Page MenuHomePhabricator
Create Task
Maniphest T361291

If the reason provided for a log entry is hidden, it is not hidden in the checkuser API response for an actions request
Closed, ResolvedPublic2 Estimated Story PointsBUG REPORT
Actions

Description

If a user does not have the rights to see the reason provided for a log entry, then it is not hidden in the response from the API.

Note: The reason associated with a log action was already not properly hidden before T341827 (so that refactor is not to blame), but this issue has been made more frequent by T361263.

For example:

The hidden state of the log entryThe log comment shown in the results
image.png (1×1 px, 184 KB)
image.png (266×803 px, 62 KB)
Steps to reproduce
  1. Perform a log action
  2. Load Special:RevisionDelete for the log
  3. Hide the Edit summary for that log action with the suppression option also checked
  4. Log into an account with the checkuser group but not suppressor
  5. Open Special:ApiSandbox and select action as query, list as checkuser, and then curequest as actions
  6. Enter the username that performed the log action in step 2 as the target and run the check
  7. Search for the log action in the results list

Details

SubjectRepoBranchLines +/-
Apply log_deleted to entries in CheckUser API 'actions' typemediawiki/extensions/CheckUsermaster+104 -49
Add CheckUserLookupUtils::getRevisionRecordFromRowmediawiki/extensions/CheckUsermaster+131 -96
Add CheckUserLookupUtils::getManualLogEntryFromRowmediawiki/extensions/CheckUsermaster+177 -51
Customize query in gerrit

Related Objects

Event Timeline

Dreamy_Jazz created this task.Mar 28 2024, 7:38 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 28 2024, 7:38 PM
Dreamy_Jazz changed the subtype of this task from "Task" to "Bug Report".Mar 28 2024, 7:39 PM

This does not need to be a security bug, as this is already a known public issue (as it was not possible to find the deleted status of the log comment before T324907).

Dreamy_Jazz mentioned this in T341827: Add read new support to the CheckUser API.Mar 28 2024, 7:46 PM
Dreamy_Jazz edited projects, added Trust and Safety Product Sprint (Sprint Tabla (1st - 14th April)); removed Trust and Safety Product Sprint (Sprint Gangan (11th - 22nd March)).Mar 28 2024, 8:16 PM
Dreamy_Jazz updated the task description. (Show Details)Mar 28 2024, 8:33 PM
Dreamy_Jazz updated the task description. (Show Details)
Dreamy_Jazz updated the task description. (Show Details)Mar 28 2024, 8:40 PM
Dreamy_Jazz mentioned this in T361263: Combine the action text and comment if both are defined in the results of the 'actions' request to the CheckUser API.Mon, Apr 1, 1:53 PM
Dreamy_Jazz moved this task from Priority Backlog to In Progress on the Trust and Safety Product Sprint (Sprint Tabla (1st - 14th April)) board.Fri, Apr 5, 10:38 AM
Dreamy_Jazz set the point value for this task to 2.
gerritbot added a comment.Fri, Apr 5, 1:19 PM

Change #1017286 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/CheckUser@master] Add CheckUserLookupUtils::getManualLogEntryFromRow

https://gerrit.wikimedia.org/r/1017286

gerritbot added a project: Patch-For-Review.Fri, Apr 5, 1:19 PM
gerritbot added a comment.Fri, Apr 5, 2:19 PM

Change #1017294 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/CheckUser@master] Apply log_deleted to entries in CheckUser API 'actions' type

https://gerrit.wikimedia.org/r/1017294

gerritbot added a comment.Fri, Apr 5, 2:24 PM

Change #1017290 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/CheckUser@master] Add CheckUserLookupUtils::getRevisionRecordFromRow

https://gerrit.wikimedia.org/r/1017290

Dreamy_Jazz moved this task from In Progress to Needs Review on the Trust and Safety Product Sprint (Sprint Tabla (1st - 14th April)) board.Fri, Apr 5, 3:32 PM
gerritbot added a comment.Mon, Apr 8, 5:48 PM

Change #1017286 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@master] Add CheckUserLookupUtils::getManualLogEntryFromRow

https://gerrit.wikimedia.org/r/1017286

ReleaseTaggerBot added a project: MW-1.42-notes (1.42.0-wmf.26; 2024-04-09).Mon, Apr 8, 6:00 PM
gerritbot added a comment.Tue, Apr 9, 5:27 PM

Change #1017290 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@master] Add CheckUserLookupUtils::getRevisionRecordFromRow

https://gerrit.wikimedia.org/r/1017290

ReleaseTaggerBot added a project: MW-1.43-notes (1.43.0-wmf.1; 2024-04-16).Tue, Apr 9, 6:00 PM
gerritbot added a comment.Tue, Apr 9, 7:43 PM

Change #1017294 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@master] Apply log_deleted to entries in CheckUser API 'actions' type

https://gerrit.wikimedia.org/r/1017294

Dreamy_Jazz moved this task from Needs Review to Needs QA on the Trust and Safety Product Sprint (Sprint Tabla (1st - 14th April)) board.Tue, Apr 9, 9:16 PM
dom_walden moved this task from Needs QA to Done on the Trust and Safety Product Sprint (Sprint Tabla (1st - 14th April)) board.Wed, Apr 10, 8:29 AM
dom_walden subscribed.

I set all the log events to have the same edit summary (which is easily searchable), hid all the log event edit summaries and did an ApiQueryCheckUser query for all the users and IPs in the cu_changes table. I then did a search for the edit summary. I could not find any references to it in any of the API responses.

I did this for hidden but not suppressed log entries for a checkuser without sysop rights and for hidden and suppressed entries for a checkuser with sysop but not suppressor rights.

Test environment: Local docker CheckUser 2.5 (eda557a) 19:43, 9 April 2024.

Dreamy_Jazz closed this task as Resolved.Wed, Apr 10, 8:31 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL