| Niharika | |
| Sep 30 2024, 6:03 AM |
| F57784616: image.png | |
| Dec 6 2024, 3:28 PM |
| F57784620: image.png | |
| Dec 6 2024, 3:28 PM |
| F57779263: image.png | |
| Dec 4 2024, 7:54 PM |
Any user who has had their IP Reveal permission revoked for reasons of abuse:
We want to add a mechanism for doing the above.
@Dreamy_Jazz and @Urbanecm recommended we use partial blocks (at global and local levels) for implementing this.
See slack thread for details. (Sorry the link is private to WMF staff only)
| Status | Subtype | Assigned | Task | ||
|---|---|---|---|---|---|
| Restricted Task | |||||
| Resolved | kostajh | T294511 2021 Security Team wikireplicas audit | |||
| Declined | None | T284948 Raw IPs of logged-out users disclosed in wiki-replicas | |||
| Resolved | Niharika | T324492 Temporary accounts - MVP | |||
| In Progress | Niharika | T325451 [Epic] Users with right privileges are able to view IP addresses | |||
| Invalid | None | T375579 Allow stewards to prevent auto-promotion into specified groups globally | |||
| Invalid | None | T375992 Design the workflow to prevent access to IP Reveal for specified users | |||
| Invalid | None | T382082 Investigate: How would global partial blocks for IP reveal interact with other types of block? |
Should not be auto-promoted to any groups that give them the right(s) to reveal IPs
Alternatively we can have a global equivalent of $wgRevokePermissions (such feature does not yet exist), so even if users are in such groups, they can not use their reveal right. See also T337189: Add ability to centrally revoke IP reveal permissions from users who do not need them for safety reasons
Let's not do that, please. Checking a new checkbox at Special:Userrights is (almost exclusively) used for granting new rights, the only exception being IP Info. Normally, we use Special:Block (or Special:GlobalBlock) for access revocation (or Special:UserRights, if we want to demote an user). I think we should keep those workflows, rather than introducing new ones.
+1 to this comment. We have received feedback from stewards that using a group to revoke rights is confusing. I'd rather extend the GlobalBlocking tools to support partial action blocks, such that stewards can globally partially block a user from the tool. This has been seen as much less confusing from a user point of view.
And we can also replace the no-ipinfo group too. Also,
I haven't heard any objections to using partial blocks for implementing this workflow from stewards over Discord. I think this can go into the design phase now. CC @KColeman-WMF
We can add an additional checkbox that says "Revealing an IP address" to Partial block radio button checkboxes.
@Dreamy_Jazz I can't see Global Block page so not sure where the checkbox would appear on that page. Happy for you to add it where you feel it makes most sense!
Could we scope this to local blocks, rather than adding a global block?
It becomes quite a big project if we need to make GlobalBlocking handle partial blocks. If we do need to do this, it would be more feasible to do it in time for rollout to all wikis than for major pilots.
I do agree that this would be a project that would take a fair amount of time. However, I would note that it would make it difficult for stewards to revoke access for all wikis if we only implement it for a local block.
@Urbanecm and I talked through this one. Based on our conversation it makes sense to make global revocation a blocker to major pilots deployment.
Here's our thinking behind this decision: Without this feature, it would be very hard for stewards to handle cases of global abuse of IP Reveal access. A user may be active on several wikis (we saw the example of @Urbanecm's account which holds 300+ edits on 24 wikis). Without global revocation, a wiki-by-wiki revocation would need to be carried out. This could mean bringing the decision to the admins on some wikis which may even be rejected. Stewards will not be able to force-revoke access even if it is needed. This poses a risk of LTAs being free to abuse IP address access. An alternate stewards could resort to is to globally block the user, which is a much stricter measure than IP Reveal access and risks alienating users who have a chance at redemption.
We can add an additional checkbox that says "Revealing an IP address" to Partial block radio button checkboxes.
@Dreamy_Jazz I can't see Global Block page so not sure where the checkbox would appear on that page. Happy for you to add it where you feel it makes most sense!
The GlobalBlock page looks like this, with no mention of partial blocks since they're not currently possible globally:
 |  |
We could probably benefit from some help about how to display a partial block option, and whether to split these options into sections like Special:Block, etc.
Thanks for the additional context @Tchanders! My first thought is that yes, we should mirror Special:Block for consistency, so we would introduce block type (Sitewide or Partial).