⚓ T356294 Restrict which groups have access to Special:GlobalContributions

Maniphest T356294

Restrict which groups have access to Special:GlobalContributions
Open, HighPublic
Actions

Description

Background

For full details see T337089: [Epic] Implement global contributions feature.

Who can have access to what information:

The following has been approved by Legal and stewards.

All search results excluding ‘No output’ ones will include:

Original input (Registered username/Temporary username/IP/IP range)
Date and timestamp
Wiki project
Wiki page
Link to diff / revision history
Edit summary

Who can access IP Reveal based on the policy:

Globally
- Auto opt-in globally without a preference - checkuser-temporary-account-no-preference
  - Stewards (T357762)
  - Ombuds (T371279)
  - Staff (T367170)
- Can opt in globally through Special:GlobalPreferences - checkuser-temporary-account
  - Global sysops (T371279)
  - Global rollbackers (T371279)
  - Abuse filter maintainers (T371279)
  - Abuse filter helpers (T371279)
  - Checkusers on any project (T375117)
  - Oversighters on any project (T375117)
Locally
- Auto opt-in locally without a preference - checkuser-temporary-account-no-preference
  - Checkusers (T327913)
  - Oversighters (T327913)
- Can opt-in locally through Special:Preferences - checkuser-temporary-account
  - Sysops (T327913)
  - Bureaucrats (T327913)
  - Users who meet the 300 edits + 6 months old account criteria (T369187)

Notes

Who does and does not have IP reveal access is outlined in the policy: https://foundation.wikimedia.org/wiki/Policy:Access_to_temporary_account_IP_addresses
There will only be a central Meta page for GUC lookup. We need to implement redirects from local wiki's special page to the central meta special page: T376612
There will be a centralized log page that tracks usage of this tool.
Users blocked on a given project should not be able to see information for that specific project

Details

Subject	Repo	Branch	Lines +/-
temp accounts: Enable IP reveal rights for local groups on meta	operations/mediawiki-config	master	+0 -18
Add service for performing API requests to external wikis	mediawiki/extensions/CheckUser	master	+472 -0
GlobalContributionsPager: Check IP reveal permissions at external wikis	mediawiki/extensions/CheckUser	master	+142 -3
[WIP] Add temporary group check for Special:GlobalContributions	mediawiki/extensions/CheckUser	master	+18 -0

Customize query in gerrit

Related Objects
Search...

Status	Assigned	Task
		Restricted Task
Resolved	kostajh	T294511 2021 Security Team wikireplicas audit
Declined	None	T284948 Raw IPs of logged-out users disclosed in wiki-replicas
In Progress	Niharika	T324492 Temporary accounts - MVP
Open	Niharika	T337012 Tracking task for community-owned and maintained tools that will be impacted by Temporary Accounts
Open	STran	T337089 [Epic] Implement global contributions feature
Open	Tchanders	T356294 Restrict which groups have access to Special:GlobalContributions
Resolved	STran	T377584 Temporarily restrict local access to Special:GlobalContributions
Duplicate	Tchanders	T379066 Global Contributions: Permission denied message is confusing
Resolved	Tchanders	T378641 Update copy on Special:GlobalContributions
Open	Tchanders	T380518 Allow any user with the global IP reveal preference to access Special:GlobalContributions

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes

Bugreporter mentioned this in T334620: Create group for assigning checkuser-temporary-account right.Feb 3 2024, 1:29 AM

Bugreporter mentioned this in T327913: Assign checkuser-temporary-account right to various groups.

Bugreporter mentioned this in T325451: Implement: Users with right privileges are able to view IP addresses.

Tchanders added a parent task: T325451: Implement: Users with right privileges are able to view IP addresses.Feb 16 2024, 2:09 PM

Tchanders updated the task description. (Show Details)Feb 26 2024, 1:57 PM

Tchanders updated the task description. (Show Details)Feb 26 2024, 2:01 PM

Stalling this pending conversations with Legal.

Tchanders mentioned this in T357762: Grant checkuser-temporary-account-no-preference to the steward group.Feb 26 2024, 2:07 PM

Johannnes89 subscribed.Feb 26 2024, 4:45 PM

@PBradley-WMF @MMoss_WMF Here's a proposal for how this could work technically.

The following rights exit:

checkuser-temporary-account-no-preference: This allows a user to reveal IPs without accepting a preference
checkuser-temporary-account: This allows a user to reveal IPs, but only if they accept a preference
checkuser-temporary-account-log: This allows a user to see who viewed IPs for a temporary account, but without revealing the IP

Proposal:

Stewards, checkusers, staff and ombuds get checkuser-temporary-account-no-preference, meaning that they can reveal IPs on any wiki. These groups also get checkuser-temporary-account-log.
Members of the groups global-sysop, global-rollbacker, abusefilter-helper and abusefilter-maintainer get checkuser-temporary-account on every wiki. Since they may not have signed an NDA, they must accept the agreement via a single global preference. Once they have done this, they can reveal IPs on any wiki. These groups also get checkuser-temporary-account-log.
Local admins (sysops) get checkuser-temporary-account on any wiki where they are an admin. Since they may not have signed an NDA, they must accept the agreement via a single global preference. Once they have done this, they can reveal IPs on any wiki where they are an admin.
All users who meet the requirements to reveal IPs globally, and who also meet the local requirements of some particular wiki, get checkuser-temporary-account on that wiki. Since they may not have signed an NDA, they must accept the agreement via a single global preference. Once they have done this, they can reveal IPs on that wiki.
Once a user has accepted the global preference, if they gain checkuser-temporary-account on a new wiki, they can reveal IPs on that wiki without accepting the preference again, since they have already accepted it.

Confirming that Legal has seen this and is preparing a response. Current status is blocked pending confirmation of what happens when various groups here have the global permission flag set (automatically or by opt in), but local projects have set enhanced local requirements.

In T356294#9586791, @PBradley-WMF wrote:

Confirming that Legal has seen this and is preparing a response. Current status is blocked pending confirmation of what happens when various groups here have the global permission flag set (automatically or by opt in), but local projects have set enhanced local requirements.

Another issue is currently user requires not to be blocked in more than one wiki in order to have IP reveal access - a criterion copied from board election eligibility criteria which is used there since 2011; and there are potentially users not meeting such criterion. This is one of reasons why I suggest to remove this requirement from Access to temporary account IP addresses policy.

Tchanders moved this task from Inbox to Create/update essential tools/anti-abuse management on the Temporary accounts board.Jun 4 2024, 3:16 PM

Tchanders edited projects, added Temporary accounts (Create/update essential tools/anti-abuse management); removed Temporary accounts.

Tchanders edited projects, added Temporary accounts (Blockers to minor pilot wiki deployment); removed Temporary accounts (Create/update essential tools/anti-abuse management).Jul 3 2024, 3:02 PM

Tchanders mentioned this in T369187: Allow users to be autopromoted into checkuser-temporary-account-viewer group based on local criteria.Jul 3 2024, 4:57 PM

@Niharika @Madalina Can we just use the same permissions as Special:IPContributions here? That's also the same permissions as for IP reveal.

Niharika added a project: CheckUser-GlobalContributions.Sep 4 2024, 5:30 PM

Niharika moved this task from Backlog to Pilot wiki (minor phase) blocker on the CheckUser-GlobalContributions board.Sep 4 2024, 5:37 PM

Niharika renamed this task from Define which groups have access to Special:GlobalUserContributions to Define which groups have access to Special:GlobalContributions.Sep 10 2024, 10:12 AM

In T356294#10046251, @Tchanders wrote:

@Niharika @Madalina Can we just use the same permissions as Special:IPContributions here? That's also the same permissions as for IP reveal.

(Dumping relevant thoughts that came to me during todays Legal/TSP office hours)

How would that look in practice though? Whether you have access to Special:IPContributions (and IP Reveal) is a question that has an wiki-dependant answer. One might be allowed to access Special:IPContributions at en.wikipedia, but not have the same access at de.wikipedia (or the other way around). However, CheckUser-GlobalContributions allows you to access data from all wikis.

Would we allow Global Contributions access to anyone who has IP Reveal access on any wiki? This would allow you to see the wiki's data through Global Contributions, but not through Special:IPContributions. Would we only allow Global Contributions access to users who have IP reveal access on all wikis? That would be a significant change from what we have now, and that may or may not be OK. Would we filter down the shown data to only include wikis the user has permission at? This is in-between the previous two options, as well as being a change of how GUC usually works.

Niharika claimed this task.Sep 16 2024, 10:52 AM

Niharika triaged this task as High priority.

Niharika added a project: Trust and Safety Product Sprint (Sprint Beatboxing (Sept 16-27)).

KColeman-WMF mentioned this in T349902: [Design] Create user flows for different GUC scenarios.Sep 23 2024, 2:02 PM

KColeman-WMF mentioned this in T337089: [Epic] Implement global contributions feature.Sep 23 2024, 2:06 PM

Niharika updated the task description. (Show Details)Oct 7 2024, 11:34 AM

Niharika updated the task description. (Show Details)Oct 7 2024, 11:46 AM

kostajh renamed this task from Define which groups have access to Special:GlobalContributions to Restrict which groups have access to Special:GlobalContributions.Oct 8 2024, 10:23 AM

kostajh edited projects, added Trust and Safety Product Sprint (Sprint Cello (Oct 7 - 18)); removed Trust and Safety Product Sprint (Sprint Beatboxing (Sept 16-27)).

Niharika removed Niharika as the assignee of this task.Oct 8 2024, 10:37 AM

STran claimed this task.Oct 9 2024, 8:45 AM

STran moved this task from Priority Backlog to In Progress on the Trust and Safety Product Sprint (Sprint Cello (Oct 7 - 18)) board.Oct 10 2024, 1:47 PM

@STran Does implementation of this need any changes to the permissions of the global groups? If that is needed, it would need to be done by a steward on-wiki. Let me know if any changes like that are needed.

kostajh moved this task from Backlog to In progress on the Temporary accounts (Blockers to minor pilot wiki deployment) board.Oct 15 2024, 8:26 AM

Niharika updated the task description. (Show Details)Oct 16 2024, 4:25 PM

Niharika updated the task description. (Show Details)Oct 16 2024, 7:10 PM

As it stands, anyone with the right to reveal IPs locally can see all the global results. This will need fixing before we deploy beyond the test wikis.

Problem

At the moment, we check if the user has the necessary rights and preferences (code here). This is difficult to do for each wiki; we could do a database lookup for the user's groups and the preferences, but whether a group has a right assigned to it is defined in the wiki's configuration.

Short-term fix

To start with, could we restrict access to users who can reveal IPs everywhere by just checking for membership of the global group global-temporary-account-viewer? (The middle column of the table in the task description.)

As a next step, could we use a DB lookup to check for local group membership and preferences (and number of edits and age of account), as the access policy currently states that the right is assigned predictably on all wikis.

Long term

That's quite inflexible and would mean that access to Special:GlobalContributions wouldn't be affected by changes to the permissions config. A proper, more stable solution would be to figure out cross-wiki permission checks properly.

Change #1081189 had a related patch set uploaded (by STran; author: STran):

[mediawiki/extensions/CheckUser@master] [WIP] Add temporary group check for Special:GlobalContributions

https://gerrit.wikimedia.org/r/1081189

gerritbot added a project: Patch-For-Review.Oct 17 2024, 3:15 PM

JJMC89 updated the task description. (Show Details)Oct 17 2024, 3:31 PM

In T356294#10237431, @Tchanders wrote:

Short-term fix

To start with, could we restrict access to users who can reveal IPs everywhere by just checking for membership of the global group global-temporary-account-viewer? (The middle column of the table in the task description.)

This is only a subset of the middle column of the table. global-temporary-account-viewer only includes CU+OS. All of the others with global access are granted it through their respective global groups.

Also, global-temporary-account-viewer is Wikimedia-specific, and, therefore, should not be in CheckUser.

In T356294#10238436, @JJMC89 wrote:

In T356294#10237431, @Tchanders wrote:

Short-term fix

To start with, could we restrict access to users who can reveal IPs everywhere by just checking for membership of the global group global-temporary-account-viewer? (The middle column of the table in the task description.)

This is only a subset of the middle column of the table. global-temporary-account-viewer only includes CU+OS. All of the others with global access are granted it through their respective global groups.

Also, global-temporary-account-viewer is Wikimedia-specific, and, therefore, should not be in CheckUser.

We could perhaps run a hook during the permission checks, so Wikimedia can check for these global groups instead of the right/preference - at least in the short term - to allow us to fully do the middle column.

STran mentioned this in T377584: Temporarily restrict local access to Special:GlobalContributions.Oct 18 2024, 1:48 PM

STran added a subtask: T377584: Temporarily restrict local access to Special:GlobalContributions.

Change #1081189 abandoned by STran:

[mediawiki/extensions/CheckUser@master] [WIP] Add temporary group check for Special:GlobalContributions

Reason:

Abandoned in favor of I5fd09249507b24f303f85b7e620fcf8ecd49f1e1

https://gerrit.wikimedia.org/r/1081189

Maintenance_bot removed a project: Patch-For-Review.Oct 18 2024, 3:30 PM

STran reassigned this task from STran to Tchanders.Oct 23 2024, 6:41 AM

Tchanders mentioned this in T377831: Ensure Special:GlobalContributions uses the global preference check, not the local preference.Oct 23 2024, 12:27 PM

Change #1082480 had a related patch set uploaded (by Tchanders; author: Tchanders):

[mediawiki/extensions/CheckUser@master] WIP GlobalContributionsPager: Sketch of checking permissions at external wikis

https://gerrit.wikimedia.org/r/1082480

gerritbot added a project: Patch-For-Review.Oct 23 2024, 2:05 PM

Tchanders moved this task from Pilot wiki (minor phase) blocker to Backlog on the CheckUser-GlobalContributions board.Oct 23 2024, 2:08 PM

Tchanders mentioned this in T377960: Show a notice on Special:GlobalContributions if results from external wikis are hidden from a user.Oct 23 2024, 2:30 PM

Titore subscribed.Oct 24 2024, 6:41 PM

Change #1083382 had a related patch set uploaded (by Tchanders; author: Tchanders):

[mediawiki/extensions/CheckUser@master] WIP Add service for performing API requests to external wikis

https://gerrit.wikimedia.org/r/1083382

kostajh edited projects, added Trust and Safety Product Sprint (Sprint Accordion October 28 - November 15); removed Trust and Safety Product Sprint (Sprint Cello (Oct 7 - 18)).Oct 28 2024, 11:04 AM

kostajh moved this task from Priority Backlog to In Progress on the Trust and Safety Product Sprint (Sprint Accordion October 28 - November 15) board.

KColeman-WMF mentioned this in T375465: Link to Special:GlobalContributions page from IP Info.Oct 28 2024, 3:04 PM

Summarising the latest thinking on how to do cross-wiki permission checks, and synthesizing some conversations we've been having elsewhere.

The permissions problems

Primary problem: IP reveal permissions

For users who have IP reveal rights on some wikis but not others, they should only see results for the wikis where they have IP reveal rights. What is the best way to check whether a user has IP reveal rights on an external wiki?

Relevant rights: checkuser-temporary-account-no-preference, checkuser-temporary-account.

Secondary problem: permission to see hidden things

Even if a user has the right to reveal IPs, they may not have permission to see a particular revision (if its author was hidden) or certain things about a revision. What is the best way to check whether a user has some particular right on an external wiki?

Relevant rights: deletedhistory, suppressrevision, viewsuppressed.

Possible solutions

API call

Approach: To get the actual permissions on an external wiki, make an API call for the needed permissions

Pros:

Allows us to know all the permissions listed above
Allows us to show/hide contributions based on author visibility, remove/format links to suppressed revisions exactly the same as the local contribution lines

Cons:

Time taken to make the query increases page load time
We need to handle failed API calls
Maintenance burden of testing and debugging

Direct lookups

Approach:

To work out whether a user has a right, we need to know two things: (1) what groups the user is in, and (2) whether the right is assigned to any of those groups in the wiki's config.
For (1), we can look up a user's group membership on an external wiki via the user_groups table. We can also look up their number of edits and the age of their account (so we can determine membership of any autopromote groups that use these criteria).
For (2), it's less clear how to do this.

Pros:

If we can figure out a good way to do (2), this is probably fine
It wouldn't increase page load time as badly as an API call

Cons:

If we can't figure out (2), then:
- We wouldn't really know the user's rights; we would be guessing them from their groups.
- We couldn't make assumptions about the deletedhistory, suppressrevision, viewsuppressed rights because there are no guarantees about which groups they are assigned to. E.g. there are currently differently-named groups on different wikis that have the deletedhistory right. This means that we would need to assume that users can't see deleted revisions, to avoid leaking information to users without permissions, so we would be over-hiding things from users who should in fact be able to see them. Similarly, deleted revision link formatting wouldn't be accurate.
- Perhaps we could argue that the IP reveal permissions are rigidly encoded in the access policy, so we can assume they won't change and will be the same on every wiki. But if the access policy did ever change, we would need to make a code change to Special:GlobalContributions to account for this change. The access policy would not be able to allow for any differences between wikis (including different thresholds for the autopromote group).

Thanks for writing out this summary. Going the API route makes sense to me, everything considered.

Tchanders mentioned this in T378525: Use cross-wiki permissions checks to determine what a user should see in Special:GlobalContributions.Oct 29 2024, 5:42 PM

Tchanders moved this task from In Progress to Needs review on the Trust and Safety Product Sprint (Sprint Accordion October 28 - November 15) board.Nov 1 2024, 10:27 AM

Testing steps

Setup:

Make an edit as a temporary user in a wiki. Make a note of their IP address.
- If the IP address is unknown, disable temporary accounts, make an edit, and see what IP address the edit is assigned to
Do the same for a temporary account using the same IP address at anther wiki.
Login as a user who has an account at both wikis

Incomplete rights:

Give this user IP reveal rights at one wiki, but not at the other
At the wiki where you have IP reveal rights, visit Special:GlobalContributions
You should see the edit made at this wiki, but not the edit made at the other wiki

Global rights:

Give this user IP reveal rights at both wikis
At one of the wikis, visit Special:GlobalContributions
You should see the edits made from both wikis

Change #1083382 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@master] Add service for performing API requests to external wikis

https://gerrit.wikimedia.org/r/1083382

Change #1082480 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@master] GlobalContributionsPager: Check IP reveal permissions at external wikis

https://gerrit.wikimedia.org/r/1082480

ReleaseTaggerBot added a project: MW-1.44-notes (1.44.0-wmf.2; 2024-11-05).Nov 4 2024, 9:00 PM

Maintenance_bot removed a project: Patch-For-Review.Nov 4 2024, 9:32 PM

kostajh closed subtask T377584: Temporarily restrict local access to Special:GlobalContributions as Resolved.Nov 5 2024, 8:16 AM

Tchanders mentioned this in T379105: Make it clear that cross-wiki permission checking in Special:GlobalContributions is not ideal.Nov 5 2024, 6:51 PM

Tchanders mentioned this in T379106: Remove API call for CentralAuth token from CheckUserApiRequestAggregator.Nov 5 2024, 6:54 PM

Tchanders mentioned this in T379107: Show a warning in Special:GlobalContributions if a permissions lookup at an external wiki fails.Nov 5 2024, 6:56 PM

Change #1087584 had a related patch set uploaded (by Tchanders; author: Tchanders):

[operations/mediawiki-config@master] temp accounts: Enable IP reveal rights for local groups on meta

https://gerrit.wikimedia.org/r/1087584

gerritbot added a project: Patch-For-Review.Nov 5 2024, 9:57 PM

The main patches to fix the functionality were merged.

There is some clean-up work captured in separate tasks:

The only thing left for this task is the config patch above to undo T377584: Temporarily restrict local access to Special:GlobalContributions, so that users who have rights at only some wikis can have access (the left hand column from the table in the task description).

Tchanders moved this task from Needs review to In Progress on the Trust and Safety Product Sprint (Sprint Accordion October 28 - November 15) board.Nov 13 2024, 5:20 PM

Tchanders edited projects, added Trust and Safety Product Sprint (Sprint Gong (November 18 - December 6)); removed Trust and Safety Product Sprint (Sprint Accordion October 28 - November 15).Nov 18 2024, 11:44 AM

Tchanders moved this task from Priority Backlog to In Progress on the Trust and Safety Product Sprint (Sprint Gong (November 18 - December 6)) board.

Tchanders moved this task from In Progress to Ready on the Trust and Safety Product Sprint (Sprint Gong (November 18 - December 6)) board.Nov 20 2024, 4:02 PM

Tchanders added subtasks: T379066: Global Contributions: Permission denied message is confusing, T378641: Update copy on Special:GlobalContributions.Nov 20 2024, 6:15 PM

Tchanders edited projects, added Temporary accounts (Major pilot wiki deployment); removed Temporary accounts (Blockers to minor pilot wiki deployment).Nov 20 2024, 6:36 PM

Tchanders added a subtask: T380518: Allow any user with the global IP reveal preference to access Special:GlobalContributions.Nov 21 2024, 5:51 PM

Tchanders removed a parent task: T325451: Implement: Users with right privileges are able to view IP addresses.Nov 25 2024, 2:39 PM

Tchanders mentioned this in T380903: Display wiki-specific namespaces in external article links on Special:GlobalContributions.Nov 26 2024, 6:27 PM

kostajh closed subtask T378641: Update copy on Special:GlobalContributions as Resolved.Thu, Dec 5, 9:29 AM