Page MenuHomePhabricator
Create Task
Maniphest T380919

Don't funnel all protected variable access logs to CheckUser temporary account access log
Closed, DuplicatePublic
Actions

Description

There is logic in place that currently results in log entries appearing in CheckUser when someone views a private filter with a protected variable. That's because the user_unnamed_ip protected variable is closely tied with temporary accounts access.

But for new protected variables, we don't need to log this type of access in CheckUser. We need to work out a solution for how to handle this.

Related Objects
Search...

Event Timeline

kostajh created this task.Nov 26 2024, 8:40 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 26 2024, 8:40 PM
STran subscribed.Dec 2 2024, 2:46 PM

Given that this is coming up again, we should considering notating the consensus in a decision record. I looked up our original reasoning for doing this and found it in our check-in notes:

It probably makes sense to have a central log if possible for all temporary account IP address access (for the sake of not wanting to split it too much).

We wanted to consolidate ip view logs to checkuser-temporary-account instead of splitting it across that and abusefilter-protected-vars (the default if CheckUser isn't installed). I don't have a strong conclusion since the problem is that the protected variables have two different logging needs (one agnostic and one tied to our legal reqs) and no immediate solution seems like a clear winner although just returning to the expected default feels reasonable to me:

  • log everything to AF: it'd centralize all the AF logs but force investigations to check across the CU and AF logs. This might be ok? I don't think any other extension is expected to expose IPs like AF does so it would, in theory, only ever be split across those two.
  • log only user_unnamed_ip access to CU (eg. viewed ip info about <user> from abusefilter) and the rest to AF: we'd have to hardcode more wmf-specific logging logic into AF, AF logs are now split between the two
  • as above but instead log all general access to AF (eg. viewed protected vars associated with <user>): we double-log but maybe we could log something wmf-specific to CU and keep all the agnostic AF logs in one place. Writing this out, this makes some sense to me as the ip viewing logs have a different intention (legal) than the general logging we usually support.

Additionally, we debounce on the user - does this have to be reconsidered? eg. is it okay to log "viewed protected vars associated with <user>" regardless of what variable was accessed? Asking because we care different amounts for the two variables being discussed (specific ip vs information around an ip).

kostajh moved this task from Priority Backlog to Ready on the Trust and Safety Product Sprint (Sprint Gong (November 18 - December 6)) board.Dec 3 2024, 7:46 AM
Dreamy_Jazz added a comment.Dec 5 2024, 8:44 PM

Do we need to create a log entry for the variables that are being added by MediaWiki-extensions-IPReputation? If not, then could we go with a fourth option of not logging when accessing anything other than user_unnamed_ip?

Dreamy_Jazz added a parent task: T380454: Provide ip_reputation_tunnel_operators AbuseFilter.Dec 5 2024, 8:44 PM
Dreamy_Jazz mentioned this in T381052: Investigate: Should we remove the preference check from AbuseFilter's protected variables implementation?.Dec 5 2024, 8:52 PM
Novem_Linguae subscribed.Dec 5 2024, 9:33 PM
Dreamy_Jazz moved this task from Sprint Gong (November 18 - December 6) to Sprint Chimes (Dec. 9 - Jan. 17) on the Trust and Safety Product Sprint board.Dec 9 2024, 5:35 PM
Dreamy_Jazz edited projects, added Trust and Safety Product Sprint (Sprint Chimes (Dec. 9 - Jan. 17)); removed Trust and Safety Product Sprint (Sprint Gong (November 18 - December 6)).
Dreamy_Jazz moved this task from Priority Backlog to Ready on the Trust and Safety Product Sprint (Sprint Chimes (Dec. 9 - Jan. 17)) board.
Dreamy_Jazz moved this task from Ready to Priority Backlog on the Trust and Safety Product Sprint (Sprint Chimes (Dec. 9 - Jan. 17)) board.
kostajh edited projects, added Trust and Safety Product Sprint (Sprint Tuba (Jan 20 - Feb 7)); removed Trust and Safety Product Sprint (Sprint Chimes (Dec. 9 - Jan. 17)).Jan 17 2025, 12:24 PM
kostajh edited projects, added Trust and Safety Product Sprint (Sprint Hurdy-Gurdy (Feb 10 - Feb 28)); removed Trust and Safety Product Sprint (Sprint Tuba (Jan 20 - Feb 7)).Feb 10 2025, 10:01 AM
STran closed this task as Resolved.Feb 26 2025, 3:49 PM
STran claimed this task.

This will be resolved by a combination of T387328: Refactor CheckUser ProtectedVarsAccessLogger logging out of AbuseFilter and T387329: Investigate: Confirm our logging expectations for AbuseFilter/CheckUser Temporary Accounts logs when using protected variables

I forgot this task existed, sorry! Closing this out as more context is available in the newer tickets.

Restricted Application added a project: Trust and Safety Product Team. · View Herald TranscriptFeb 26 2025, 3:49 PM
STran closed this task as a duplicate of T387329: Investigate: Confirm our logging expectations for AbuseFilter/CheckUser Temporary Accounts logs when using protected variables.Feb 26 2025, 3:49 PM
Dreamy_Jazz moved this task from Priority Backlog to Done on the Trust and Safety Product Sprint (Sprint Hurdy-Gurdy (Feb 10 - Feb 28)) board.Mar 7 2025, 5:18 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits