Page MenuHomePhabricator
Create Task
Maniphest T370292

REST API requests for temporary account IPs are made multiple times for the same revision IDs on Special:Contributions
Closed, ResolvedPublicBUG REPORT
Actions

Description

The CheckUser extension allows lookup of temporary account IP addresses using REST APIs. However, when the same temporary account has made more than one edit the REST API allows specifying more than one revision ID for the lookup of IPs.

When these REST API calls are made on Special:Contributions, the code incorrectly makes the request the number of times equal to the number of edits made by the temporary account.

Steps to replicate the issue
  1. Make a number of edits to a page using a temporary account (at least more than one edit)
  2. Log into an account with the checkuser-temporary-account right
  3. Load Special:Contributions for the temporary account used in step 1
  4. Open the developer console (F12)
  5. Reveal the IP addresses for the temporary account you used to make the edits in step 1

What happens?:
Multiple requests for the same revision ID are shown in the console which all have the same response JSON.

What should have happened instead?:
Either a separate request should be made for each revision ID or only one request should have been made.

Example screenshot

image.png (166×1 px, 34 KB)

Details

SubjectRepoBranchLines +/-
Stop performing duplicate IP reveal API requests on Special:Contributionsmediawiki/extensions/CheckUsermaster+54 -31
Customize query in gerrit

Event Timeline

Dreamy_Jazz created this task.Jul 17 2024, 2:00 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 17 2024, 2:00 PM
Tchanders claimed this task.Jul 17 2024, 2:34 PM
Tchanders moved this task from Priority Backlog to Ready on the Trust and Safety Product Sprint (Sprint Koto (July 15 - July 26)) board.Jul 17 2024, 6:25 PM
Dreamy_Jazz moved this task from Inbox to Temporary account IP reveal on the CheckUser board.Jul 22 2024, 10:26 AM
Tchanders moved this task from Ready to In Progress on the Trust and Safety Product Sprint (Sprint Koto (July 15 - July 26)) board.Jul 22 2024, 10:52 AM
gerritbot added a comment.Jul 22 2024, 11:08 AM

Change #1055892 had a related patch set uploaded (by Tchanders; author: Tchanders):

[mediawiki/extensions/CheckUser@master] WIP Stop performing duplicate IP reveal API requests on Special:Contributions

https://gerrit.wikimedia.org/r/1055892

gerritbot added a project: Patch-For-Review.Jul 22 2024, 11:09 AM
Tchanders moved this task from In Progress to Needs Review on the Trust and Safety Product Sprint (Sprint Koto (July 15 - July 26)) board.Jul 22 2024, 4:50 PM
gerritbot added a comment.Jul 22 2024, 7:29 PM

Change #1055892 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@master] Stop performing duplicate IP reveal API requests on Special:Contributions

https://gerrit.wikimedia.org/r/1055892

Maintenance_bot removed a project: Patch-For-Review.Jul 22 2024, 7:30 PM
ReleaseTaggerBot added a project: MW-1.43-notes (1.43.0-wmf.15; 2024-07-23).Jul 22 2024, 8:00 PM
Tchanders moved this task from Needs Review to Needs QA on the Trust and Safety Product Sprint (Sprint Koto (July 15 - July 26)) board.Jul 23 2024, 6:37 AM
Djackson-ctr subscribed.Jul 24 2024, 5:38 AM

I have verified the new code has been implemented and is functioning and displaying as expected.

image.png (55×1 px, 5 KB)

Djackson-ctr moved this task from Needs QA to Done on the Trust and Safety Product Sprint (Sprint Koto (July 15 - July 26)) board.Jul 24 2024, 5:38 AM
kostajh closed this task as Resolved.Jul 24 2024, 7:37 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits