
Special:CheckUser shows IP addresses successfully logging out when the user was not logged in to begin with
Closed, Resolved | Public | 1 Estimated Story Points | BUG REPORT

Description

Rows in the CheckUser result tables appeared to suggest that logged out users were successfully performing a logout action. As an enwiki CU I was confused and decided to look at this today. I found that this was reproducible on my local wiki if I used the logout API when I was already logged out.

This is not possible to reproduce using Special:UserLogout as there is a check that outputs the success message early if the user is already logged out.

Example data from my local testing wiki (which therefore is not private data) with the problematic rows:

image.png (173×872 px, 39 KB)

Steps to replicate the issue
  1. Open Special:ApiSandbox while logged out
  2. Choose logout as the action, add the token for the request, and then click Make request
  3. Log into an account with the checkuser group
  4. Open Special:CheckUser, enter the IP address used to make the API request in step 2 as the username, and run a Get actions check

What happens?:
CheckUser shows rows for an IP address "successfully" logging out

What should have happened instead?:
No rows should appear as the user was not logged in, so cannot log out

Event Timeline

Change #1071605 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/core@master] Return early in ApiLogout if user not logged in

https://gerrit.wikimedia.org/r/1071605

Change #1071605 merged by jenkins-bot:

[mediawiki/core@master] Return early in ApiLogout if user not logged in

https://gerrit.wikimedia.org/r/1071605

Djackson-ctr subscribed.

QA has been completed and the new code is functioning and displaying as expected (No rows should appear as the user was not logged in, so cannot log out).
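
The early-return guard named in the patch title, modelled as an added example that is not the MediaWiki patch or any code from this task. `Session`, `AuditLog` and both handler functions are hypothetical stand-ins, and the IP address and username are constructed sample values.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-ins for a session and an audit sink; not MediaWiki classes.
final class Session {
    public function __construct(public ?string $user = null) {}
    public function isLoggedIn(): bool { return $this->user !== null; }
}

final class AuditLog {
    /** @var list<array{actor: string, action: string}> */
    public array $rows = [];
    public function record(string $actor, string $action): void {
        $this->rows[] = ['actor' => $actor, 'action' => $action];
    }
}

// Behaviour the report describes: the event is written even when nobody is
// logged in, so the client IP becomes the actor of a "successful" logout.
function logoutUnguarded(Session $s, string $ip, AuditLog $log): void {
    $actor = $s->user ?? $ip;
    $s->user = null;
    $log->record($actor, 'logout');
}

// Guarded form: return before any side effect when there is no session to end.
function logoutGuarded(Session $s, string $ip, AuditLog $log): void {
    if (!$s->isLoggedIn()) {
        return;
    }
    $log->record($s->user, 'logout');
    $s->user = null;
}

// Constructed sample: one anonymous request, then a real logout sent twice.
$ip = '192.0.2.10'; // documentation address (RFC 5737)
foreach (['logoutUnguarded', 'logoutGuarded'] as $handler) {
    $log = new AuditLog();
    $handler(new Session(), $ip, $log);      // anonymous caller
    $session = new Session('ExampleUser');
    $handler($session, $ip, $log);           // genuine logout
    $handler($session, $ip, $log);           // repeat after the session ended
    printf("%s: %s\n", $handler, json_encode(array_column($log->rows, 'actor')));
}
```

The repeated call covers the same condition as the anonymous one: once the session has ended, a second logout request has nothing to end and should leave no audit row.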