
Ability to edit polls should be unbundled from securepoll-view-voter-pii / electionadmin
Closed, ResolvedPublicFeature

Description

Why

It seems to me that there are 2 kinds of SecurePoll tasks for election administrators:

  • Technical folks that will need to create and edit polls, who may not necessarily be a functionary/checkuser/NDA, and who you may not want looking at voter data, but still need to create and edit polls.
  • Scrutineers who will be a functionary/checkuser/NDA/very trusted user, who are trusted to view checkuser-like data on each voter.

Following the setup instructions at https://www.mediawiki.org/wiki/Extension:SecurePoll#Installation, the current system blends technical folks (admins) and scrutineers (electionadmins), by only allowing the scrutineer type folks (electionadmins) to edit polls.

With T301180: Allow local wikis to set up elections starting to be implemented, it may make sense to clean up this division of roles, so that someone technical like me can set up and edit polls, and the scrutineers, who have a completely different role, can be completely separate.

What

  • Create a new permission called securepoll-edit-poll, whose holders can do only one thing: edit polls to which they've been added during the poll creation process.

Possible follow-up work

  • On the add and edit poll pages, split the "Admins" oo-ui-tagMultiselectWidget into two oo-ui-tagMultiselectWidgets: "Poll editors" and "Scrutineers". Change the permissions check for each appropriately. I'd recommend that "poll editors" must have the securepoll-edit-poll permission, and the scrutineers must have the securepoll-view-voter-pii permission. Only the "Poll editor" field would require at least one person at all times. Scrutineers could be left blank / added later by the user. Having the same person added to both fields should be allowed, assuming they have both appropriate permissions.


  • Update instructions at https://www.mediawiki.org/wiki/Extension:SecurePoll#Installation to suggest adding $wgGroupPermissions['electionadmin']['securepoll-edit-poll'] = true;. So then any administrator can be added to the list of "Poll editors". They don't need to view PII, so this should be fine.
  • On the appropriate wikis (votewiki, etc.), add a user group called scrutineer, that only has access to securepoll-view-voter-pii. Then change electionadmin to only have access to securepoll-create-poll and securepoll-edit-poll. Then clean up which users are in which groups. Some users may need to be added to both groups.

Event Timeline

SecurePoll is peculiar among MediaWiki extensions in that some actions actually check if the user is in the electionadmin group, as opposed to checking for rights. This definitely seems like something to avoid.

Change #1083337 had a related patch set uploaded (by SD0001; author: SD0001):

[mediawiki/extensions/SecurePoll@master] Don't show PII to users without securepoll-view-voter-pii right

https://gerrit.wikimedia.org/r/1083337

Change #1083338 had a related patch set uploaded (by SD0001; author: SD0001):

[mediawiki/extensions/SecurePoll@master] Use user rights in checks instead of user group

https://gerrit.wikimedia.org/r/1083338

Change #1083434 had a related patch set uploaded (by SD0001; author: SD0001):

[operations/mediawiki-config@master] votewiki: add securepoll-administrate-poll right to electionadmin group

https://gerrit.wikimedia.org/r/1083434

Change #1083337 merged by jenkins-bot:

[mediawiki/extensions/SecurePoll@master] Don't show PII to users without securepoll-view-voter-pii right

https://gerrit.wikimedia.org/r/1083337

SD0001 triaged this task as High priority.

Change #1083338 merged by jenkins-bot:

[mediawiki/extensions/SecurePoll@master] Use user rights in checks instead of user group

https://gerrit.wikimedia.org/r/1083338

Note that if you use this config:

$wgGroupPermissions['electionadmin']['securepoll-edit-poll'] = false;
$wgGroupPermissions['electionadmin']['securepoll-view-voter-pii'] = true;

it's basically the same as using this config:

$wgGroupPermissions['electionadmin']['securepoll-edit-poll'] = false;
$wgGroupPermissions['electionadmin']['securepoll-view-voter-pii'] = false;

Even if you use the database to hack the view-voter-pii person in as an election admin for an election, all the PII is still hidden from them.

This isn't a bug right now because it's impossible to get added to a poll unless you have securepoll-edit-poll. But it could become a bug later as we continue to separate these two roles.

Note that this task is now partially complete. It should be possible to create a user group just for editing an election, and an additional user group for both editing an election and scrutineering an election.

$wgGroupPermissions['electionadmin']['securepoll-create-poll'] = true;
$wgGroupPermissions['electionadmin']['securepoll-edit-poll'] = true;
$wgGroupPermissions['electionadmin']['securepoll-view-voter-pii'] = false;

$wgGroupPermissions['scrutineer']['securepoll-create-poll'] = true;
$wgGroupPermissions['scrutineer']['securepoll-edit-poll'] = true;
$wgGroupPermissions['scrutineer']['securepoll-view-voter-pii'] = true;

If work is continued on this task, then it would probably be to make it so that it's possible to scrutineer an election without editing an election. Which may or may not be worth the effort.
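The two points made in this thread (check rights rather than group membership, and PII visibility being gated on the edit-poll right first) as an added illustration in plain MediaWiki PHP; this is not SecurePoll's own code. The helper names isElectionAdminByGroup, isPollEditor and canViewVoterPii and the $pollAdminUserIds list are assumptions; the right names and the PermissionManager/UserGroupManager calls are real MediaWiki ones.

```php
<?php
// Added illustration, not SecurePoll's own code. Helper names and the
// $pollAdminUserIds parameter are hypothetical; the rights and services are real.
use MediaWiki\MediaWikiServices;
use MediaWiki\User\UserIdentity;

/**
 * Anti-pattern the patch removes: gating on group membership.
 * A user in some other group that was granted the right is wrongly denied,
 * and renaming or splitting the group in config silently breaks the check.
 */
function isElectionAdminByGroup( UserIdentity $user ): bool {
    $groups = MediaWikiServices::getInstance()
        ->getUserGroupManager()
        ->getUserEffectiveGroups( $user );
    return in_array( 'electionadmin', $groups, true );
}

/**
 * Preferred: check the right, which $wgGroupPermissions resolves per group.
 * Being listed on the poll is necessary but not sufficient; the right is required too.
 */
function isPollEditor( UserIdentity $user, array $pollAdminUserIds ): bool {
    $pm = MediaWikiServices::getInstance()->getPermissionManager();
    return in_array( $user->getId(), $pollAdminUserIds, true )
        && $pm->userHasRight( $user, 'securepoll-edit-poll' );
}

/**
 * PII is shown only to a poll editor who additionally holds view-voter-pii.
 * This is why edit-poll=false + view-voter-pii=true behaves like granting neither:
 * the first conjunct is already false.
 */
function canViewVoterPii( UserIdentity $user, array $pollAdminUserIds ): bool {
    $pm = MediaWikiServices::getInstance()->getPermissionManager();
    return isPollEditor( $user, $pollAdminUserIds )
        && $pm->userHasRight( $user, 'securepoll-view-voter-pii' );
}
```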

SD0001 removed SD0001 as the assignee of this task. (Edited Dec 2 2024, 3:08 AM)
SD0001 raised the priority of this task from High to Needs Triage.

view-voter-pii requires the edit-poll right as a prerequisite, yes, but I think that's okay as the former is far more contentious than the latter. The important part is that it's possible to assign edit-poll without view-voter-pii. If someone wants to separate the two more fully, go for it, but I personally would consider this task fully resolved.

On the add and edit poll pages, split the "Admins" oo-ui-tagMultiselectWidget into two oo-ui-tagMultiselectWidgets: "Poll editors" and "Scrutineers".

This is another nice-to-have but it also works without it as we can list all the poll editors and scrutineers together. Whether or not they can scrutineer depends on their user rights.

On the appropriate wikis (votewiki, etc.), add a user group called scrutineer, that only has access to securepoll-edit-poll. Then change electionadmin to only have access to securepoll-create-poll and securepoll-edit-poll.

I think you also want to give view-voter-pii to scrutineer, but regardless, the focus of this task was the separation of powers for local uses of SecurePoll, in enwiki for example. Any votewiki config changes can be handled separately (which I don't see much point in, btw). The only other relevant wiki is testwiki where electionadmin already doesn't include view-voter-pii.

I think you also want to give view-voter-pii to scrutineer

I meant to type that but got mixed up. Ticket updated. Thanks for spotting it.

Change #1083434 merged by jenkins-bot:

[operations/mediawiki-config@master] votewiki, testwiki: add securepoll-edit-poll to electionadmin

https://gerrit.wikimedia.org/r/1083434

Mentioned in SAL (#wikimedia-operations) [2024-12-02T21:08:10Z] <urbanecm@deploy2002> Started scap sync-world: Backport for [[gerrit:1099362|Enable VisualEditor by default on Indonesian Wikiquote (T381214)]], [[gerrit:1083434|votewiki, testwiki: add securepoll-edit-poll to electionadmin (T377531)]], [[gerrit:1099750|cawiki: stop Flow being the default for some talk namespaces (T381295)]]

Mentioned in SAL (#wikimedia-operations) [2024-12-02T21:12:38Z] <urbanecm@deploy2002> kemayo, urbanecm, nmw03, sd: Backport for [[gerrit:1099362|Enable VisualEditor by default on Indonesian Wikiquote (T381214)]], [[gerrit:1083434|votewiki, testwiki: add securepoll-edit-poll to electionadmin (T377531)]], [[gerrit:1099750|cawiki: stop Flow being the default for some talk namespaces (T381295)]] synced to the testservers (https://wikitech.wikimedia.org/wiki/Mwdebug)

Pppery reopened this task as Open.

Mentioned in SAL (#wikimedia-operations) [2024-12-02T21:21:50Z] <urbanecm@deploy2002> Finished scap sync-world: Backport for [[gerrit:1099362|Enable VisualEditor by default on Indonesian Wikiquote (T381214)]], [[gerrit:1083434|votewiki, testwiki: add securepoll-edit-poll to electionadmin (T377531)]], [[gerrit:1099750|cawiki: stop Flow being the default for some talk namespaces (T381295)]] (duration: 13m 40s)

Closing this since the main issue at hand has been resolved. I've filed T384290 as a followup, any potential group changes could also be discussed there.

https://gerrit.wikimedia.org/r/1083337 should be backported to 1.43 LTS at the very least. It is no different to T290808 (CVE-2021-46148), even if it does not affect WMF.