Page MenuHomePhabricator

Investigate: Where does MW core save IP addresses
Closed, ResolvedPublic

Description

See also T352914: Investigate: Which extensions save IP addresses.

As part of the efforts to replace IP actors with temporary users, we should only store IP addresses in the CheckUser tables.

This is to investigate:

  • where MediaWiki core saves IP addresses
  • what they are used for
  • what we should do about it

Event Timeline

Where IP addresses are savedWhat they're used forWhat we should do
recentchanges.rc_ip, if $wgPutIPInRC is true. This is the case in WMF production, including for registered users. (Verified by querying the DB.)Was originally used instead of CheckUser but not any more. Rows are purged after $wgRCMaxAge, which is 30 days in WMF production.Check with Legal whether this is OK. Check if we technically need this still.
ip_changes tableOnly for IP actors. Used to make querying IP ranges more efficient. Won't be written to for temp account actors.No action needed.
user_newtalk.user_ipOnly for IP actors. Won't be written to for temp accounts.No action needed.
actor.actor_nameOnly for IP actors. IP won't be recorded for temp accounts.No action needed.
ipblocks tableWhich IP addresses are blocked. This is expected to stay the same: IP addresses are blocked; blocked IP addresses are visible to everyone; IP blocks linked to user account blocks are autoblocks; autoblock IP targets are hidden from everyone in the UI; autoblock IP targets are stored in the ipblocks table, and a reference to the user block they originate from is stored, so the IP can be linked to the user via the ipblocks table; autoblocks only last for as long as $wgAutoblockExpiry, which is 1 day in WMF production.Check with Legal whether this is OK.

Next steps

  • Do the follow-up work from the table above
  • We may need to make sure $wgRCMaxAge and $wgAutoblockExpiry are set explicitly in our config repo, and add comments that they should not be set to longer than $wgCUDMaxAge. (Just in case - it's unlikely they'd be set to anything longer.)
Where IP addresses are savedWhat they're used forWhat we should do
recentchanges.rc_ip, if $wgPutIPInRC is true. This is the case in WMF production, including for registered users. (Verified by querying the DB.)Was originally used instead of CheckUser but not any more. Rows are purged after $wgRCMaxAge, which is 30 days in WMF production.Check with Legal whether this is OK. Check if we technically need this still.

WMF production uses of recentchanges.rc_ip can be seen here: https://codesearch.wmcloud.org/deployed/?q=rc_ip

Autoblocks

recentchanges.rc_ip is checked when making an autoblock (checked here), if an autoblock was not already made by CheckUser (determined here).

Presumably that fallback is never needed in WMF production, where CheckUser is available.

Other

Other uses seem to be tests, maintenance scripts, and saving a recent change row.

Where IP addresses are savedWhat they're used forWhat we should do
recentchanges.rc_ip, if $wgPutIPInRC is true. This is the case in WMF production, including for registered users. (Verified by querying the DB.)Was originally used instead of CheckUser but not any more. Rows are purged after $wgRCMaxAge, which is 30 days in WMF production.Check with Legal whether this is OK. Check if we technically need this still.

This seems OK to leave is, without making any further changes. I'm saying that based on understanding the main goal of Temporary accounts to be to not publicly display IP addresses of anonymous contributors. As recentchanges.rc_ip is not publicly available, it seems OK to not make any changes related to it.

Tchanders claimed this task.

I'm saying that based on understanding the main goal of Temporary accounts to be to not publicly display IP addresses of anonymous contributors.

Based on that same understanding, I think we can close this task.