Page MenuHomePhabricator
Create Task
Maniphest T396217

Document that groups with IP reveal rights must not be changed without making changes to the cache for Special:GlobalContributions
Closed, ResolvedPublic1.5 Estimated Story Points
Actions

Assigned To
Tchanders
Authored By
STran
Jun 6 2025, 1:15 PM
Tags
Referenced Files
Restricted File
Sep 2 2025, 3:28 PM
F65948862: image.png
Sep 2 2025, 3:25 PM
F65948860: image.png
Sep 2 2025, 3:25 PM
Subscribers
Aklapper
Dreamy_Jazz
hector.arroyo
jijiki
kostajh
Ladsgroup
MMoss_WMF
View All 13 Subscribers

Description

Summary

Special:GlobalContributions permissions checks assume that the groups with IP reveal rights never change. This is currently the case according to the IP reveal access policy.

Explanation of the issue

If the IP reveal rights are assigned to different groups, then the Special:GlobalContributions permissions check may become inaccurate for users in those groups, for up to 1 month. This means:

  • If IP reveal rights were added to a group, then users in that group may not be able to reveal IPs via Special:GlobalContributions if they have an existing cache entry (meaning if they have checked Special:GlobalContributions within the last month). Eventually this will fix itself.
  • If IP reveal rights are removed from a group, then users in that group may still be able to reveal IPs via Special:GlobalContributions if they have an existing cache entry (meaning if they have checked Special:GlobalContributions within the last month). Eventually this will fix itself.

This is also the case for other permissions, e.g. seeing deleted edits.

This only affects changing which rights are assigned to groups. Special:GlobalContributions will show the correct data to a user straight away if they are added to or removed from a group with IP reveal rights.

Recommendations if changing group rights

As summarized in T396217#11065904, we advise that it is probably OK for some cache entries to be out of date for a while given the types of changes we expect to happen. We don't think it is likely that sensitive rights will be removed from groups, thus enabling users to see data that they shouldn't. We expect that assigning these rights to additional groups will be very infrequent.

However, this task should be read through and a judgement should be made about this, if ever the group rights assignments do change.

Technical notes

For more details, including possible solutions to invalidate the cache when the group rights assignment changes, see T396217#11065904.

Special:GlobalContributions caches its external permissions lookups because they're expensive but necessary. This cached value relies on being invalidated if the user ever gains or losses permissions in order to ensure that if the permission can affect their lookup permissions, Special:GC will accurately reflect that. The only way to programmatically declare this invalidation is on user group change (local and global). However, rights can be added/removed to groups via config and if a relevant right is added/removed this way, the cache invalidation has no way of seeing this.

The only protection against this drift is policy and institutional knowledge not to do the thing. If policy changes or a config changes, we need to decide and document:

  1. what to do preemptively (eg. in case of policy change and we have time to prepare)
  2. what to do reactively (eg. in case of a config change we need to respond to)
Acceptance Criteria

From T396217#11065904:

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Document that IP reveal permissions can't just be reassignedoperations/mediawiki-configmaster+6 -3
Test check key building in CheckUserGlobalContributionsLookupmediawiki/extensions/CheckUsermaster+23 -2
CheckUserGlobalContributionsLookup: Improve caching strategymediawiki/extensions/CheckUsermaster+113 -252
Customize query in gerrit

Related Objects

Event Timeline

STran created this task.Jun 6 2025, 1:15 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 6 2025, 1:15 PM
STran added a project: CheckUser-GlobalContributions.Jun 6 2025, 1:16 PM
STran moved this task from Backlog to Ready on the CheckUser-GlobalContributions board.
gerritbot added a comment.Jun 6 2025, 3:04 PM

Change #1154308 had a related patch set uploaded (by Tchanders; author: Tchanders):

[operations/mediawiki-config@master] Document that IP reveal permissions can't just be reassigned

https://gerrit.wikimedia.org/r/1154308

gerritbot added a project: Patch-For-Review.Jun 6 2025, 3:04 PM
Tchanders subscribed.Jun 6 2025, 3:08 PM

For local groups, the patch above points to this task from where the IP reveal rights are assigned in the config repo.

For global groups we could invalidate the affected cache entries automatically when permissions assignments are changed by running a new hook from SpecialGlobalGroupPermissions::invalidateRightsCache.

Tchanders added subscribers: Niharika, sgrabarczuk, MMoss_WMF and 4 others.Jun 6 2025, 3:09 PM
Tchanders renamed this task from Document response steps to potential permissions drift for Special:GlobalContributions access to Document that groups with IP reveal rights must not be changed without making changes to the cache for Special:GlobalContributions.Jun 6 2025, 3:14 PM
Tchanders updated the task description. (Show Details)
Tchanders added a project: Temporary accounts (Create/update essential tools/anti-abuse management).
mszabo added a comment.Jun 6 2025, 3:41 PM

For now, we could define a cache version in code and manually update it if mediawiki-config changes.

If we want to avoid that, we could go the RL way and integrate a simple maintenance script with the deployment process that would touch a check key either unconditionally, or if the permissions configuration changes (if that can be determined).

Niharika edited projects, added Temporary accounts; removed Temporary accounts (Create/update essential tools/anti-abuse management).Jul 22 2025, 11:02 AM
Niharika moved this task from Inbox to Q2 FY25-26 candidates on the Temporary accounts board.
Tchanders set the point value for this task to 1.5.Aug 1 2025, 9:01 AM
OKryva-WMF triaged this task as High priority.Aug 1 2025, 1:39 PM
OKryva-WMF added a project: Trust and Safety Product Sprint (Sprint Rum baba (July 28 - August 15)).
OKryva-WMF moved this task from Priority Backlog to Ready on the Trust and Safety Product Sprint (Sprint Rum baba (July 28 - August 15)) board.
Tchanders claimed this task.Aug 5 2025, 5:32 PM
Tchanders moved this task from Ready to In Progress on the CheckUser-GlobalContributions board.
Dreamy_Jazz moved this task from Inbox to Engineering on the Trust and Safety Product Team board.Aug 6 2025, 9:46 AM
Tchanders moved this task from Ready to In Progress on the Trust and Safety Product Sprint (Sprint Rum baba (July 28 - August 15)) board.Aug 6 2025, 11:26 AM
Tchanders added a subscriber: OKryva-WMF.EditedAug 6 2025, 4:11 PM

Here's my take on what to do next, having discussed with @STran, @Dreamy_Jazz , @mszabo and @OKryva-WMF (thanks!).

Summary
  • The permissions cache for GlobalContributions may become inaccurate, if the permissions are assigned to different groups.
  • We will make a change to how we cache, to make sure this only happens occasionally and for a limited duration.
  • We will document clearly on this task what to do if assigning the IP reveal permission to different groups: our advice is to do nothing, but also to read this task and reassess, in case something has changed between now and then.
The problem

The permissions cache is not invalidated when the rights that are looked up are assigned to different groups, only when the user's groups change.

There is no way to automatically invalidate the cache when local groups' rights change. (There's nothing to hook into, since these are only defined in config, which is updated by changing the config files.)

Therefore the cache entries may become inaccurate.

Exacerbating factors

The way we build the cache entry means the data can be older than the TTL (time to live - 1 month) would suggest.

What happens:

  • The first time a user visits Special:GlobalContributions, we look up their permissions on the relevant wikis and cache the results under a key made from the user's name, with a TTL of 1 month
  • If the user visits Special:GlobalContributions again within the next month, if we need to look up permissions at new wikis, we add these results to the user's existing cache object and set a new TTL of 1 month from now

Effect:

  • The older results can then last more than 1 month. (Arbitrarily long, e.g. if new wikis keep getting added to the cache entry every few weeks.) That exacerbates the problem of not invalidating when the group rights change, because an inaccurate cache entry can last arbitrarily long.
Mitigating factors

(The rights that are checked are checkuser-temporary-account, checkuser-temporary-account-no-preference, deletedtext, deletedhistory, suppressrevision and viewsuppressed.)

  • deletedtext, deletedhistory, suppressrevision and viewsuppressed are changed only very infrequently (once or twice a year [1]), so the cache entries would not often be wrong.
  • If the cache says a user can't see something when they should be able to, they can still see it locally via Special:Contributions.
  • The cache would only say a user can see something when they shouldn't be able to, if one of these rights is removed from a group. That hasn't happened in the last 5+ years [1]. This would only affect users in these trusted groups.
  • checkuser-temporary-account and checkuser-temporary-account-no-preference cannot be assigned to different groups without a policy change. We can improve documentation that cache entries could become inaccurate if these are changed.
What should we do?

Actions to take

  • Update the way we cache so that the data can't get arbitrarily old:
    • Segment on the user/wiki combination rather than just the user
    • Make a new cache entry for each user/wiki, rather than updating an existing entry
  • Update the config documentation patch from T396217#10891325 to advise reading through this task before changing the rights assignment for the IP reveal rights.
  • Update the description of this task to make it clear that, if the IP reveal rights assignments change, we advise doing nothing by default, but we advise reading through this task and deciding whether doing nothing is still the best course of action.

With the above actions and the mitigating factors, the cache inaccuracies could only affect a small number of trusted users for a limited time. If we're comfortable with this, we don't need to take further action.

Other solutions we discussed but didn't go with

Noting these here for reference.

Technical approaches:

  • Invalidate all cache entries whenever wmf-config changes. <- Not feasible since it changes multiple times a day
  • Store local group permissions in a database that is updated by a maintenance script each time permissions config change. Have this script invalidate the cache entries when needed. <- A lot of work for not much gain: storage space, two-sources-of-truth risk, running the script that almost always does nothing. (However, if other projects need this, it might be worth considering, since we do store global group rights in the DB. But that's beyond the scope of this task.)
  • Reduce the TTL, so the cache is wrong for less long. <- Too many cache misses is frustrating to users, since this can block the page from loading properly (we had bug reports about this before we implemented the cache). 1 month seems to be working (good stats, no bug reports).
  • Only look up the non-public-visibility rights for the wikis that return non-publicly visible results <- This is worth exploring if ever we decide the cache needs to be perfectly accurate. We'd need to consider how/whether to fix pagination if we need to remove hidden revisions after querying the wikis for all revisions.

Product approaches:

  • Only include contributions that are visible to everyone, so that the rights don't need to be looked up. Show which wikis the usr is active on, so this can be followed up locally on Special:Contributions. The non-public revisions can be seen there. <- Having to swap tools degrades the user experience, so it would be nice to avoid this if we can.
  • Don't show the non-public revisions by default, but add a checkbox for adding them. The IP reveal right is cached as before, and the other rights are looked up only when needed, and only for the wikis that have results on this page. <- This is probably the strongest product-based solution, but does cause some inconvenience to users and may be unnecessary if we don't mind the cache being occasionally wrong for a limited time and a small number of users.

[1] According to git log -G "deletedtext|deletedhistory|suppressrevision|viewsuppressed" --oneline --pretty=format:'%C(auto)%h%d (%cr) %s' on the mediawiki-config repo (thanks @STran for sharing this)

gerritbot added a comment.Aug 7 2025, 4:29 PM

Change #1176511 had a related patch set uploaded (by Tchanders; author: Tchanders):

[mediawiki/extensions/CheckUser@master] CheckUserGlobalContributionsLookup: Improve caching strategy

https://gerrit.wikimedia.org/r/1176511

Tchanders moved this task from In Progress to Needs Review on the Trust and Safety Product Sprint (Sprint Rum baba (July 28 - August 15)) board.Aug 7 2025, 5:27 PM
Niharika moved this task from Q2 FY25-26 candidates to Global wiki rollout on the Temporary accounts board.Aug 12 2025, 12:09 PM
Niharika edited projects, added Temporary accounts (Global wiki rollout); removed Temporary accounts.
Tchanders moved this task from Needs Review to In Progress on the Trust and Safety Product Sprint (Sprint Rum baba (July 28 - August 15)) board.Aug 12 2025, 4:11 PM
OKryva-WMF added a project: OKR-Work.Aug 14 2025, 9:55 AM
Tchanders moved this task from In Progress to Needs Review on the Trust and Safety Product Sprint (Sprint Rum baba (July 28 - August 15)) board.Aug 14 2025, 11:46 AM
gerritbot added a comment.Aug 15 2025, 4:03 PM

Change #1176511 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@master] CheckUserGlobalContributionsLookup: Improve caching strategy

https://gerrit.wikimedia.org/r/1176511

ReleaseTaggerBot added a project: MW-1.45-notes (1.45.0-wmf.15; 2025-08-19).Aug 15 2025, 5:00 PM
Tchanders moved this task from Needs Review to Needs QA on the Trust and Safety Product Sprint (Sprint Rum baba (July 28 - August 15)) board.Aug 18 2025, 10:16 AM
Tchanders updated the task description. (Show Details)Aug 18 2025, 11:08 AM
OKryva-WMF edited projects, added Trust and Safety Product Sprint (Sprint Princess Tarta (August 18 - September 5)); removed Trust and Safety Product Sprint (Sprint Rum baba (July 28 - August 15)).Aug 19 2025, 10:18 AM
OKryva-WMF moved this task from Priority Backlog to Needs QA on the Trust and Safety Product Sprint (Sprint Princess Tarta (August 18 - September 5)) board.Aug 19 2025, 10:28 AM
gerritbot added a comment.Aug 19 2025, 1:58 PM

Change #1179697 had a related patch set uploaded (by Tchanders; author: Tchanders):

[mediawiki/extensions/CheckUser@master] Test check key building in CheckUserGlobalContributionsLookup

https://gerrit.wikimedia.org/r/1179697

gerritbot added a comment.Aug 19 2025, 2:49 PM

Change #1179697 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@master] Test check key building in CheckUserGlobalContributionsLookup

https://gerrit.wikimedia.org/r/1179697

ReleaseTaggerBot edited projects, added MW-1.45-notes (1.45.0-wmf.16; 2025-08-26); removed MW-1.45-notes (1.45.0-wmf.15; 2025-08-19).Aug 19 2025, 3:00 PM
Dreamy_Jazz moved this task from To triage to In progress on the Temporary accounts (Global wiki rollout) board.Aug 20 2025, 10:17 AM
gerritbot added a comment.Sep 2 2025, 1:04 PM

Change #1154308 merged by jenkins-bot:

[operations/mediawiki-config@master] Document that IP reveal permissions can't just be reassigned

https://gerrit.wikimedia.org/r/1154308

Stashbot mentioned this in T402181: Deploy Temporary accounts to all remaining small-sized projects.Sep 2 2025, 1:05 PM

Mentioned in SAL (#wikimedia-operations) [2025-09-02T13:04:58Z] <stran@deploy1003> Started scap sync-world: Backport for [[gerrit:1154308|Document that IP reveal permissions can't just be reassigned (T396217)]], [[gerrit:1180532|Enable temporary accounts on remaining small-sized projects (T402181)]]

Stashbot added a comment.Sep 2 2025, 1:11 PM

Mentioned in SAL (#wikimedia-operations) [2025-09-02T13:11:47Z] <stran@deploy1003> tchanders, stran: Backport for [[gerrit:1154308|Document that IP reveal permissions can't just be reassigned (T396217)]], [[gerrit:1180532|Enable temporary accounts on remaining small-sized projects (T402181)]] synced to the testservers (see https://wikitech.wikimedia.org/wiki/Mwdebug). Changes can now be verified there.

Maintenance_bot removed a project: Patch-For-Review.Sep 2 2025, 1:31 PM
STran moved this task from Needs QA to Done on the Trust and Safety Product Sprint (Sprint Princess Tarta (August 18 - September 5)) board.Sep 2 2025, 2:15 PM
jijiki raised the priority of this task from High to Unbreak Now!.EditedSep 2 2025, 3:25 PM
jijiki subscribed.

<comment removed as it belongs to T402181>

jijiki added a subscriber: Ladsgroup.Sep 2 2025, 3:31 PM
Dreamy_Jazz added a comment.Sep 2 2025, 3:34 PM

The patch for this ticket that was merged then was just a change in PHP comments. I'm not sure how it could have caused that?

kostajh added a comment.Sep 2 2025, 3:37 PM
In T396217#11139946, @Dreamy_Jazz wrote:

The patch for this ticket that was merged then was just a change in PHP comments. I'm not sure how it could have caused that?

It got deployed at the same time as https://gerrit.wikimedia.org/r/c/operations/mediawiki-config/+/1180532 (enabling temp accounts on small wikis), so I think there was a mixup on which task was associated with the change.

Ladsgroup added a comment.Sep 2 2025, 3:38 PM

It can be because of the temp accounts being enabled? (deployed at the same time: https://gerrit.wikimedia.org/r/c/operations/mediawiki-config/+/1180532) I need to go to a meeting very soon but this needs investigation.

jijiki added a comment.Sep 2 2025, 3:39 PM

Sorry for the mixup, I will reopen T402181 and remove my comment!

jijiki changed the task status from Open to In Progress.Sep 2 2025, 3:42 PM
jijiki lowered the priority of this task from Unbreak Now! to High.
OKryva-WMF closed this task as Resolved.Oct 10 2025, 10:59 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits