Page MenuHomePhabricator
Create Task
Maniphest T373525

Write temporary account logs from AbuseFilter to CheckUser when CheckUser is enabled
Closed, ResolvedPublic
Actions

Description

The AbuseFilter follow-up to T373524: Support temporary account-related logs from other extensions in CheckUser.

AbuseFilter will begin logging temporary account IP views in T365743: Log when AbuseFilter user sees IP address associated with temp account via user_unnamed_ip variable trigger in its own log. It would be convenient and nice if all logs with regards to temporary account IPs were centralized in order to make it easier to review. Right now there's no way to use CheckUser's TemporaryAccountLogger to accurately record other IP viewing-related actions. Given that CheckUser is the holder of temporary account IP data, we should log to CheckUser whenever possible.

Acceptance criteria:

  • ProtectedVarsAccessLogger writes to CheckUser's temporary accounts log if CheckUser is enabled

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Write protected variables access logs to CheckUser if installedmediawiki/extensions/AbuseFiltermaster+150 -14
Update references from AbuseFilter's temp account logsmediawiki/extensions/CheckUsermaster+6 -6
Customize query in gerrit

Related Objects

Event Timeline

STran created this task.Aug 28 2024, 1:57 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 28 2024, 1:57 PM
kostajh edited projects, added Temporary accounts, Trust and Safety Product Team; removed Trust and Safety Tools Team Backlog.Aug 28 2024, 2:24 PM
STran claimed this task.Aug 29 2024, 2:03 PM
STran added a project: Trust and Safety Product Sprint (Sprint Theremin (Aug 26 - Sept. 6)).
STran moved this task from Priority Backlog to In Progress on the Trust and Safety Product Sprint (Sprint Theremin (Aug 26 - Sept. 6)) board.
gerritbot added a comment.Aug 30 2024, 10:55 AM

Change #1069147 had a related patch set uploaded (by STran; author: STran):

[mediawiki/extensions/AbuseFilter@master] Write protected variables access logs to CheckUser if installed

https://gerrit.wikimedia.org/r/1069147

gerritbot added a project: Patch-For-Review.Aug 30 2024, 10:55 AM
kostajh moved this task from Inbox to Ready on the Temporary accounts board.Sep 2 2024, 12:35 PM
STran moved this task from In Progress to Needs review on the Trust and Safety Product Sprint (Sprint Theremin (Aug 26 - Sept. 6)) board.Sep 9 2024, 2:30 PM
gerritbot added a comment.Sep 13 2024, 1:24 PM

Change #1072750 had a related patch set uploaded (by STran; author: STran):

[mediawiki/extensions/CheckUser@master] Update references from AbuseFilter's temp account logs

https://gerrit.wikimedia.org/r/1072750

gerritbot added a comment.Sep 13 2024, 2:16 PM

Change #1072750 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@master] Update references from AbuseFilter's temp account logs

https://gerrit.wikimedia.org/r/1072750

ReleaseTaggerBot added a project: MW-1.43-notes (1.43.0-wmf.23; 2024-09-17).Sep 13 2024, 3:00 PM
Dreamy_Jazz moved this task from Sprint Theremin (Aug 26 - Sept. 6) to Sprint Beatboxing (Sept 16-27) on the Trust and Safety Product Sprint board.Sep 16 2024, 10:10 AM
Dreamy_Jazz edited projects, added Trust and Safety Product Sprint (Sprint Beatboxing (Sept 16-27)); removed Trust and Safety Product Sprint (Sprint Theremin (Aug 26 - Sept. 6)).
Dreamy_Jazz moved this task from Priority Backlog to Needs review on the Trust and Safety Product Sprint (Sprint Beatboxing (Sept 16-27)) board.
Dreamy_Jazz moved this task from Needs review to Needs QA on the Trust and Safety Product Sprint (Sprint Beatboxing (Sept 16-27)) board.Sep 19 2024, 10:36 AM
gerritbot added a comment.Sep 19 2024, 11:07 AM

Change #1069147 merged by jenkins-bot:

[mediawiki/extensions/AbuseFilter@master] Write protected variables access logs to CheckUser if installed

https://gerrit.wikimedia.org/r/1069147

Maintenance_bot removed a project: Patch-For-Review.Sep 19 2024, 11:30 AM
ReleaseTaggerBot edited projects, added MW-1.43-notes (1.43.0-wmf.24; 2024-09-24); removed MW-1.43-notes (1.43.0-wmf.23; 2024-09-17).Sep 19 2024, 12:00 PM
dom_walden moved this task from Needs QA to Done on the Trust and Safety Product Sprint (Sprint Beatboxing (Sept 16-27)) board.Sep 23 2024, 7:45 AM
dom_walden subscribed.

When I enable or disable Enable revealing IP addresses for temporary accounts in AbuseFilter in my Special:Preferences, I see an entry in the logging table:

  • with CheckUser disabled, it has the log_type of abusefilter-protected-vars and log_action either change-access-enable or change-access-disable
  • with CheckUser enabled, it has the log_type of checkuser-temporary-account and log_action either af-change-access-enable or af-change-access-disable

In the latter case, I also see it in Special:Log?type=checkuser-temporary-account.

I am not able to access Special:Log?type=abusefilter-protected-vars. I assume it has yet to be implemented. When I try to access it via the API (action=query&format=json&list=logevents&letype=abusefilter-protected-vars) it returns no results. Again, I assume it has not been implemented yet.

Test environment: local docker Abuse Filter – (4124d56) 21:40, 20 September 2024. CheckUser 2.5 (57fb32a) 21:51, 19 September 2024.

STran added a comment.Sep 23 2024, 12:11 PM

I am not able to access Special:Log?type=abusefilter-protected-vars. I assume it has yet to be implemented.

Huh that's weird. It should be there? It would show up if you have any logs written to that type so in the CheckUser disabled scenario, I would have expected it to show up:

image.png (1×1 px, 206 KB)

There was a bug where trying to view the specific subtype ('change-access) was wrong because I hadn't updated the logs under that subtype but I just fixed that in I53f22855e63d9e1339361a5c9ee7886e0f74714a.

kostajh moved this task from Done to Needs QA on the Trust and Safety Product Sprint (Sprint Beatboxing (Sept 16-27)) board.Sep 29 2024, 2:59 PM
kostajh subscribed.

Moving back to "Needs QA" to recheck this part:

In T373525#10166505, @dom_walden wrote:

I am not able to access Special:Log?type=abusefilter-protected-vars. I assume it has yet to be implemented. When I try to access it via the API (action=query&format=json&list=logevents&letype=abusefilter-protected-vars) it returns no results. Again, I assume it has not been implemented yet.>

kostajh moved this task from Ready to In progress on the Temporary accounts board.Sep 29 2024, 3:00 PM
dom_walden added a comment.Oct 7 2024, 7:25 AM

When I go to Special:Log?type=abusefilter-protected-vars, I get the message:

You do not have permission to view logs that reveal protected variables, for the following reason:
You are not allowed to execute the action you have requested.

No indication about what sort of permissions/rights I need to enable and I don't know how to find out.

STran added a comment.Oct 7 2024, 8:22 AM

No indication about what sort of permissions/rights I need to enable and I don't know how to find out.

Ah sorry, the rights you need are abusefilter-protected-vars-log and abusefilter-access-protected-vars.

dom_walden moved this task from Needs QA to Done on the Trust and Safety Product Sprint (Sprint Beatboxing (Sept 16-27)) board.Oct 7 2024, 8:37 AM
In T373525#10205796, @STran wrote:

No indication about what sort of permissions/rights I need to enable and I don't know how to find out.

Ah sorry, the rights you need are abusefilter-protected-vars-log and abusefilter-access-protected-vars.

OK, thanks, I can see the page now.

kostajh closed this task as Resolved.Oct 8 2024, 10:10 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits