Page MenuHomePhabricator
Create Task
Maniphest T387333

CheckUser should impose IP viewing restrictions on AbuseFilter's `unnamed_user_ip` protected variable
Closed, ResolvedPublic
Actions

Description

Splitting this off from T387331: Provide a mechanism for other extensions to modify protected variables access requirements in order to clearly track the work.

In a temporary accounts paradigm, CheckUser is the primary authority on IP viewing access. As such, it should also impose this on AbuseFilter where AF exposes IPs (the protected variable, user_unnamed_ip).

(copying reference notes directly from originating task)

From T385687: Investigate: How should the AbuseFilter variable `user_unnamed_ip` be restricted:

Given that we already have a modifiable config, AbuseFilterProtectedVariables that can have variables added to it, I think it wouldn't be unreasonable to also modify it to be able to declare additional restrictions like rights and preferences. eg. [ "user_unnamed_ip" => [ 'rights' => [ 'checkuser-temporary-account' ], 'preferences' => [] ] ] and then respect them anywhere else we use permission checks like canViewProtectedVariableValues.

One thought is that instead of defining additional restrictions through rights and preferences keys, we could define some kind of way to provide a validator class or callback. This would then inform AbuseFilter if the user has access to see the variable.

The reason I suggest this is because the validator callback could be CheckUserPermissionManager::canAccessTemporaryAccountIPAddresses which would then deduplicate the logic for the CheckUser additional restrictions. Furthermore, in https://gerrit.wikimedia.org/r/c/mediawiki/extensions/AbuseFilter/+/1100552 I was defining two callbacks because AbuseFilterPermissionManager has a method for seeing the variable and then another one for seeing the values of the variables. These are defined slightly differently, and I think we could want to do similar for CheckUser

Final mechanism is up to the implementer. The callback seems more in line with work already existing. My only concern is discoverability - it would be nice if this was more exposed as opposed to having to know CU is now involved in the process (assuming AF itself never really knows or cares who is hooking into the mechanism - only that it's being returned a truthy value).

Acceptance Criteria:

  • CU uses this method to protected user_unnamed_ip such that users can only see the value of user_unnamed_ip or filters which contain that variable if they have IP reveal access

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Don't pass optional $timestamp parameter in AbuseFilterHandlerTestmediawiki/extensions/CheckUsermaster+2 -2
Define additional restrictions for AbuseFilter user_unnamed_ip varmediawiki/extensions/CheckUsermaster+220 -6
Customize query in gerrit

Related Objects
Search...

Event Timeline

STran created this task.Feb 26 2025, 1:28 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 26 2025, 1:28 PM
STran mentioned this in T385687: Investigate: How should the AbuseFilter variable `user_unnamed_ip` be restricted.Feb 26 2025, 1:31 PM
STran added a parent task: T354599: [EPIC] WE4.2.14b Provide IP reputation variables in AbuseFilter.Feb 26 2025, 3:38 PM
STran added a project: Trust and Safety Product Sprint (Sprint Lemon Meringue (March 3 - 21)).Feb 26 2025, 3:40 PM
Dreamy_Jazz moved this task from Inbox to Engineering on the Trust and Safety Product Team board.Feb 28 2025, 5:52 PM
Dreamy_Jazz edited projects, added Trust and Safety Product Team (Engineering); removed Trust and Safety Product Team.
Dreamy_Jazz added a subtask: T387331: Provide a mechanism for other extensions to modify protected variables access requirements.Mar 5 2025, 5:56 PM
kostajh moved this task from Engineering to Engineering on the Trust and Safety Product Team board.Mar 10 2025, 12:44 PM
kostajh edited projects, added Trust and Safety Product Team; removed Trust and Safety Product Team (Engineering).
kostajh moved this task from Priority Backlog to Ready on the Trust and Safety Product Sprint (Sprint Lemon Meringue (March 3 - 21)) board.Mar 10 2025, 1:17 PM
Dreamy_Jazz claimed this task.Mar 14 2025, 8:57 PM
Dreamy_Jazz moved this task from Ready to In Progress on the Trust and Safety Product Sprint (Sprint Lemon Meringue (March 3 - 21)) board.
gerritbot added a comment.Mar 14 2025, 9:38 PM

Change #1127984 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/CheckUser@master] [Very WIP] Define additional restrictions for AbuseFilter user_unnamed_ip var

https://gerrit.wikimedia.org/r/1127984

gerritbot added a project: Patch-For-Review.Mar 14 2025, 9:38 PM
Dreamy_Jazz moved this task from In Progress to Needs Review on the Trust and Safety Product Sprint (Sprint Lemon Meringue (March 3 - 21)) board.Mar 21 2025, 5:04 PM
Dreamy_Jazz updated the task description. (Show Details)
Dreamy_Jazz added a parent task: T380920: Remove the AbuseFilter protected variables preference gate.Mar 24 2025, 1:29 PM
Tchanders edited projects, added Trust and Safety Product Sprint (Sprint Chocolate Cake (March 24 - April 11)); removed Trust and Safety Product Sprint (Sprint Lemon Meringue (March 3 - 21)).Mar 24 2025, 2:21 PM
Tchanders moved this task from Priority Backlog to Needs Review on the Trust and Safety Product Sprint (Sprint Chocolate Cake (March 24 - April 11)) board.
gerritbot added a comment.Mar 24 2025, 6:16 PM

Change #1130688 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/CheckUser@master] Don't pass optional $timestamp parameter in AbuseFilterHandlerTest

https://gerrit.wikimedia.org/r/1130688

Dreamy_Jazz mentioned this in T380920: Remove the AbuseFilter protected variables preference gate.Mar 25 2025, 5:29 PM
Johannnes89 subscribed.Mar 25 2025, 6:26 PM
Dreamy_Jazz mentioned this in T387331: Provide a mechanism for other extensions to modify protected variables access requirements.Mar 26 2025, 4:34 PM
gerritbot added a comment.Apr 1 2025, 12:23 PM

Change #1127984 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@master] Define additional restrictions for AbuseFilter user_unnamed_ip var

https://gerrit.wikimedia.org/r/1127984

Dreamy_Jazz moved this task from Needs Review to Needs QA on the Trust and Safety Product Sprint (Sprint Chocolate Cake (March 24 - April 11)) board.Apr 1 2025, 12:24 PM
Dreamy_Jazz moved this task from Needs QA to Done on the Trust and Safety Product Sprint (Sprint Chocolate Cake (March 24 - April 11)) board.

I would suggest that QA will be done as part of QA of T387331#10694753.

gerritbot added a comment.Apr 1 2025, 12:28 PM

Change #1130688 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@master] Don't pass optional $timestamp parameter in AbuseFilterHandlerTest

https://gerrit.wikimedia.org/r/1130688

Maintenance_bot removed a project: Patch-For-Review.Apr 1 2025, 12:29 PM
ReleaseTaggerBot added a project: MW-1.44-notes (1.44.0-wmf.24; 2025-04-08).Apr 1 2025, 1:00 PM
Dreamy_Jazz added a parent task: T381722: Add abusefilter-access-protected-vars to frwiki EFM and remove it for sysops.Apr 2 2025, 1:45 PM
Dreamy_Jazz closed this task as Resolved.Apr 3 2025, 2:21 PM
Dreamy_Jazz closed subtask T387331: Provide a mechanism for other extensions to modify protected variables access requirements as Resolved.Apr 17 2025, 12:48 PM
Dreamy_Jazz mentioned this in T325451: [Epic] Users with right privileges are able to view IP addresses.May 7 2025, 4:09 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits