Page MenuHomePhabricator
Create Task
Maniphest T375115

Automatically revoke temporary-account-viewer group from users when they have not made an edit or logged action in the last year
Closed, ResolvedPublic2 Estimated Story Points
Actions

Description

Background

Per the foundation policy users granted rights to see temporary account IP addresses through autopromotion should have these removed if they have made no edits or logged actions over the last year:

In order to maintain access to the IP addresses of temporary accounts, users in this category must edit or take a logged action to the local project at least once within a 365-day period.

Specification
  • A user who has been manually granted Temporary Account IP Viewer right will lose their access after 365 days of inactivity
    • Inactivity is defined as no edits or logged actions (not including private actions)
    • A log entry is created in the user rights log with the comment as follows: Temporary Account IP address access for [[User:...]] was revoked due to inactivity.
Acceptance criteria
  • The inactivity removal has been implemented in line with the specifications
  • cron job runs

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Respect user language in temp account viewer autorevoke policy linkmediawiki/extensions/WikimediaMessagesmaster+1 -1
Override `checkuser-temporary-account-autorevoke-userright-reason`mediawiki/extensions/WikimediaMessagesmaster+4 -0
mediawiki: Run CheckUser/revokeTemporaryAccountViewerGroup.phpoperations/puppetproduction+16 -0
Clean up revokeTemporaryAccountViewerGroup maint scriptmediawiki/extensions/CheckUsermaster+28 -40
Auto-remove IP reveal rights from inactive users via maintenance scriptmediawiki/extensions/CheckUsermaster+363 -1
Add logs for when the system autorevokes a user's IPInfo accessmediawiki/extensions/IPInfomaster+18 -0
Auto-remove IP reveal rights from inactive users via maintenance scriptmediawiki/coremaster+201 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
Dreamy_Jazz removed Niharika as the assignee of this task.Sep 18 2024, 5:13 PM
Dreamy_Jazz removed a project: Epic.
Dreamy_Jazz removed subscribers: Niharika, Izno, Aklapper and 7 others.
Niharika subscribed.Sep 19 2024, 8:31 AM
kostajh moved this task from Inbox to Backlog on the Temporary accounts board.Oct 1 2024, 10:35 AM
kostajh added a project: Trust and Safety Product Team.
sgrabarczuk subscribed.Nov 7 2024, 11:08 AM
Steenth subscribed.Nov 7 2024, 11:10 AM
Tchanders changed the task status from Open to Stalled.Nov 25 2024, 2:47 PM

Awaiting on legal discussion with @Niharika to see if we can drop this requirement

Niharika edited projects, added Temporary accounts (Global wiki rollout); removed Temporary accounts.Dec 9 2024, 5:22 PM
Tchanders added a project: Trust and Safety Product Sprint (Sprint Key Lime Pie (May 5 - May 23)).Apr 30 2025, 4:58 PM
kostajh changed the task status from Stalled to Open.May 5 2025, 6:48 AM

This is needed per the revised policy https://foundation.wikimedia.org/wiki/Policy:Wikimedia_Access_to_Temporary_Account_IP_Addresses_Policy#Patrollers_and_other_users

We can use a maintenance script that checks for edits in the last calendar year, and add it to the list of cron jobs.

kostajh moved this task from Priority Backlog to Ready on the Trust and Safety Product Sprint (Sprint Key Lime Pie (May 5 - May 23)) board.May 5 2025, 6:48 AM
kostajh removed a project: Trust and Safety Product Sprint (Sprint Key Lime Pie (May 5 - May 23)).May 6 2025, 1:16 PM

Doesn't need to happen for a few months at least, so removing from current sprint.

Dreamy_Jazz renamed this task from Automatically revoke checkuser-temporary-account-viewer from users when they have not made an edit or logged action in the last year to Automatically revoke temporary-account-viewer group from users when they have not made an edit or logged action in the last year.May 21 2025, 11:02 AM
Dreamy_Jazz updated the task description. (Show Details)May 21 2025, 11:07 AM
Tchanders moved this task from To triage to Ready on the Temporary accounts (Global wiki rollout) board.Jun 10 2025, 3:08 PM
Johannnes89 subscribed.Jun 12 2025, 1:50 PM
DerHexer subscribed.Jun 22 2025, 8:23 AM
Niharika updated the task description. (Show Details)Jul 8 2025, 2:42 PM
Dreamy_Jazz updated the task description. (Show Details)Jul 8 2025, 7:16 PM

@Niharika should the user have to re-accept the use agreements if they are given access again? Alternatively, is it okay if the use agreement checkboxes are kept checked so the user does not have to re-accept the agreement?

Niharika added a subscriber: Dreamy_Jazz.Jul 9 2025, 4:15 AM
In T375115#10985959, @Dreamy_Jazz wrote:

@Niharika should the user have to re-accept the use agreements if they are given access again? Alternatively, is it okay if the use agreement checkboxes are kept checked so the user does not have to re-accept the agreement?

Good question. I think the proper thing to do would be to have them re-accept the agreements. If someone has been inactive for a long time, they may not remember the terms they agreed to.
I'll update the task description.

Niharika updated the task description. (Show Details)Jul 9 2025, 4:17 AM
Niharika edited projects, added Temporary accounts; removed Temporary accounts (Global wiki rollout).Jul 22 2025, 11:03 AM
Niharika moved this task from Backlog to Q2 FY25-26 candidates on the Temporary accounts board.
kostajh added a comment.Jul 22 2025, 12:59 PM

Inactivity is defined as no edits or logged actions (any actions, including private ones)

We only track private actions for 90 days (via CheckUser tables) so I think this part of the specs would need to be reworded. I would suggest we change it to:

Inactivity is defined as no edits or publicly logged actions

cc @Niharika

Tchanders set the point value for this task to 2.Aug 1 2025, 10:06 AM
OKryva-WMF triaged this task as High priority.Aug 1 2025, 1:40 PM
OKryva-WMF added a project: Trust and Safety Product Sprint (Sprint Rum baba (July 28 - August 15)).
OKryva-WMF moved this task from Priority Backlog to Ready on the Trust and Safety Product Sprint (Sprint Rum baba (July 28 - August 15)) board.
STran claimed this task.Aug 4 2025, 8:00 AM
STran moved this task from Ready to In Progress on the Trust and Safety Product Sprint (Sprint Rum baba (July 28 - August 15)) board.
gerritbot added a comment.Aug 5 2025, 12:45 PM

Change #1175891 had a related patch set uploaded (by STran; author: STran):

[mediawiki/extensions/CheckUser@master] Add logging support for automatic inactive group membership removal

https://gerrit.wikimedia.org/r/1175891

gerritbot added a project: Patch-For-Review.Aug 5 2025, 12:45 PM
gerritbot added a comment.Aug 5 2025, 12:50 PM

Change #1175894 had a related patch set uploaded (by STran; author: STran):

[mediawiki/core@master] Auto-remove IP reveal rights from inactive users via maintenance script

https://gerrit.wikimedia.org/r/1175894

gerritbot added a comment.Aug 5 2025, 2:28 PM

Change #1175894 abandoned by STran:

[mediawiki/core@master] Auto-remove IP reveal rights from inactive users via maintenance script

Reason:

prefer I11ff6ddc1b697ddac2b2b1528ed90fd6fc72b2f2

https://gerrit.wikimedia.org/r/1175894

STran moved this task from In Progress to Needs Review on the Trust and Safety Product Sprint (Sprint Rum baba (July 28 - August 15)) board.Aug 5 2025, 3:08 PM
Dreamy_Jazz moved this task from Inbox to Engineering on the Trust and Safety Product Team board.Aug 6 2025, 10:45 AM
STran moved this task from Needs Review to In Progress on the Trust and Safety Product Sprint (Sprint Rum baba (July 28 - August 15)) board.Aug 6 2025, 11:17 AM
STran added a comment.Aug 6 2025, 3:50 PM

@Niharika Could you answer a few questions about how we want/expect this to work in these cases?

In T375115#11023981, kostajh wrote:

Inactivity is defined as no edits or logged actions (any actions, including private ones)

We only track private actions for 90 days (via CheckUser tables) so I think this part of the specs would need to be reworded. I would suggest we change it to:

Inactivity is defined as no edits or publicly logged actions

cc @Niharika

Additionally, for IPInfo, the tos agreement preference can be set globally and this overrides local value setting. Should we:

  • add a local exception
  • not unset the preference at all
  • attempt to ascertain if the user is globally inactive (feels like scope creep, do not recommend)
Dreamy_Jazz added a comment.Aug 6 2025, 6:23 PM

Additionally, for IPInfo,

Just to note that this also applies to the IP reveal preference. It can be set globally in the same way, so we would need to answer that for this one too.

Niharika added a subscriber: kostajh.Aug 12 2025, 12:06 PM
In T375115#11023981, @kostajh wrote:

Inactivity is defined as no edits or logged actions (any actions, including private ones)

We only track private actions for 90 days (via CheckUser tables) so I think this part of the specs would need to be reworded. I would suggest we change it to:

Inactivity is defined as no edits or publicly logged actions

Sounds OK to me.

Additionally, for IPInfo, the tos agreement preference can be set globally and this overrides local value setting. Should we:

  • add a local exception
  • not unset the preference at all
  • attempt to ascertain if the user is globally inactive (feels like scope creep, do not recommend)

Between the first two options, I think adding a local exception seems like the more logical step. I think it is better to unset the preference so the user can re-review the ToS before accepting them. @Dreamy_Jazz I'd welcome your thoughts on this (with your CU hat on!).

Niharika moved this task from Q2 FY25-26 candidates to Global wiki rollout on the Temporary accounts board.Aug 12 2025, 12:09 PM
Niharika edited projects, added Temporary accounts (Global wiki rollout); removed Temporary accounts.
STran added a comment.Aug 13 2025, 6:47 AM

This might be out of scope but this script doesn't inform the user that their access has been revoked and should it? I guess if you're gone without notice for a year you're not coming back or you should expect to have privileged revoked but an indicator/notification might be nice regardless in case you do? It might make setting the local exception clearer, as @Dreamy_Jazz did note on the task:

I think it would be confusing because it would be not clear how a user would re-enable the preference locally.

Dreamy_Jazz added a comment.Aug 13 2025, 9:42 AM

Between the first two options, I think adding a local exception seems like the more logical step. I think it is better to unset the preference so the user can re-review the ToS before accepting them.

Adding a local exception could be confusing IMO because:

  • The user may be inactive on only one wiki and so they may still be using access elsewhere
  • We don't provide a route for users to see that the local preference is disabled, so they may be unable to see why

Could we alternatively consider just unsetting the preference globally if the user is inactive on all wikis? Tbh I don't see why we would need to differentiate between a user agreeing to the preference on multiple wikis, because agreeing to the preference appears to be agreeing to the policy that applies globally.

STran added a comment.Aug 13 2025, 12:19 PM

Some notes from a quick discussion we had off-band:

  • In the interest of unblocking myself, I'm going to move forward with "Do nothing" wrt to the ip info preferences for now. We have time to decide how we want to treat this, as no one's access will be expiring any time soon. If we resolve it differently before the patch goes in, that's fine but we shouldn't mind a follow-up patch if necessary.
  • We should decide if "because agreeing to the preference appears to be agreeing to the policy that applies globally." is true. If it is, the local exception could cause a mismatch in ToS agreement if the global agreement still stands but no longer counts locally.
  • Expiring a global preference based on on global inactivity is a different ask than expiring a local preference based on local inactivity and imo should be a follow-up/different thing regardless.
STran moved this task from In Progress to Needs Review on the Trust and Safety Product Sprint (Sprint Rum baba (July 28 - August 15)) board.Aug 13 2025, 6:05 PM
STran added a comment.Aug 14 2025, 8:18 AM

We've been discussing this on-patch and @Dreamy_Jazz brought up this point. @Niharika could you take a look and give your opinion on how to move forward? I'm not sure what the call is, given there are legal obligations etc.

Personally I think we should use the rights log to indicate removal and not create a log in the temporary account reveal log.

This is because:

  • If we create the log but then don't create one if the user gets access again, we risk users being confused (because the IP reveal log says that they had access removed for inactivity)
  • The user rights log for the group change should be enough to indicate removal and we will need to create it anyway.
  • No reason in the user rights log will be confusing for users who cannot see the IP reveal log (i.e. most users), as they will see no reason for the removal provided in any associated log.

For context, the specs don't ask for a log in the user rights change log but for consistency/clarity we added it there since it would be confusing if someone looked at Special:UserRights and didn't see why someone's group membership was revoked. As of writing, this means the same action is logged to both the rights log and the temp accounts log.

STran moved this task from Needs Review to In Progress on the Trust and Safety Product Sprint (Sprint Rum baba (July 28 - August 15)) board.Aug 14 2025, 8:18 AM
OKryva-WMF added a project: OKR-Work.Aug 14 2025, 9:55 AM
STran updated the task description. (Show Details)Aug 18 2025, 5:56 AM
gerritbot added a comment.Aug 18 2025, 7:53 AM

Change #1179638 had a related patch set uploaded (by STran; author: STran):

[mediawiki/extensions/IPInfo@master] Add logs for when the system autorevokes a user's IPInfo access

https://gerrit.wikimedia.org/r/1179638

STran moved this task from In Progress to Needs Review on the Trust and Safety Product Sprint (Sprint Rum baba (July 28 - August 15)) board.Aug 18 2025, 11:46 AM
Tchanders added a comment.Aug 18 2025, 1:31 PM
In T375115#11084841, @STran wrote:

We've been discussing this on-patch and @Dreamy_Jazz brought up this point. @Niharika could you take a look and give your opinion on how to move forward? I'm not sure what the call is, given there are legal obligations etc.

Personally I think we should use the rights log to indicate removal and not create a log in the temporary account reveal log.

This is because:

  • If we create the log but then don't create one if the user gets access again, we risk users being confused (because the IP reveal log says that they had access removed for inactivity)
  • The user rights log for the group change should be enough to indicate removal and we will need to create it anyway.
  • No reason in the user rights log will be confusing for users who cannot see the IP reveal log (i.e. most users), as they will see no reason for the removal provided in any associated log.

For context, the specs don't ask for a log in the user rights change log but for consistency/clarity we added it there since it would be confusing if someone looked at Special:UserRights and didn't see why someone's group membership was revoked. As of writing, this means the same action is logged to both the rights log and the temp accounts log.

It makes sense to me only to log it in the user rights log.

In T375115#11082366, @STran wrote:

Some notes from a quick discussion we had off-band:

  • In the interest of unblocking myself, I'm going to move forward with "Do nothing" wrt to the ip info preferences for now. We have time to decide how we want to treat this, as no one's access will be expiring any time soon. If we resolve it differently before the patch goes in, that's fine but we shouldn't mind a follow-up patch if necessary.
  • We should decide if "because agreeing to the preference appears to be agreeing to the policy that applies globally." is true. If it is, the local exception could cause a mismatch in ToS agreement if the global agreement still stands but no longer counts locally.
  • Expiring a global preference based on on global inactivity is a different ask than expiring a local preference based on local inactivity and imo should be a follow-up/different thing regardless.

I would support leaving the preferences alone, as this makes the logic and the user experience simpler. I don't think it makes sense to regard them as no longer agreeing to the agreement if they lose their access automatically, as they have taken no action to imply that this is the case. If they ever need to re-enable their access, it would be a confusing experience to need to discover that they need to disable a local override that was automatically made to disable their preference.

OKryva-WMF edited projects, added Trust and Safety Product Sprint (Sprint Princess Tarta (August 18 - September 5)); removed Trust and Safety Product Sprint (Sprint Rum baba (July 28 - August 15)).Aug 19 2025, 10:05 AM
OKryva-WMF moved this task from Priority Backlog to Needs Review on the Trust and Safety Product Sprint (Sprint Princess Tarta (August 18 - September 5)) board.
gerritbot added a comment.Aug 19 2025, 11:05 AM

Change #1179638 abandoned by STran:

[mediawiki/extensions/IPInfo@master] Add logs for when the system autorevokes a user's IPInfo access

Reason:

product specs updated, no longer needed

https://gerrit.wikimedia.org/r/1179638

Dreamy_Jazz moved this task from Needs Review to In Progress on the Trust and Safety Product Sprint (Sprint Princess Tarta (August 18 - September 5)) board.Aug 19 2025, 2:47 PM

(Moving out of Needs Review as the associated patch is marked as WIP)

Dreamy_Jazz moved this task from Ready to In progress on the Temporary accounts (Global wiki rollout) board.Aug 20 2025, 10:25 AM
STran moved this task from In Progress to Needs Review on the Trust and Safety Product Sprint (Sprint Princess Tarta (August 18 - September 5)) board.Aug 21 2025, 10:25 AM
STran updated the task description. (Show Details)Aug 21 2025, 5:30 PM
STran added a comment.Aug 21 2025, 5:33 PM

The maintenance script patch was +2ed but I'm moving this back into In Progress because it also needs an accompanying cron job setup so it actually runs. I've updated acceptance criteria to reflect this and also what we agreed on wrt to local preference modifications (don't).

STran moved this task from Needs Review to In Progress on the Trust and Safety Product Sprint (Sprint Princess Tarta (August 18 - September 5)) board.Aug 21 2025, 5:33 PM
gerritbot added a comment.Aug 21 2025, 6:13 PM

Change #1175891 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@master] Auto-remove IP reveal rights from inactive users via maintenance script

https://gerrit.wikimedia.org/r/1175891

Maintenance_bot removed a project: Patch-For-Review.Aug 21 2025, 6:30 PM
ReleaseTaggerBot added a project: MW-1.45-notes (1.45.0-wmf.16; 2025-08-26).Aug 21 2025, 7:00 PM
gerritbot added a comment.Aug 25 2025, 9:42 AM

Change #1181654 had a related patch set uploaded (by STran; author: STran):

[mediawiki/extensions/CheckUser@master] Condense query used in revokeTemporaryAccountViewerGroup maint script

https://gerrit.wikimedia.org/r/1181654

gerritbot added a project: Patch-For-Review.Aug 25 2025, 9:42 AM
gerritbot added a comment.Aug 25 2025, 10:26 AM

Change #1181662 had a related patch set uploaded (by STran; author: STran):

[mediawiki/extensions/WikimediaMessages@master] Override `checkuser-temporary-account-autorevoke-userright-reason`

https://gerrit.wikimedia.org/r/1181662

gerritbot added a comment.Aug 25 2025, 12:36 PM

Change #1181689 had a related patch set uploaded (by STran; author: STran):

[operations/puppet@production] mediawiki: Run CheckUser/revokeTemporaryAccountViewerGroup.php

https://gerrit.wikimedia.org/r/1181689

STran moved this task from In Progress to Needs Review on the Trust and Safety Product Sprint (Sprint Princess Tarta (August 18 - September 5)) board.Aug 25 2025, 12:41 PM
gerritbot added a comment.Aug 25 2025, 2:08 PM

Change #1181654 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@master] Clean up revokeTemporaryAccountViewerGroup maint script

https://gerrit.wikimedia.org/r/1181654

gerritbot added a comment.Aug 25 2025, 2:08 PM

Change #1181662 merged by jenkins-bot:

[mediawiki/extensions/WikimediaMessages@master] Override `checkuser-temporary-account-autorevoke-userright-reason`

https://gerrit.wikimedia.org/r/1181662

gerritbot added a comment.Aug 28 2025, 6:38 PM

Change #1181689 merged by JHathaway:

[operations/puppet@production] mediawiki: Run CheckUser/revokeTemporaryAccountViewerGroup.php

https://gerrit.wikimedia.org/r/1181689

Maintenance_bot removed a project: Patch-For-Review.Aug 28 2025, 7:31 PM
Dreamy_Jazz moved this task from Needs Review to Needs QA on the Trust and Safety Product Sprint (Sprint Princess Tarta (August 18 - September 5)) board.Aug 29 2025, 4:08 PM
Dreamy_Jazz added a comment.Aug 29 2025, 4:17 PM

First run on WMF wikis should have happened and it looks like it didn't remove any users (as expected) per https://pl.wikipedia.org/wiki/Specjalna:U%C5%BCytkownicy?username=&group=temporary-account-viewer&wpsubmit=&wpFormIdentifier=mw-listusers-form&limit=50&uselang=en having users still.

We may want to grant access to an inactive test account on test.wikipedia.org and see if the script removes access from them to be sure that it is working.

gerritbot added a comment.Sep 2 2025, 11:05 AM

Change #1184049 had a related patch set uploaded (by STran; author: STran):

[mediawiki/extensions/WikimediaMessages@master] Respect user language in temp account viewer autorevoke policy link

https://gerrit.wikimedia.org/r/1184049

gerritbot added a project: Patch-For-Review.Sep 2 2025, 11:05 AM
gerritbot added a comment.Sep 2 2025, 11:43 AM

Change #1184049 merged by jenkins-bot:

[mediawiki/extensions/WikimediaMessages@master] Respect user language in temp account viewer autorevoke policy link

https://gerrit.wikimedia.org/r/1184049

ReleaseTaggerBot edited projects, added MW-1.45-notes (1.45.0-wmf.18; 2025-09-09); removed MW-1.45-notes (1.45.0-wmf.16; 2025-08-26).Sep 2 2025, 12:01 PM
Maintenance_bot removed a project: Patch-For-Review.Sep 2 2025, 12:31 PM
OKryva-WMF edited projects, added Trust and Safety Product Sprint (Sprint Dadar Gulung (September 8 - September 26)); removed Trust and Safety Product Sprint (Sprint Princess Tarta (August 18 - September 5)).Sep 4 2025, 3:10 PM
OKryva-WMF moved this task from Priority Backlog to In Progress on the Trust and Safety Product Sprint (Sprint Dadar Gulung (September 8 - September 26)) board.Sep 4 2025, 4:05 PM
OKryva-WMF moved this task from In Progress to Needs QA on the Trust and Safety Product Sprint (Sprint Dadar Gulung (September 8 - September 26)) board.
OKryva-WMF edited projects, added Product Safety and Integrity; removed Trust and Safety Product Sprint (Sprint Dadar Gulung (September 8 - September 26)).Sep 26 2025, 12:43 PM
OKryva-WMF edited projects, added Product Safety and Integrity (Sprint Apfel Strudel (Sep 29 - Oct 17)); removed Product Safety and Integrity.Sep 26 2025, 12:48 PM
OKryva-WMF moved this task from Priority backlog to Needs QA on the Product Safety and Integrity (Sprint Apfel Strudel (Sep 29 - Oct 17)) board.Sep 26 2025, 12:48 PM
Tchanders closed this task as Resolved.Sep 30 2025, 10:40 AM
Tchanders moved this task from Needs QA to Done on the Product Safety and Integrity (Sprint Apfel Strudel (Sep 29 - Oct 17)) board.
In T375115#11132529, @Dreamy_Jazz wrote:

First run on WMF wikis should have happened and it looks like it didn't remove any users (as expected) per https://pl.wikipedia.org/wiki/Specjalna:U%C5%BCytkownicy?username=&group=temporary-account-viewer&wpsubmit=&wpFormIdentifier=mw-listusers-form&limit=50&uselang=en having users still.

We may want to grant access to an inactive test account on test.wikipedia.org and see if the script removes access from them to be sure that it is working.

It would be nice to test, but I don't have an account that would meet the criteria for the group, and I'd be concerned about adding the right to an account that we didn't own, even temporarily.

Since the script logs errors and successes, perhaps we can rely on spotting problems in the logs. (I checked and found none since the script started running.)

Moving to Done, since QA is overloaded and we have QA'ed this in review.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits