Page MenuHomePhabricator

Log when AbuseFilter user sees IP address associated with temp account via user_unnamed_ip variable trigger
Open, Stalled, Needs TriagePublic

Description

Context

See the parent task for context about the user_unnamed_ip variable and the need to restrict access to it: T363906.

Scope

This does not concern logging access to the IPs visible to users via the abusefilter-privatedetails right (which already exists and is independent to the new work we are doing on temporary accounts).

This concerns access to IP addresses by users with the abusefilter-access-protected-vars. This right will be given to a subset of users who are able to reveal IP addresses, in accordance with the IP address access policy, introduced for temporary accounts.

The log

What do we need to log?

As described in more detail in T364902: How should access to IPs of temporary accounts be logged?, we are supposed to log whenever a user with the right to reveal IP addresses for temporary accounts actually chooses to reveal one.

The ability to reveal an IP is already implemented via the CheckUser extension. Here's a screenshot of what is logged:

image.png (195×924 px, 85 KB)

The log is debounced by 24 hours.

We need something similar in AbuseFilter, whenever a user sees the precise IP address for a temporary user who triggered a filter.

How should we log?

The screenshot above shows an on-wiki log, which is the current implementation in CheckUser (at the time of writing). We hope to log via the event platform instead.

This conversation with Legal is ongoing, and tracked via T364902. That task is a dependency of this one.

When should we log?

We would need to do something like one of the following:

  • Log whenever a user with the right to see an IP address loads a page that contains that IP address
    • Special:AbuseFilter/examine/log/
    • Are there any other pages?
  • Don't show the IP address by default on these pages; instead show a "reveal IP" button, and make the log when the user clicks on it

Event Timeline

kostajh renamed this task from Ensure that access to an IP address via the user_unnamed_ip variable is logged to Log when AbuseFilter user sees IP address associated with temp account via user_unnamed_ip variable trigger.Jun 11 2024, 11:11 AM
kostajh updated the task description. (Show Details)
Tchanders changed the task status from Open to Stalled.Tue, Jul 9, 10:35 AM
Tchanders added a subscriber: Madalina.

Stalled on legal conversations. FAO @Madalina

We need something similar in AbuseFilter, whenever a user sees the precise IP address for a temporary user who triggered a filter.

I think this is the question for legal-- do we actually need something similar to temp account IP reveal logging in AbuseFilter, or is it OK to not log anything in this scenario?