Page MenuHomePhabricator
Create Task
Maniphest T356148

Adjust EntitySchema Special Pages to not leak IPs when editing and IP masking is enabled
Closed, ResolvedPublic
Actions

Description

Problem:
We are currently leaking the IPs of users who are not logged in when making edits on EntitySchema Special Pages.

With temporary accounts are enabled on the repo, we must not leak the IPs of users who are not logged in and add entry with their temporary account name instead to the edit histories etc.

Affected EntitySchema SpecialPages

BDD
GIVEN a user who isn't logged in
AND Temporary Accounts are enabled
WHEN an edit is made on an EntitySchema Special Page
THEN an entry with their temporary account name is added to the edit history of the Item

Acceptance criteria:

  • IP is not leaked for users editing on the Create EntitySchema SpecialPage and IP masking is enabled on the repo
  • IP is not leaked for users editing on the Set label, description and aliases for EntitySchema SpecialPage and IP masking is enabled on the repo
  • IP is not leaked for users editing on the Edit EntitySchema text SpecialPage and IP masking is enabled on the repo

Details

SubjectRepoBranchLines +/-
Clean up MediaWikiRevisionEntitySchemaUpdaterTestmediawiki/extensions/EntitySchemamaster+100 -78
Revert "Temporarily disable IP Masking (temporary accounts) in CI"mediawiki/extensions/EntitySchemamaster+0 -23
Support temporary accountsmediawiki/extensions/EntitySchemamaster+722 -169
Make MediaWikiPageUpdaterFactory a servicemediawiki/extensions/EntitySchemamaster+156 -56
Use TempUserTestTrait instead of mocking TempUserConfigmediawiki/extensions/EntitySchemamaster+30 -46
Use EntitySchemaStatus in EntitySchemaUpdatermediawiki/extensions/EntitySchemamaster+180 -218
Make WatchlistUpdater a servicemediawiki/extensions/EntitySchemamaster+58 -38
Introduce EntitySchemaStatus, use in EntitySchemaInsertermediawiki/extensions/EntitySchemamaster+100 -92
Temporarily disable IP Masking (temporary accounts) in CImediawiki/extensions/EntitySchemamaster+23 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

Arian_Bozorg created this task.Jan 30 2024, 5:49 AM
Arian_Bozorg mentioned this in T355076: Adjust Wikibase repo to not leak IPs when editing and IP masking is enabled.Jan 30 2024, 6:03 AM
Arian_Bozorg moved this task from Incoming to Product Backlog on the Wikidata Dev Team board.Jan 31 2024, 10:21 AM
Arian_Bozorg moved this task from Product Backlog to Incoming on the Wikidata Dev Team board.
Arian_Bozorg closed this task as Resolved.Jan 31 2024, 10:24 AM
Arian_Bozorg claimed this task.
Lucas_Werkmeister_WMDE reopened this task as Open.Jul 22 2024, 9:33 AM
Lucas_Werkmeister_WMDE mentioned this in T370577: EntitySchema CI broken: Cannot create an actor for an IP user when temporary accounts are enabled.
Lucas_Werkmeister_WMDE subscribed.

This isn’t done; all three special pages currently crash when you try to use them anonymously while IP Masking is enabled.

karapayneWMDE moved this task from Incoming to Unified DOT Backlog on the Wikidata Dev Team board.Jul 22 2024, 9:41 AM
karapayneWMDE added a subtask: T370577: EntitySchema CI broken: Cannot create an actor for an IP user when temporary accounts are enabled.
Lucas_Werkmeister_WMDE removed Arian_Bozorg as the assignee of this task.Jul 23 2024, 3:03 PM
Lucas_Werkmeister_WMDE claimed this task.
Lucas_Werkmeister_WMDE edited projects, added Wikidata Dev Team (Wikidata.org Slice); removed Wikidata Dev Team.
Lucas_Werkmeister_WMDE moved this task from In Task Breakdown to In Development on the Wikidata Dev Team (Wikidata.org Slice) board.
Lucas_Werkmeister_WMDE added a comment.Jul 23 2024, 3:11 PM

I think at this point it’s worth pursuing the Status approach after all, which was briefly discussed in this change for T365452 – and we can probably even just reuse Wikibase’s TempUserStatus, IMHO. (And make more custom subclasses of it to type-safely carry the EntitySchemaId or other relevant information.)

gerritbot added a comment.Jul 23 2024, 4:07 PM

Change #1056197 had a related patch set uploaded (by Lucas Werkmeister (WMDE); author: Lucas Werkmeister (WMDE)):

[mediawiki/extensions/EntitySchema@master] Introduce EntitySchemaStatus, use in EntitySchemaInserter

https://gerrit.wikimedia.org/r/1056197

gerritbot added a project: Patch-For-Review.Jul 23 2024, 4:07 PM
Lucas_Werkmeister_WMDE added a comment.Jul 23 2024, 4:22 PM

Bleh, I wanted to do this in multiple commits that are nice and separate, but of course that means that CI will still be broken on the earlier commits…

How painful would it be to disable temp accounts in EntitySchema CI again?

Lucas_Werkmeister_WMDE added a comment.Jul 23 2024, 5:01 PM
In T356148#10007596, @Lucas_Werkmeister_WMDE wrote:

How painful would it be to disable temp accounts in EntitySchema CI again?

Well, it’s doable, but there are already other tests in the suite that start to fail if temp accounts are disabled 😩

1) MediaWiki\CheckUser\Tests\Integration\HookHandler\ToolLinksHandlerTest::testOnSpecialContributionsBeforeMainOutputArchive with data set "Can see archived contributions" (true, true)
Expectation failed for method name is "addSubtitle" when invoked 1 time(s).
Method was expected to be called 1 times, actually called 0 times.

2) MediaWiki\CheckUser\Tests\Integration\HookHandler\ToolLinksHandlerTest::testOnSpecialContributionsBeforeMainOutputForMobileView
Expectation failed for method name is "addSubtitle" when invoked 1 time(s).
Method was expected to be called 1 times, actually called 0 times.

They’ve only been enabled in CI for a week 😭

gerritbot added a comment.Jul 24 2024, 9:52 AM

Change #1056200 had a related patch set uploaded (by Lucas Werkmeister (WMDE); author: Lucas Werkmeister (WMDE)):

[mediawiki/extensions/EntitySchema@master] Temporarily disable IP Masking (temporary accounts) in CI

https://gerrit.wikimedia.org/r/1056200

gerritbot added a comment.Jul 24 2024, 11:50 AM

Change #1056479 had a related patch set uploaded (by Lucas Werkmeister (WMDE); author: Lucas Werkmeister (WMDE)):

[mediawiki/extensions/EntitySchema@master] Use EntitySchemaStatus in EntitySchemaUpdater

https://gerrit.wikimedia.org/r/1056479

Lucas_Werkmeister_WMDE added a comment.Jul 24 2024, 4:15 PM

End-of-day update: CI is green, and the status refactoring in EntitySchemaUpdater is also done. Now we need to actually make it create temp users… which I think will require a bit more refactoring, because we’re currently creating the PageUpdater relatively early, but the User is part of that – so we need to create the temp user before that point. (Or create the PageUpdater later? I’m not sure. We also use that for conflict resolution.)

kostajh subscribed.Jul 25 2024, 10:06 AM
In T356148#10011355, @Lucas_Werkmeister_WMDE wrote:

End-of-day update: CI is green, and the status refactoring in EntitySchemaUpdater is also done.

nice :)

Now we need to actually make it create temp users… which I think will require a bit more refactoring, because we’re currently creating the PageUpdater relatively early, but the User is part of that – so we need to create the temp user before that point. (Or create the PageUpdater later? I’m not sure. We also use that for conflict resolution.)

In case it helps, in T359405: Create temporary account early in edit cycle for all edit attempts we changed the creation of the temp account to happen early in the edit cycle (after some basic permission checks in core but before any hooks are invoked). Not sure about your code in particular but if there's a potential for any logs to be generated as part of the edit attempt (e.g. an AbuseFilter trip), the temporary account should be created before that happens, so it can be referenced in the logs.

Lucas_Werkmeister_WMDE added a comment.Jul 25 2024, 1:47 PM
In T356148#10014039, @kostajh wrote:

Now we need to actually make it create temp users… which I think will require a bit more refactoring, because we’re currently creating the PageUpdater relatively early, but the User is part of that – so we need to create the temp user before that point. (Or create the PageUpdater later? I’m not sure. We also use that for conflict resolution.)

In case it helps, in T359405: Create temporary account early in edit cycle for all edit attempts we changed the creation of the temp account to happen early in the edit cycle (after some basic permission checks in core but before any hooks are invoked). Not sure about your code in particular but if there's a potential for any logs to be generated as part of the edit attempt (e.g. an AbuseFilter trip), the temporary account should be created before that happens, so it can be referenced in the logs.

That’s actually good to know, thanks! I had been wondering yesterday why Wikibase’s MediaWikiEditEntity creates the temp account after checking edit filters while EditPage seemed to do it the other way around; I guess it was just written that way before T359405 changed it in core. (Or perhaps we were following Trust and Safety Product/Temporary Accounts/For developers § Creating a new temporary user, which currently still says to “create a temporary user […] as late as possible” – is that outdated now?) Let’s create the temp account earlier then, before checking EditFilterMergedContent.

Lucas_Werkmeister_WMDE added a comment.Jul 25 2024, 1:49 PM

(Also, does that mean we should change the order in Wikibase?)

kostajh added a comment.Jul 25 2024, 1:51 PM
In T356148#10014795, @Lucas_Werkmeister_WMDE wrote:
In T356148#10014039, @kostajh wrote:

Now we need to actually make it create temp users… which I think will require a bit more refactoring, because we’re currently creating the PageUpdater relatively early, but the User is part of that – so we need to create the temp user before that point. (Or create the PageUpdater later? I’m not sure. We also use that for conflict resolution.)

In case it helps, in T359405: Create temporary account early in edit cycle for all edit attempts we changed the creation of the temp account to happen early in the edit cycle (after some basic permission checks in core but before any hooks are invoked). Not sure about your code in particular but if there's a potential for any logs to be generated as part of the edit attempt (e.g. an AbuseFilter trip), the temporary account should be created before that happens, so it can be referenced in the logs.

That’s actually good to know, thanks! I had been wondering yesterday why Wikibase’s MediaWikiEditEntity creates the temp account after checking edit filters while EditPage seemed to do it the other way around; I guess it was just written that way before T359405 changed it in core. (Or perhaps we were following Trust and Safety Product/Temporary Accounts/For developers § Creating a new temporary user, which currently still says to “create a temporary user […] as late as possible” – is that outdated now?) Let’s create the temp account earlier then, before checking EditFilterMergedContent.

It is outdated, sorry about that. I've just updated the docs there https://www.mediawiki.org/w/index.php?title=Trust_and_Safety_Product%2FTemporary_Accounts%2FFor_developers&diff=6666952&oldid=6636682.

In T356148#10014800, @Lucas_Werkmeister_WMDE wrote:

(Also, does that mean we should change the order in Wikibase?)

I think so, yes. If there's a possibility that a log message would be generated, that log message will need to reference a temp account and not an IP actor, so you should create the temp user acocunt before that log message could be generated.

Lucas_Werkmeister_WMDE added a comment.Jul 25 2024, 2:43 PM

Alright, done in https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Wikibase/+/1056949.

Lucas_Werkmeister_WMDE mentioned this in T371085: AbuseFilter for Wikidata actions leaks IP address.Jul 26 2024, 9:48 AM
gerritbot added a comment.Jul 26 2024, 4:45 PM

Change #1057243 had a related patch set uploaded (by Lucas Werkmeister (WMDE); author: Lucas Werkmeister (WMDE)):

[mediawiki/extensions/EntitySchema@master] Make WatchlistUpdater a service

https://gerrit.wikimedia.org/r/1057243

gerritbot added a comment.Jul 26 2024, 4:45 PM

Change #1057244 had a related patch set uploaded (by Lucas Werkmeister (WMDE); author: Lucas Werkmeister (WMDE)):

[mediawiki/extensions/EntitySchema@master] Support temporary accounts

https://gerrit.wikimedia.org/r/1057244

gerritbot added a comment.Jul 29 2024, 10:51 AM

Change #1057836 had a related patch set uploaded (by Lucas Werkmeister (WMDE); author: Lucas Werkmeister (WMDE)):

[mediawiki/extensions/EntitySchema@master] Clean up MediaWikiRevisionEntitySchemaUpdaterTest

https://gerrit.wikimedia.org/r/1057836

gerritbot added a comment.Jul 29 2024, 11:30 AM

Change #1057850 had a related patch set uploaded (by Lucas Werkmeister (WMDE); author: Lucas Werkmeister (WMDE)):

[mediawiki/extensions/EntitySchema@master] Make MediaWikiPageUpdaterFactory a service

https://gerrit.wikimedia.org/r/1057850

Lucas_Werkmeister_WMDE moved this task from In Development to Ready for Peer Review on the Wikidata Dev Team (Wikidata.org Slice) board.Jul 30 2024, 2:55 PM
Lucas_Werkmeister_WMDE removed Lucas_Werkmeister_WMDE as the assignee of this task.Jul 30 2024, 3:06 PM
gerritbot added a comment.Jul 30 2024, 3:19 PM

Change #1058195 had a related patch set uploaded (by Lucas Werkmeister (WMDE); author: Lucas Werkmeister (WMDE)):

[mediawiki/extensions/EntitySchema@master] Use TempUserTestTrait instead of mocking TempUserConfig

https://gerrit.wikimedia.org/r/1058195

gerritbot added a comment.Jul 31 2024, 3:32 PM

Change #1058628 had a related patch set uploaded (by Lucas Werkmeister (WMDE); author: Lucas Werkmeister (WMDE)):

[mediawiki/extensions/EntitySchema@master] Revert "Temporarily disable IP Masking (temporary accounts) in CI"

https://gerrit.wikimedia.org/r/1058628

ArthurTaylor moved this task from Ready for Peer Review to In Peer Review on the Wikidata Dev Team (Wikidata.org Slice) board.Aug 5 2024, 9:53 AM
ArthurTaylor subscribed.Aug 5 2024, 9:59 AM

There's some feedback on Icfab8e5e5aeb1b057cf874f078d2f1b9febc59b2 and Id29f4fe01c92aaa187620264f279624bf706fc7f that should be addressed before this is merged. Besides those minor changes, the patches seem to work well in my local testing.

I don't want to +2 the earlier patches in the chain yet, because the first patch disables the tests in CI. I'll wait until @Lucas_Werkmeister_WMDE is back next week and available to address the feedback.

ArthurTaylor assigned this task to Lucas_Werkmeister_WMDE.Aug 5 2024, 10:00 AM
ArthurTaylor moved this task from In Peer Review to In Development on the Wikidata Dev Team (Wikidata.org Slice) board.
gerritbot added a comment.Aug 6 2024, 7:41 AM

Change #1056200 merged by jenkins-bot:

[mediawiki/extensions/EntitySchema@master] Temporarily disable IP Masking (temporary accounts) in CI

https://gerrit.wikimedia.org/r/1056200

ArthurTaylor mentioned this in T371030: Create temporary user on undo/restore in Wikibase.Aug 8 2024, 10:52 AM
Lucas_Werkmeister_WMDE added a comment.Aug 12 2024, 2:14 PM
In T356148#10041561, @ArthurTaylor wrote:

I don't want to +2 the earlier patches in the chain yet, because the first patch disables the tests in CI. I'll wait until @Lucas_Werkmeister_WMDE is back next week and available to address the feedback.

But you still +2ed that first patch itself? So now the tests have been disabled for almost a week…

Lucas_Werkmeister_WMDE added a comment.Aug 12 2024, 2:18 PM
In T356148#10041561, @ArthurTaylor wrote:

There's some feedback on Icfab8e5e5aeb1b057cf874f078d2f1b9febc59b2 and Id29f4fe01c92aaa187620264f279624bf706fc7f that should be addressed before this is merged.

I have seen the feedback and I don’t agree that it should block those changes. (I’ve marked both comments as resolved now.)

ArthurTaylor added a comment.Aug 13 2024, 7:16 AM

Yeah - I changed my mind and +2'd it in the end because there were other changes that needed to go into EntitySchema and I didn't want to have the component blocked for a week.

Thanks for resolving the comments on the patches. From my side it's good to go now.

gerritbot added a comment.Aug 13 2024, 7:39 AM

Change #1056197 merged by jenkins-bot:

[mediawiki/extensions/EntitySchema@master] Introduce EntitySchemaStatus, use in EntitySchemaInserter

https://gerrit.wikimedia.org/r/1056197

gerritbot added a comment.Aug 13 2024, 7:41 AM

Change #1056479 merged by jenkins-bot:

[mediawiki/extensions/EntitySchema@master] Use EntitySchemaStatus in EntitySchemaUpdater

https://gerrit.wikimedia.org/r/1056479

gerritbot added a comment.Aug 13 2024, 7:41 AM

Change #1057243 merged by jenkins-bot:

[mediawiki/extensions/EntitySchema@master] Make WatchlistUpdater a service

https://gerrit.wikimedia.org/r/1057243

gerritbot added a comment.Aug 13 2024, 7:42 AM

Change #1057850 merged by jenkins-bot:

[mediawiki/extensions/EntitySchema@master] Make MediaWikiPageUpdaterFactory a service

https://gerrit.wikimedia.org/r/1057850

gerritbot added a comment.Aug 13 2024, 7:42 AM

Change #1058195 merged by jenkins-bot:

[mediawiki/extensions/EntitySchema@master] Use TempUserTestTrait instead of mocking TempUserConfig

https://gerrit.wikimedia.org/r/1058195

ReleaseTaggerBot added a project: MW-1.43-notes (1.43.0-wmf.19; 2024-08-20).Aug 13 2024, 8:00 AM
ArthurTaylor removed Lucas_Werkmeister_WMDE as the assignee of this task.Aug 13 2024, 9:24 AM
ArthurTaylor moved this task from In Development to In Peer Review on the Wikidata Dev Team (Wikidata.org Slice) board.
ArthurTaylor moved this task from In Peer Review to Waiting for Deployment Window on the Wikidata Dev Team (Wikidata.org Slice) board.
gerritbot added a comment.Aug 13 2024, 9:40 AM

Change #1057244 merged by jenkins-bot:

[mediawiki/extensions/EntitySchema@master] Support temporary accounts

https://gerrit.wikimedia.org/r/1057244

gerritbot added a comment.Aug 13 2024, 9:40 AM

Change #1057836 merged by jenkins-bot:

[mediawiki/extensions/EntitySchema@master] Clean up MediaWikiRevisionEntitySchemaUpdaterTest

https://gerrit.wikimedia.org/r/1057836

gerritbot added a comment.Aug 13 2024, 9:40 AM

Change #1058628 merged by jenkins-bot:

[mediawiki/extensions/EntitySchema@master] Revert "Temporarily disable IP Masking (temporary accounts) in CI"

https://gerrit.wikimedia.org/r/1058628

Lucas_Werkmeister_WMDE closed subtask T370577: EntitySchema CI broken: Cannot create an actor for an IP user when temporary accounts are enabled as Resolved.Aug 13 2024, 9:45 AM
Lucas_Werkmeister_WMDE moved this task from Waiting for Deployment Window to Product Verification on the Wikidata Dev Team (Wikidata.org Slice) board.
Maintenance_bot removed a project: Patch-For-Review.Aug 13 2024, 10:31 AM
Lucas_Werkmeister_WMDE mentioned this in T372626: Browser tests failing in EntitySchema secondary CI: “Schema Viewing Page accepts statements of entity schema data value type”.Aug 16 2024, 9:40 AM
Arian_Bozorg closed this task as Resolved.Aug 27 2024, 11:23 AM
Arian_Bozorg claimed this task.
Arian_Bozorg moved this task from Product Verification to Done on the Wikidata Dev Team (Wikidata.org Slice) board.

Looks good! Thank you

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits