Noting that we were thinking that an API should exist to make it easier for community built tools to also know this information.

We may want to achieve that by just adding it to the existing CheckUser-UserInfoCard API or make a new one so it's easier to use.

On the User Info Card, I think we could display this information in one of two places:

1. As part of the list with icons (this will help it stand out more, but do we want it to?)

2. Under groups, near the bottom (since it's a user right/preference)

I prefer the second option. If a user isn't an admin or functionary, they will belong to the temporary account IP viewer group. It should be less confusing to display the group and the info, that the user opted-in, right next to each other. The first design separates those pieces of information.

I imagine a warning if a user did not opt-in to be helpful as well (although there are groups like checkusers, oversighters and stewards which don't need do opt-in). Once people read something like "temporary account IP viewer" they might just assume the user opted-in, so showing the following information would be useful:
Groups: Temporary account IP viewer
No opt-in to view temporary account IPs

In T395661#10871660, @Johannnes89 wrote:

I prefer the second option. If a user isn't an admin or functionary, they will belong to the temporary account IP viewer group. It should be less confusing to display the group and the info, that the user opted-in, right next to each other. The first design separates those pieces of information.

I imagine a warning if a user did not opt-in to be helpful as well (although there are groups like checkusers, oversighters and stewards which don't need do opt-in). Once people read something like "temporary account IP viewer" they might just assume the user opted-in, so showing the following information would be useful:
Groups: Temporary account IP viewer
No opt-in to view temporary account IPs

Thanks for your thoughts on this! The latest iteration includes text to explain when a user has not opted in:

In T395661#10887326, @KColeman-WMF wrote:

Thanks for your thoughts on this! The latest iteration includes text to explain when a user has not opted in:

Thanks, looks good to me :)

In T395661#10871369, @KColeman-WMF wrote:

On the User Info Card, I think we could display this information in one of two places:

1. As part of the list with icons (this will help it stand out more, but do we want it to?)

I like this version better, as it is more concise. I think we would only display this line if the user is in a relevant group that has temporary account IP reveal access and has checked the box in preferences, if applicable. Otherwise we don't show the line. I would also propose that we do not show the "temporary account viewer" group in the list of groups, to avoid confusion with having the group, but not having enabled the checkbox in preferences.

In T395661#10899141, @kostajh wrote:

In T395661#10871369, @KColeman-WMF wrote:

On the User Info Card, I think we could display this information in one of two places:

1. As part of the list with icons (this will help it stand out more, but do we want it to?)

I like this version better, as it is more concise. I think we would only display this line if the user is in a relevant group that has temporary account IP reveal access and has checked the box in preferences, if applicable. Otherwise we don't show the line. I would also propose that we do not show the "temporary account viewer" group in the list of groups, to avoid confusion with having the group, but not having enabled the checkbox in preferences.

If we go with this approach, the icon would need to change so it's not the same icon as displayed on the temp user info card:

What are your thoughts on displaying a warning if a user did not opt-in, as suggested previously? I am wondering what scenario this would be in aid of.

There is also a nice symmetry with having the temporary accounts line in the same position, across both types of user cards.

Change #1155736 had a related patch set uploaded (by Kosta Harlan; author: Kosta Harlan):

[mediawiki/extensions/CheckUser@master] UserInfoCard: Add canUserAccessTemporaryAccountIPAddresses to output

https://gerrit.wikimedia.org/r/1155736

With limited exceptions (e.g., grammatical gender), user preferences are non-public information. Disclosing them publicly is a Vuln-Infoleak.

In T395661#10905818, @JJMC89 wrote:

With limited exceptions (e.g., grammatical gender), user preferences are non-public information. Disclosing them publicly is a Vuln-Infoleak.

Opt-in status would be added as an exception to the Access to nonpublic personal data policy, similar to the existing exception for Bureaucrats to view 2FA status of other users. Disclosure of opt-in status would not be public, but be to other users who have access to temp account IPs, so that they can comply with the access policy.

In T395661#10910750, @MMoss_WMF wrote:

In T395661#10905818, @JJMC89 wrote:

With limited exceptions (e.g., grammatical gender), user preferences are non-public information. Disclosing them publicly is a Vuln-Infoleak.

Opt-in status would be added as an exception to the Access to nonpublic personal data policy, similar to the existing exception for Bureaucrats to view 2FA status of other users. Disclosure of opt-in status would not be public, but be to other users who have access to temp account IPs, so that they can comply with the access policy.

It is being disclosed to members of the public - users other than the account owner. Those users are also free to disclose the information to anyone (the public) as the majority of them are not bound by the ANPDP.

I think the simplest solution would be to annotate the preference with a statement of who has access to the fact that they have (not) enabled the preference similar to how the prefs-help-gender message includes This information will be public.. Maybe something as simple as Other users can view the status of this preference.

In T395661#10911030, @JJMC89 wrote:

I think the simplest solution would be to annotate the preference with a statement of who has access to the fact that they have (not) enabled the preference similar to how the prefs-help-gender message includes This information will be public..

Updating the preference text sounds fine to me, although, I think we should still technically enforce that only users who have access to reveal temporary account IPs can use the API to obtain this information about another account.

No objections to keeping it restricted

+1 to updating the preference text being the simplest solution and also still restricting who can use the API

+1 as well - good solution.

Change #1156699 had a related patch set uploaded (by Kosta Harlan; author: Kosta Harlan):

[mediawiki/extensions/WikimediaMessages@master] Update checkuser-tempaccount-enable-preference-description message

https://gerrit.wikimedia.org/r/1156699

In T395661#10911994, @gerritbot wrote:

Change #1156699 had a related patch set uploaded (by Kosta Harlan; author: Kosta Harlan):

[mediawiki/extensions/WikimediaMessages@master] Update checkuser-tempaccount-enable-preference-description message

https://gerrit.wikimedia.org/r/1156699

Proposed wording:

Before enabling this setting, you must read and agree to the \"[https://foundation.wikimedia.org/wiki/Special:MyLanguage/Policy:Access_to_temporary_account_IP_addresses Access to Temporary Account IP Addresses Policy]\". In particular:<ul><li>You must meet the eligibility criteria described in the Policy;</li><li>You must not access, use or disclose information about temporary account IP addresses except if it is reasonably necessary for the '''investigation of or enforcement against vandalism, abuse, spam, harassment, disruptive behavior, and other violations of Wikimedia Foundation or community policies'''. If you do share the information with others, you must be sensitive about where and how you do that, and you should remove the information when it is no longer reasonably necessary for others to see it.</li></ul>If you have read and agree to the Policy, you may enable the preference by checking the checkbox. Other users can view the status of this preference.

The new part is Other users can view the status of this preference. at the end. @Niharika looks OK?

@kostajh should this instead be Other users with access to temporary account IPs can view the status of this preference to make it clearer that users who don't have access will not be able to determine who does?

In T395661#10912607, @Niharika wrote:

@kostajh should this instead be Other users with access to temporary account IPs can view the status of this preference to make it clearer that users who don't have access will not be able to determine who does?

Sounds good, I've updated the patch.

Change #1156699 merged by jenkins-bot:

[mediawiki/extensions/WikimediaMessages@master] Update checkuser-tempaccount-enable-preference-description message

https://gerrit.wikimedia.org/r/1156699

In T395661#10901383, @KColeman-WMF wrote:

If we go with this approach, the icon would need to change so it's not the same icon as displayed on the temp user info card:

Maybe it's OK to reuse the same icon, given that they are seen in two different contexts. I don't have a strong opinion either way.

@Niharika @KColeman-WMF are we going with "Can view temporary account IPs", "Opted in to view temporary account IPs", or something else? Once we finalize the icon + text label, @Mimurawil can implement the frontend component to display this.

Change #1155736 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@master] UserInfoCard: Add canUserAccessTemporaryAccountIPAddresses to output

https://gerrit.wikimedia.org/r/1155736

In T395661#10913824, @kostajh wrote:

Maybe it's OK to reuse the same icon, given that they are seen in two different contexts. I don't have a strong opinion either way.

The icon of a user with a pin is also used for IP Auto reveal. If the same users who can automatically reveal temp account IPs can also manually reveal IPs, then I would use this icon for consistency. It will help avoid any visual confusion for functionaries when clicking between the different users.

@Niharika @KColeman-WMF are we going with "Can view temporary account IPs", "Opted in to view temporary account IPs", or something else? Once we finalize the icon + text label, @Mimurawil can implement the frontend component to display this.

My view is that Opted in to view temporary account IPs is clearer than Can view temporary account IPs because it makes it explicit that the user has had to select a preference in order to view IPs.

In T395661#10918394, @KColeman-WMF wrote:

In T395661#10913824, @kostajh wrote:

Maybe it's OK to reuse the same icon, given that they are seen in two different contexts. I don't have a strong opinion either way.

The icon of a user with a pin is also used for IP Auto reveal. If the same users who can automatically reveal temp account IPs can also manually reveal IPs, then I would use this icon for consistency. It will help avoid any visual confusion for functionaries when clicking between the different users.

@Niharika @KColeman-WMF are we going with "Can view temporary account IPs", "Opted in to view temporary account IPs", or something else? Once we finalize the icon + text label, @Mimurawil can implement the frontend component to display this.

My view is that Opted in to view temporary account IPs is clearer than Can view temporary account IPs because it makes it explicit that the user has had to select a preference in order to view IPs.

+1 for Opted in to view temporary account IPs. @KColeman-WMF when you've decided, can you please update the task description with the icon and finalized text, then we can implement this?

@kostajh The task has been updated so this is ready for implementation now.

Some users, to view temporary account IP, opt-in/opt-out in their preferences.
But other users don't use their preferences for automatic global access (Stewards, Ombuds, U4C, and Staff) or for automatic local access (CheckUsers and Oversighters). And the policy says: "members of a user group with automatic access who do not wish to have these access privileges should contact ca@wikimedia.org. Stewards are authorized to terminate access"

So, I think UserInfoCard should indicate, for these other users:
*if they had their access privileges removed: Can no longer view temporary account IPs
*otherwise: Can view temporary account IPs

Change #1164690 had a related patch set uploaded (by Kosta Harlan; author: Kosta Harlan):

[mediawiki/extensions/CheckUser@master] UserInfoCard: Show if a user has access to view temporary account IPs

https://gerrit.wikimedia.org/r/1164690

Do not display "temporary account viewer" in the list of groups when Opted in to view temporary account IPs is shown, as it is redundant information

@KColeman-WMF I am not sure if we should do this -- I think it would be confusing to not show that group. So, I would propose that we leave it in for now. (That's less work for the implementation of this task as well.)

In T395661#10949654, @NicoScribe wrote:

So, I think UserInfoCard should indicate, for these other users:
*if they had their access privileges removed: Can no longer view temporary account IPs

I agree this would be useful, but let's do that in a different task, please.

In T395661#10956785, @kostajh wrote:

Do not display "temporary account viewer" in the list of groups when Opted in to view temporary account IPs is shown, as it is redundant information

@KColeman-WMF I am not sure if we should do this -- I think it would be confusing to not show that group. So, I would propose that we leave it in for now. (That's less work for the implementation of this task as well.)

That sounds fine to me, as does the suggestion to display a message to users if they've had their temp account viewer access removed.

In T395661#10956786, @kostajh wrote:

I agree this would be useful, but let's do that in a different task, please.

OK, thank you! I have created T398142.

Change #1164690 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@master] UserInfoCard: Show if a user has access to view temporary account IPs

https://gerrit.wikimedia.org/r/1164690

Change #1165405 had a related patch set uploaded (by Kosta Harlan; author: Kosta Harlan):

[mediawiki/extensions/CheckUser@master] UserInfoCard: Fix opt-in to temporary account label display

https://gerrit.wikimedia.org/r/1165405

Change #1165470 had a related patch set uploaded (by Kosta Harlan; author: Kosta Harlan):

[mediawiki/extensions/CheckUser@wmf/1.45.0-wmf.8] UserInfoCard: Fix opt-in to temporary account label display

https://gerrit.wikimedia.org/r/1165470

Change #1165470 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@wmf/1.45.0-wmf.8] UserInfoCard: Fix opt-in to temporary account label display

https://gerrit.wikimedia.org/r/1165470

Mentioned in SAL (#wikimedia-operations) [2025-07-01T09:01:59Z] <kharlan@deploy1003> Started scap sync-world: Backport for [[gerrit:1165470|UserInfoCard: Fix opt-in to temporary account label display (T395661)]], [[gerrit:1165265|UserInfoCard can unintentionally render information for more than one user]]

Mentioned in SAL (#wikimedia-operations) [2025-07-01T09:04:04Z] <kharlan@deploy1003> kharlan: Backport for [[gerrit:1165470|UserInfoCard: Fix opt-in to temporary account label display (T395661)]], [[gerrit:1165265|UserInfoCard can unintentionally render information for more than one user]] synced to the testservers (see https://wikitech.wikimedia.org/wiki/Mwdebug). Changes can now be verified there.

Change #1165405 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@master] UserInfoCard: Fix opt-in to temporary account label display

https://gerrit.wikimedia.org/r/1165405

Mentioned in SAL (#wikimedia-operations) [2025-07-01T09:11:14Z] <kharlan@deploy1003> Finished scap sync-world: Backport for [[gerrit:1165470|UserInfoCard: Fix opt-in to temporary account label display (T395661)]], [[gerrit:1165265|UserInfoCard can unintentionally render information for more than one user]] (duration: 09m 15s)

The new code has been implemented and is working as expected per the Acceptance Criteria, also the Temporary account IP reveal preference message has been updated with the new verbiage Other users with access to temporary account IPs can view the status of this preference .