Page MenuHomePhabricator
Create Task
Maniphest T379503

Disable AbuseFilter protected variables features on wikis where Temporary accounts are not about to be released
Closed, DeclinedPublic
Actions

Description

As part of Temporary accounts project, AbuseFilter now has a concept of protected variables. That concept is necessary while preparing a project for Temporary accounts (reviewing filters that make use of IPs and using the protected variables), as well as when Temporary accounts are enabled. On all other projects, it causes confusion.

For now, let's disable access to AbuseFilter protected variables for all local groups on all projects, except projects where:

  • Temporary accounts are enabled
  • Temporary accounts are about to be enabled

This avoids scenarios such as https://en.wikipedia.org/wiki/Wikipedia:Edit_filter_noticeboard#Protected_filters.

Details

SubjectRepoBranchLines +/-
Revert "Disallow AbuseFilter protected variables use on non-temp-user wikis"operations/mediawiki-configmaster+0 -9
Disallow AbuseFilter protected variables use on non-temp-user wikisoperations/mediawiki-configmaster+9 -0
Customize query in gerrit

Related Objects

Event Timeline

Urbanecm created this task.Nov 10 2024, 8:16 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 10 2024, 8:16 PM
XXBlackburnXx subscribed.Nov 10 2024, 8:20 PM
Urbanecm mentioned this in T377765: Do not allow protecting abuse filters if PII variables are not used.Nov 10 2024, 8:30 PM
Johannnes89 subscribed.Nov 10 2024, 8:32 PM
codenamenoreste subscribed.Nov 10 2024, 9:51 PM
Titore subscribed.Nov 10 2024, 9:53 PM
matej_suchanek added a project: AbuseFilter.Nov 11 2024, 8:53 AM
Tchanders added a project: Trust and Safety Product Sprint (Sprint Accordion October 28 - November 15).Nov 11 2024, 9:45 AM
Tchanders subscribed.Nov 12 2024, 4:09 PM

We can do this via permissions, making sure that abusefilter-access-protected-vars is only assigned on wikis where temporary accounts in enabled/known.

Tchanders claimed this task.Nov 12 2024, 4:10 PM
Tchanders moved this task from Priority Backlog to In Progress on the Trust and Safety Product Sprint (Sprint Accordion October 28 - November 15) board.
gerritbot added a comment.Nov 12 2024, 4:39 PM

Change #1090515 had a related patch set uploaded (by Tchanders; author: Tchanders):

[operations/mediawiki-config@master] Disallow AbuseFilter protected variables use on non-temp-user wikis

https://gerrit.wikimedia.org/r/1090515

gerritbot added a project: Patch-For-Review.Nov 12 2024, 4:39 PM
Tchanders moved this task from In Progress to Needs review on the Trust and Safety Product Sprint (Sprint Accordion October 28 - November 15) board.Nov 12 2024, 7:05 PM
gerritbot added a comment.Nov 13 2024, 2:02 PM

Change #1090515 merged by jenkins-bot:

[operations/mediawiki-config@master] Disallow AbuseFilter protected variables use on non-temp-user wikis

https://gerrit.wikimedia.org/r/1090515

Stashbot added a comment.Nov 13 2024, 2:03 PM

Mentioned in SAL (#wikimedia-operations) [2024-11-13T14:03:25Z] <tchanders@deploy2002> Started scap sync-world: Backport for [[gerrit:1090515|Disallow AbuseFilter protected variables use on non-temp-user wikis (T379503)]]

Stashbot added a comment.Nov 13 2024, 2:06 PM

Mentioned in SAL (#wikimedia-operations) [2024-11-13T14:05:55Z] <tchanders@deploy2002> tchanders: Backport for [[gerrit:1090515|Disallow AbuseFilter protected variables use on non-temp-user wikis (T379503)]] synced to the testservers (https://wikitech.wikimedia.org/wiki/Mwdebug)

Stashbot added a comment.Nov 13 2024, 2:14 PM

Mentioned in SAL (#wikimedia-operations) [2024-11-13T14:14:53Z] <tchanders@deploy2002> Finished scap sync-world: Backport for [[gerrit:1090515|Disallow AbuseFilter protected variables use on non-temp-user wikis (T379503)]] (duration: 11m 28s)

Maintenance_bot removed a project: Patch-For-Review.Nov 13 2024, 2:31 PM
Tchanders moved this task from Inbox to Create/update essential tools/anti-abuse management on the Temporary accounts board.Nov 13 2024, 2:57 PM
Tchanders edited projects, added Temporary accounts (Create/update essential tools/anti-abuse management); removed Temporary accounts.
Tchanders mentioned this in T378523: abusefilter-edit-protected appears in all filters on all wikis.Nov 13 2024, 3:53 PM
Tchanders moved this task from Needs review to Done on the Trust and Safety Product Sprint (Sprint Accordion October 28 - November 15) board.
Ponor subscribed.Nov 13 2024, 8:50 PM

I don't know what's happening here, but it's not good.
We were encouraged to switch to the new ip_in_range(user_unnamed_ip, ...), and some of us did.
That protected our filters for good.
But now we cannot see nor edit the protected filters. They disappeared from our lists. I don't even know if they're working.
On hrwiki, they're the only protection from our IP-jumping LTA.

@Tchanders?

Tchanders added a comment.EditedNov 13 2024, 9:02 PM

We disallowed sysops on wikis without temporary accounts from using protected variables, in order to avoid exposing the "protect this filter" checkbox when it shouldn't be needed.

However it seems it is needed on wikis that have already updated their filters in advance of temporary accounts deployment.

Let's re-allow access to protected variables as soon as possible, and rely on T377765: Do not allow protecting abuse filters if PII variables are not used to avoid filters being needlessly protected.

Thanks for the report @Ponor

gerritbot added a comment.Nov 13 2024, 9:09 PM

Change #1090965 had a related patch set uploaded (by Tchanders; author: Tchanders):

[operations/mediawiki-config@master] Revert "Disallow AbuseFilter protected variables use on non-temp-user wikis"

https://gerrit.wikimedia.org/r/1090965

gerritbot added a project: Patch-For-Review.Nov 13 2024, 9:09 PM
gerritbot added a comment.Nov 13 2024, 9:50 PM

Change #1090965 merged by jenkins-bot:

[operations/mediawiki-config@master] Revert "Disallow AbuseFilter protected variables use on non-temp-user wikis"

https://gerrit.wikimedia.org/r/1090965

Stashbot added a comment.Nov 13 2024, 9:51 PM

Mentioned in SAL (#wikimedia-operations) [2024-11-13T21:51:07Z] <tchanders@deploy2002> Started scap sync-world: Backport for [[gerrit:1090965|Revert "Disallow AbuseFilter protected variables use on non-temp-user wikis" (T379503)]]

Stashbot added a comment.Nov 13 2024, 9:55 PM

Mentioned in SAL (#wikimedia-operations) [2024-11-13T21:55:10Z] <tchanders@deploy2002> tchanders: Backport for [[gerrit:1090965|Revert "Disallow AbuseFilter protected variables use on non-temp-user wikis" (T379503)]] synced to the testservers (https://wikitech.wikimedia.org/wiki/Mwdebug)

Stashbot added a comment.Nov 13 2024, 10:00 PM

Mentioned in SAL (#wikimedia-operations) [2024-11-13T22:00:11Z] <tchanders@deploy2002> Finished scap sync-world: Backport for [[gerrit:1090965|Revert "Disallow AbuseFilter protected variables use on non-temp-user wikis" (T379503)]] (duration: 09m 03s)

Maintenance_bot removed a project: Patch-For-Review.Nov 13 2024, 10:30 PM
Tchanders added a comment.Nov 14 2024, 12:59 PM

@Ponor This should be fixed now.

Ponor added a comment.Nov 14 2024, 1:19 PM

@Tchanders Yes, my filters are back and I was able to edit one. Thanks!

Tchanders closed this task as Declined.Nov 14 2024, 7:52 PM

Declining, as explained in T379503#10319347.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits