Page MenuHomePhabricator
Create Task
Maniphest T387329

Investigate: Confirm our logging expectations for AbuseFilter/CheckUser Temporary Accounts logs when using protected variables
Closed, ResolvedPublic
Actions

Description

T385687: Investigate: How should the AbuseFilter variable `user_unnamed_ip` be restricted proposes that extensions should be allowed to declare their own restrictions on protected variables. This is to support the centralization of IP access within the CheckUser extension. However, no user-facing interface exposes this information. Please investigate whether or not this is important to expose. From T385687#10579417:

One thing that occurred to me - should we log that access was affected? A protected variable being viewed w/o these CU constraints means something different than if CU isn't enabled and that wouldn't be clear just by looking at AF logs. Additionally, if we're going to redirect as we're doing now, it's also not clear from AF logs that some of the logs also exist in CU's logs instead. This is an existing problem but I guess now's the time to re-surface it. I don't think this investigation is blocked on this question, as it can be answered as part of the logging refactoring task.

Additionally, as of T387328: Refactor CheckUser ProtectedVarsAccessLogger logging out of AbuseFilter, all protected vars logs should still be funneled to CheckUser (as only one protected variable exists, user_unnamed_ip and CU wants to centralize IP logs). However, when IPReputation variables are introduced, those logs should continue to remain in AbuseFilter as they are not considered sensitive the way IPs are. Please investigate how we expect logging to behave when we want different outcomes per variable.

Current thoughts (please update as necessary):

  • If we don't record what variable is being viewed (afaik this is not a legal requirement), are we ok with duplicate logs? If so we could maintain a full list in AF and a subset in CU with CU managing what logs it wants to keep
  • If we do record what variables are being viewed...we still might want to maintain duplicate logs if it's okay as there would be no other way to get a full list of who viewed protected variables otherwise

Per comment, this is split off from other tasks supporting T380920: Remove the AbuseFilter protected variables preference gate as the status quo seems acceptable for now and this is not currently considered blocking for temporary accounts. However, it may be blocking for IPReputation variables.

Related Objects
Search...

Event Timeline

STran created this task.Feb 26 2025, 1:03 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 26 2025, 1:03 PM
STran mentioned this in T385687: Investigate: How should the AbuseFilter variable `user_unnamed_ip` be restricted.Feb 26 2025, 1:31 PM
STran added a parent task: T354599: [EPIC] WE4.2.14b Provide IP reputation variables in AbuseFilter.Feb 26 2025, 3:38 PM
STran added a project: Trust and Safety Product Sprint (Sprint Lemon Meringue (March 3 - 21)).Feb 26 2025, 3:40 PM
STran updated the task description. (Show Details)Feb 26 2025, 3:47 PM
STran mentioned this in T380919: Don't funnel all protected variable access logs to CheckUser temporary account access log.
STran merged a task: T380919: Don't funnel all protected variable access logs to CheckUser temporary account access log.Feb 26 2025, 3:49 PM
STran added subscribers: kostajh, Novem_Linguae, Dreamy_Jazz.
Dreamy_Jazz moved this task from Inbox to Engineering on the Trust and Safety Product Team board.Feb 28 2025, 5:52 PM
Dreamy_Jazz edited projects, added Trust and Safety Product Team (Engineering); removed Trust and Safety Product Team.
kostajh moved this task from Engineering to Engineering on the Trust and Safety Product Team board.Mar 10 2025, 12:44 PM
kostajh edited projects, added Trust and Safety Product Team; removed Trust and Safety Product Team (Engineering).
kostajh added a comment.Mar 11 2025, 10:14 AM

Based on Samuel's note here we should log when a user views an AbuseFilter log with a protected variable containing IP reputation data.

kostajh added subscribers: EMagallanes, sguebo_WMF.Mar 11 2025, 10:17 AM
In T387329#10622773, @kostajh wrote:

Based on Samuel's note here we should log when a user views an AbuseFilter log with a protected variable containing IP reputation data.

I've asked @sguebo_WMF and @EMagallanes for clarification on this, though, in this comment

Dreamy_Jazz added a comment.Mar 11 2025, 4:19 PM
In T387329#10622777, @kostajh wrote:
In T387329#10622773, @kostajh wrote:

Based on Samuel's note here we should log when a user views an AbuseFilter log with a protected variable containing IP reputation data.

I've asked @sguebo_WMF and @EMagallanes for clarification on this, though, in this comment

Sguebo_WMF has recommended we continue to log when a user sees IP reputation protected variables.

STran renamed this task from Investigate: Should AbuseFilter logs also log modifications to protected vars access requirements? to Investigate: Confirm our logging expectations for AbuseFilter/CheckUser Temporary Accounts logs when using protected variables.Mar 20 2025, 10:46 AM
STran added a comment.Mar 20 2025, 3:47 PM

Talked to @kostajh to confirm and it sounds like it's up to us as long as we log somewhere per Legal and the following behavior will work:

  • We should centralize the IP view logs as we're doing now. With the expansion of protected variables, we'll need to only route the ones that use user_unnamed_ip to the temp account logs
  • If not too difficult, we should update the log to mention what protected variable is being viewed so that it's explicit that the logs being routed to the temp account logs are due to the user_unnamed_ip variable

cc @Dreamy_Jazz

STran claimed this task.Mar 20 2025, 3:47 PM
STran moved this task from Priority Backlog to Needs Review on the Trust and Safety Product Sprint (Sprint Lemon Meringue (March 3 - 21)) board.
Dreamy_Jazz added a comment.Mar 20 2025, 3:52 PM
In T387329#10657580, @STran wrote:

Talked to @kostajh to confirm and it sounds like it's up to us as long as we log somewhere per Legal and the following behavior will work:

  • We should centralize the IP view logs as we're doing now. With the expansion of protected variables, we'll need to only route the ones that use user_unnamed_ip to the temp account logs
  • If not too difficult, we should update the log to mention what protected variable is being viewed so that it's explicit that the logs being routed to the temp account logs are due to the user_unnamed_ip variable

cc @Dreamy_Jazz

I would agree with implementing this behaviour.

STran mentioned this in T389613: Only divert `user_unnamed_ip` protected variable views to CheckUser logs.Mar 21 2025, 12:09 PM
STran mentioned this in T389614: Update protected variable view log copy to reflect what protected variable(s) are being viewed.Mar 21 2025, 12:12 PM

I've created T389613: Only divert `user_unnamed_ip` protected variable views to CheckUser logs and T389614: Update protected variable view log copy to reflect what protected variable(s) are being viewed. I put T389613 in our current sprint as I would consider it a blocker to adding new variables as we would divert too many logs and left T389614 since this was less critical although I think it would be nice to do before so that we don't have to maintain a legacy log line (as we aren't passing in any variable parameters atm).

STran moved this task from Needs Review to Done on the Trust and Safety Product Sprint (Sprint Lemon Meringue (March 3 - 21)) board.Mar 21 2025, 12:13 PM
Dreamy_Jazz added a project: WE4.2 Anti-abuse.Mar 21 2025, 5:32 PM
Dreamy_Jazz moved this task from Backlog to 2024-2025 Q3 on the WE4.2 Anti-abuse board.
kostajh closed this task as Resolved.Mar 25 2025, 10:36 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits