Page MenuHomePhabricator
Create Task
Maniphest T377765

Add a warning before changing an abuse filter to PII protected
Open, Needs TriagePublicFeature
Actions

Description

Feature summary:
T363906 introduced a new checkbox to abuse filters, to protect PII-sensitive variables. The checkbox is labeled "I understand that details of this filter will be hidden from users who cannot see protected variables. This action is permanent and cannot be undone."

T364485 introduced a warning when trying to save an unprotected filter with PPI-sensitive variables.
I think a similar warning might be useful when changing an existing filter from its current status to protected: Even though the checkbox already says, this action cannot be undone, one might not fully realise what they are doing and accidentally (e.g. while trying to test the new checkbox) change an existing filter which doesn't need to be protected.

I suggests adding a warning asking to confirm the change when clicking "save" and changing an existing filter to protected – at least while the feature is still new, the warning might be useless once everyone has learned about protected filters.

Use cases / benefits:
Prevent admins from accidentally changing existing filters to protected in case the current checkbox helper text isn't taken seriously and the filter doesn't need to be protected.

Related Objects

Event Timeline

Johannnes89 created this task.Mon, Oct 21, 5:22 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMon, Oct 21, 5:22 PM
DerHexer subscribed.Tue, Oct 22, 10:57 AM
Pppery subscribed.Fri, Oct 25, 5:36 AM

I would go further still, and use only the warning and not the checkbox. Since the checkbox seems to show up on every abuse filter edit even ones that have nothing to do with protected variables having it on every save is scary.

Niharika subscribed.Fri, Oct 25, 2:15 PM
Bugreporter subscribed.Sat, Oct 26, 3:47 PM

An alternative solution is do not allow protecting abuse filters unless sensitive variables are used.

Titore subscribed.Tue, Oct 29, 5:28 PM
Bugreporter mentioned this in T378553: Do not allow protecting abuse filters if PII variables are not used.Wed, Oct 30, 12:40 AM
Johannnes89 added a subscriber: STran.Sun, Nov 10, 9:22 AM

@STran fyi, the scenario described above has now happened on a major content wiki: https://en.wikipedia.org/wiki/Wikipedia:Edit_filter_noticeboard#c-Ohnoitsjamie-20241109182800-Codename_Noreste-20241108230800 – there should clearly be a solution to warn/prevent admins from accidentally protecting filters which don't need protection.

Johannnes89 mentioned this in T363906: [Epic] Ensure filters that use PII-sensitive variables are protected.Sun, Nov 10, 9:37 AM
Urbanecm subscribed.Sun, Nov 10, 8:30 PM
In T377765#10261625, @Pppery wrote:

I would go further still, and use only the warning and not the checkbox. Since the checkbox seems to show up on every abuse filter edit even ones that have nothing to do with protected variables having it on every save is scary.

This ^^. There is no reason to protect a filter that is not using a protected variable. Let's make it a two step process rather than allowing filters to be protected preemptively.

In the meantime, I filled T379503: Disable AbuseFilter protected variables features on wikis where Temporary accounts are not about to be released to disable that subfeature on projects where it is needed. That should prevent accidents from happening.

Urbanecm added a comment.Sun, Nov 10, 8:31 PM
In T377765#10261625, @Pppery wrote:

I would go further still, and use only the warning and not the checkbox. Since the checkbox seems to show up on every abuse filter edit even ones that have nothing to do with protected variables having it on every save is scary.

This ^^. There is no reason to protect a filter that is not using a protected variable. Let's make it a two step process rather than allowing filters to be protected preemptively.

Tamzin added subscribers: suffusion_of_yellow, Tamzin.Mon, Nov 11, 8:42 AM

Meantime, would it be possible for a sysadmin to reverse the protection of 1165 on enwiki? @suffusion_of_yellow has a good suggestion of giving stewards the right to undo it if accidental protection continues to be possible, but I agree with Pppery and Urbanecm that it should just not be possible.

kostajh added a project: Trust and Safety Product Sprint (Sprint Accordion October 28 - November 8).Mon, Nov 11, 8:45 AM
Urbanecm added a comment.Mon, Nov 11, 9:47 AM
In T377765#10308466, @Tamzin wrote:

Meantime, would it be possible for a sysadmin to reverse the protection of 1165 on enwiki?

Good question, we'll discuss that and get back to you. In the meantime: I see the filter is now deleted and hidden, and presumably copied to a different filter. Would you mind clarifying why it would be helpful to unprotect 1165?

@suffusion_of_yellow has a good suggestion of giving stewards the right to undo it if accidental protection continues to be possible, but I agree with Pppery and Urbanecm that it should just not be possible.

Thanks for the suggestion. I'm not sure that would be possible, as protection enables collection of certain otherwise-private data. Unprotecting the filter would need those data to be deleted (meaning there still would be a great deal of irreversibility, just a different kind). But, this would definitely be considered while deciding on a decision. Personally, I think it would be much easier to ensure it is not possible to protect filters that do not need the protection.

Bugreporter added a comment.Mon, Nov 11, 10:06 AM

Meantime, would it be possible for a sysadmin to reverse the protection of 1165 on enwiki? @suffusion_of_yellow has a good suggestion of giving stewards the right to undo it if accidental protection continues to be possible, but I agree with Pppery and Urbanecm that it should just not be possible.

Thanks for the suggestion. I'm not sure that would be possible, as protection enables collection of certain otherwise-private data. Unprotecting the filter would need those data to be deleted (meaning there still would be a great deal of irreversibility, just a different kind). But, this would definitely be considered while deciding on a decision.

Further discussion should be at T378551: Create a way to unprotect an abuse filter

Bugreporter added a comment.Mon, Nov 11, 10:09 AM

Unprotecting the filter would need those data to be deleted

If they are just unnamed user IPs, hidden them should be enough and they will be removed after 90 days.

Tchanders claimed this task.Tue, Nov 12, 4:13 PM
Tchanders moved this task from Priority Backlog to In Progress on the Trust and Safety Product Sprint (Sprint Accordion October 28 - November 8) board.
Tchanders added a comment.Tue, Nov 12, 6:53 PM
In T377765#10261625, @Pppery wrote:

I would go further still, and use only the warning and not the checkbox. Since the checkbox seems to show up on every abuse filter edit even ones that have nothing to do with protected variables having it on every save is scary.

In T377765#10264872, @Bugreporter wrote:

An alternative solution is do not allow protecting abuse filters unless sensitive variables are used.

It sounds like we're converging on doing both of these:

  • Remove the "protect" checkbox from the form
  • After clicking save, show a warning with a "confirm" checkbox if the filter contains protected variables
  • Without confirming, it is impossible to save the filter
Pppery added a comment.Tue, Nov 12, 6:54 PM

Yep, seems reasonable.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits