Results - Local

ACStatusDetails
1https://phabricator.wikimedia.org/T355430 here

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Allow temporary accounts to be blocked with 'hideuser' enabledmediawiki/coremaster+2 -59
Customize query in gerrit

Related Objects

Event Timeline

Dreamy_Jazz created this task.Jan 19 2024, 2:57 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 19 2024, 2:57 PM
Dreamy_Jazz mentioned this in T343705: Ensure temporary accounts cannot be suppressed via "hideuser".Jan 19 2024, 2:57 PM
Dreamy_Jazz set Security to Software security bug.EditedJan 19 2024, 3:16 PM
Dreamy_Jazz added projects: Security, Security-Team.
Dreamy_Jazz changed the visibility from "Public (No Login Required)" to "Custom Policy".
Dreamy_Jazz changed the subtype of this task from "Task" to "Security Issue".

Marked as a security issue because it discusses what is filed in T355434. This ticket in itself does not need to have a security fix or have a security fix be backported.

Dreamy_Jazz added subscribers: Tchanders, STran, kostajh, Urbanecm_WMF.Jan 19 2024, 3:18 PM
Tchanders added a subscriber: Madalina.Jan 19 2024, 6:40 PM
Tchanders added a project: Trust and Safety Product Sprint (Sprint Northumbrian smallpipes (8th Jan.‘24 - 19th Jan.'24)).Jan 19 2024, 7:03 PM
sbassett edited projects, added SecTeam-Processed; removed Security-Team.Jan 22 2024, 5:13 PM
Dreamy_Jazz added a comment.EditedJan 22 2024, 6:05 PM

I've uploaded a public patch for this as the task of this ticket isn't security protectable, but some of the description here is.

I went with allowing suppression in all cases because the extra complication added by configuration seemed to be unnecessary.

Dreamy_Jazz set the point value for this task to 1.Jan 22 2024, 6:18 PM
Dreamy_Jazz moved this task from Priority Backlog to Needs review on the Trust and Safety Product Sprint (Sprint Northumbrian smallpipes (8th Jan.‘24 - 19th Jan.'24)) board.
Dreamy_Jazz claimed this task.Jan 23 2024, 12:42 AM
Dreamy_Jazz moved this task from Needs review to Needs QA on the Trust and Safety Product Sprint (Sprint Northumbrian smallpipes (8th Jan.‘24 - 19th Jan.'24)) board.Jan 23 2024, 12:53 PM
Dreamy_Jazz added subscribers: GMikesell-WMF, dom_walden, Djackson-ctr.
Dreamy_Jazz added a comment.Jan 23 2024, 1:09 PM

Suggested QA steps (can be performed on patchdemo or a local wiki):

  1. Enable temporary account creation
    1. On Patch Demo this is done by checking the IP Masking checkbox when creating the wiki for the test
    2. On a local wiki add $wgAutoCreateTempUser['enabled'] = true; to your LocalSettings.php (if this is not already enabled).
  2. Make a few testing edits using a temporary account, and note down the username for later use
  3. Log into an account with suppressor group
    1. If you do not have these rights, then log into an account with the bureaucrat group (patch demo user Patch Demo has this right)
      1. If you do not have the bureaucrat group on an account, then use run the following maintenance script: createAndPromote.php <username> --force --bureaucrat where <username> is replaced with the username of an existing account that you want to give this group to
    2. After granting logging into an account with the bureaucrat group, then go to Special:UserRights and use the form to add the suppressor group to the account to be used for the test
  4. Go to Special:Block and enter the username for the temporary account used in step 2
  5. Set the block duration to infinite.
  6. Verify that you can see a checkbox with the label Hide username from edits and lists and that it is not disabled.
  7. Check the Hide username from edits and lists checkbox.
  8. Click Block this user
  9. If asked to confirm, check the Confirm block checkbox and click Block this user again
  10. Go to Special:BlockList and verify that the temporary account username from step 2 is listed there with the block parameters including username hidden
Jdforrester-WMF added a project: MW-1.42-notes (1.42.0-wmf.16; 2024-01-30).Jan 23 2024, 2:09 PM
Dreamy_Jazz moved this task from Inbox to Ready on the Temporary accounts board.Jan 24 2024, 4:19 PM
GMikesell-WMF added a comment.Jan 24 2024, 10:39 PM

@Dreamy_Jazz I was able to block temporary users with the hideuser option enabled as seen below and works as designed. I will move this to Done. Thanks for all your work and QA steps!

Status: ✅PASS
Environment: Local: 1.42.0-alpha (148bfa0) 17:17, 24 January 2024
OS: macOS Sonoma 14.2.1
Browser: Chrome 120, Firefox 121, Safari 17.2, Edge 120
Skins. Vector 2022, 2010, Minerva, Monobook, Timeless
Device: MBA M2
Emulated Device:: n/a
Test Links:
http://localhost:8080/w/index.php?title=Special:Block

✅AC1: https://phabricator.wikimedia.org/T355430

Special:BlockConfirm BlockSpecial:BlocklistRevison historyPartial Block Warning
2024-01-24_12-10-37.png (1×1 px, 228 KB)
2024-01-24_12-13-26.png (1×2 px, 267 KB)
2024-01-24_12-14-36.png (748×3 px, 187 KB)
2024-01-24_12-15-17.png (552×3 px, 212 KB)
2024-01-24_12-31-47.png (583×984 px, 111 KB)
GMikesell-WMF updated the task description. (Show Details)Jan 24 2024, 10:40 PM
GMikesell-WMF moved this task from Needs QA to Done on the Trust and Safety Product Sprint (Sprint Northumbrian smallpipes (8th Jan.‘24 - 19th Jan.'24)) board.
Dreamy_Jazz closed this task as Resolved.Jan 29 2024, 1:09 PM
Johannnes89 subscribed.Apr 26 2024, 3:09 PM
Dreamy_Jazz added a comment.Sep 2 2024, 8:05 PM
This comment was removed by Dreamy_Jazz.
Dreamy_Jazz added a comment.Sep 18 2024, 5:27 PM

Can this be be made public now that T355434 is resolved?

Urbanecm changed the visibility from "Custom Policy" to "Public (No Login Required)".Nov 24 2024, 12:23 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits