Ensure that checkusers and stewards do not have to check a preference for IP reveal right
Closed, ResolvedPublic2 Estimated Story Points
Actions

Assigned To

Authored By

	Tchanders
	Jan 31 2024, 5:43 PM

Description

Background

According to the IP reveal access policy, stewards and checkusers can automatically access IP reveal:

Steward and CheckUser
Access is automatically granted to users who are members of the steward and checkuser user groups. These users are expected to treat the IP addresses consistent with the Access to nonpublic data policy.

...as opposed to other groups, who need to check a preference:

Admin
Opt-in through Special:Preferences. [...]

However, the current implementation required everyone to check a preference, e.g. from AbstractTemporaryAccountHandler:

if (
	!$this->permissionManager->userHasRight(
		$this->getAuthority()->getUser(),
		'checkuser-temporary-account'
	) ||
	!$this->userOptionsLookup->getOption(
		$this->getAuthority()->getUser(),
		'checkuser-temporary-account-enable'
	)
) {
	throw new LocalizedHttpException(
		new MessageValue( 'checkuser-rest-access-denied' ),
		403
	);
}

What needs doing

Ideally, we shouldn't check the preference for users in groups who don't need it.

Rather than checking the group, which can get complicated as some a WMF-specific (see also T356294), perhaps we could define a new right that is given to groups who do not need to check the preference.

QA Results - Local

AC	Status	Details
1	✅	https://phabricator.wikimedia.org/T356304 here

Details

Related Changes in Gerrit:

	Subject	Repo	Branch	Lines +/-
	Allow checkusers to view temp account IPs without the preference	mediawiki/extensions/CheckUser	master	+57 -16

Customize query in gerrit

Related Objects
Search...

Status	Assigned	Task
		Restricted Task
Resolved	kostajh	T294511 2021 Security Team wikireplicas audit
Declined	None	T284948 Raw IPs of logged-out users disclosed in wiki-replicas
Resolved	Niharika	T324492 Temporary accounts - MVP
In Progress	Niharika	T325451 [Epic] Users with right privileges are able to view IP addresses
Resolved	• Dreamy_Jazz	T356304 Ensure that checkusers and stewards do not have to check a preference for IP reveal right

Event Timeline

Tchanders created this task.Jan 31 2024, 5:43 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 31 2024, 5:43 PM

Tchanders added a parent task: T325451: [Epic] Users with right privileges are able to view IP addresses.Jan 31 2024, 5:45 PM

• Dreamy_Jazz claimed this task.Feb 3 2024, 1:03 AM

• Dreamy_Jazz added a project: Trust and Safety Product Sprint (Sprint Kazoo (Jan 29 - Feb 9 2024)).

Rather than checking the group, which can get complicated as some a WMF-specific (see also T356294) ...

I would agree with this, especially as this config would need to follow any changes made to the groups that have checkuser-temporary-account.

For example, if a new user group is created that shouldn't have the preference then the developer needs to also remember to update it.

... perhaps we could define a new right that is given to groups who do not need to check the preference.

Would this right be given instead of checkuser-temporary-account or both rights be required? My thoughts:

If we require the user have both rights, it would make this new right do nothing unless it was granted with checkuser-temporary-account which could be confusing if someone was changing who has access to view temporary account IPs.
If they were configured such that you only have one of checkuser-temporary-account or this new right, then the rate limiting could get confusing (as there would be two rights to do the same action).
A separate right makes it easier to understand which groups have the ability to skip the preference checking on-wiki by looking at Special:ListGroupRights but the extra bullet point that is added may not be desired by the community if both rights would be required (as it makes that page more complicated).

I've claimed this and moved this into the current sprint as I will write a patch that uses the approach of two separate user rights.

I went with this initially because the description for the right in Special:ListGroupRights looks odd when a group has both the checkuser-temporary-account-no-preference (name WIP and can be changed) and checkuser-temporary-account rights.

Change 995378 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/CheckUser@master] [WIP] Allow checkusers to view temp account IPs without preference

https://gerrit.wikimedia.org/r/995378

gerritbot added a project: Patch-For-Review.Feb 3 2024, 1:48 AM

• Dreamy_Jazz moved this task from Priority Backlog to In Progress on the Trust and Safety Product Sprint (Sprint Kazoo (Jan 29 - Feb 9 2024)) board.Feb 3 2024, 1:48 AM

The patch is ready for review and feedback. As mentioned above, I chose the name as it was the first reasonable name I thought of. Happy to change it as desired.

• Dreamy_Jazz set the point value for this task to 2.Feb 5 2024, 10:29 AM

Tchanders added a subscriber: Urbanecm.Feb 5 2024, 11:20 AM

Some other groups with checkuser permissions includes ombuds and staffs, which can use checkuser by default (c.f. stewards can only perform checkuser after assigning checkuser flag themselves locally).

In T356304#9513120, @Bugreporter wrote:

Some other groups with checkuser permissions includes ombuds and staffs, which can use checkuser by default (c.f. stewards can only perform checkuser after assigning checkuser flag themselves locally).

Thanks for the comment. Assigning this ability to these groups will be done via WMF specific configuration at a later date (once temporary accounts are being deployed to production).

Change 995378 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@master] Allow checkusers to view temp account IPs without the preference

https://gerrit.wikimedia.org/r/995378

• Dreamy_Jazz moved this task from Needs Review to Needs QA on the Trust and Safety Product Sprint (Sprint Kazoo (Jan 29 - Feb 9 2024)) board.Feb 6 2024, 5:11 PM

Suggested QA steps:

Add the following to your LocalSettings.php:

$wgGroupPermissions['sysop']['checkuser-temporary-account'] = true;

Enable temporary accounts on your wiki if required.
Using a temporary account, make several testing edits to a page and then note down to the name of the page for future steps
Login to an account with the sysop (administrator) group but not the checkuser group
Go to Special:Preferences and make sure the checkbox in the Temporary account IP reveal section is unchecked
Load the history page for the page you edited in step 3 and verify that you see no Show IPs buttons next to the temporary account usernames
Go back to Special:Preferences and check the checkbox in the Temporary account IP reveal section
Load the history page ffor the page you edited in step 3 and verify that you see Show IPs buttons next to the temporary account usernames
Click these buttons and verify that an IP address is displayed for each edit
Login to an account with the checkuser group
Load Special:Preferences and verify that no section with the title Temporary account IP reveal exists
Load the history page for the page you edited in step 3 and verify that you see Show IPs buttons next to the temporary account usernames
Click these buttons and verify that an IP address is displayed for each edit

Maintenance_bot removed a project: Patch-For-Review.Feb 6 2024, 5:30 PM

ReleaseTaggerBot added a project: MW-1.42-notes (1.42.0-wmf.18; 2024-02-13).Feb 6 2024, 10:01 PM

@Dreamy_Jazz Checkusers do not have to check a preference for IP reveal right as seen in the screenshots and .webm below. This will move to Done. Thanks for all your work and the awesome steps!

Status: ✅PASS
Environment: Local: 1.42.0-alpha (0b66d1b)22:23, 6 February 2024
OS: macOS Sonoma 14.2.1
Browser: Chrome 121
Skins. Vector 2022
Device: MBA M2
Emulated Device:: n/a
Test Links:
https://en.m.wikipedia.beta.wmflabs.org/wiki/Cat#