Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                
Page MenuHomePhabricator
Create Task
Maniphest T377765

Do not allow protecting abuse filters if PII variables are not used
Closed, ResolvedPublicFeature
Actions

Description

Feature summary:
T363906 introduced a new checkbox to abuse filters, to protect PII-sensitive variables. The checkbox is labeled "I understand that details of this filter will be hidden from users who cannot see protected variables. This action is permanent and cannot be undone."

T364485 introduced a warning when trying to save an unprotected filter with PPI-sensitive variables.
I think a similar warning might be useful when changing an existing filter from its current status to protected: Even though the checkbox already says, this action cannot be undone, one might not fully realise what they are doing and accidentally (e.g. while trying to test the new checkbox) change an existing filter which doesn't need to be protected.

I suggests adding a warning asking to confirm the change when clicking "save" and changing an existing filter to protected โ€“ at least while the feature is still new, the warning might be useless once everyone has learned about protected filters.

Use cases / benefits:
Prevent admins from accidentally changing existing filters to protected in case the current checkbox helper text isn't taken seriously and the filter doesn't need to be protected.

Approach, following discussion on this task:

  • Remove the "protect" checkbox from the form. (This means a filter can't be protected without protected variables.)
  • After clicking save, show a warning with a "protect" checkbox if the filter contains protected variables
  • Without checking this box, it is impossible to save the filter

Details

SubjectRepoBranchLines +/-
Improve workflow for protecting filters with protected variablesmediawiki/extensions/AbuseFiltermaster+161 -27
Customize query in gerrit

Related Objects

Event Timeline

Johannnes89 created this task.Oct 21 2024, 5:22 PM
Restricted Application added a subscriber: Aklapper. ยท View Herald TranscriptOct 21 2024, 5:22 PM
DerHexer subscribed.Oct 22 2024, 10:57 AM
Pppery subscribed.Oct 25 2024, 5:36 AM

I would go further still, and use only the warning and not the checkbox. Since the checkbox seems to show up on every abuse filter edit even ones that have nothing to do with protected variables having it on every save is scary.

Niharika subscribed.Oct 25 2024, 2:15 PM
Bugreporter subscribed.Oct 26 2024, 3:47 PM

An alternative solution is do not allow protecting abuse filters unless sensitive variables are used.

Titore subscribed.Tue, Oct 29, 5:28 PM
Bugreporter mentioned this in T378553: Do not allow protecting abuse filters if PII variables are not used.Wed, Oct 30, 12:40 AM
Johannnes89 added a subscriber: STran.Sun, Nov 10, 9:22 AM

@STran fyi, the scenario described above has now happened on a major content wiki: https://en.wikipedia.org/wiki/Wikipedia:Edit_filter_noticeboard#c-Ohnoitsjamie-20241109182800-Codename_Noreste-20241108230800 โ€“ there should clearly be a solution to warn/prevent admins from accidentally protecting filters which don't need protection.

Johannnes89 mentioned this in T363906: [Epic] Ensure filters that use PII-sensitive variables are protected.Sun, Nov 10, 9:37 AM
Urbanecm subscribed.Sun, Nov 10, 8:30 PM
In T377765#10261625, @Pppery wrote:

I would go further still, and use only the warning and not the checkbox. Since the checkbox seems to show up on every abuse filter edit even ones that have nothing to do with protected variables having it on every save is scary.

This ^^. There is no reason to protect a filter that is not using a protected variable. Let's make it a two step process rather than allowing filters to be protected preemptively.

In the meantime, I filled T379503: Disable AbuseFilter protected variables features on wikis where Temporary accounts are not about to be released to disable that subfeature on projects where it is needed. That should prevent accidents from happening.

Urbanecm added a comment.Sun, Nov 10, 8:31 PM
In T377765#10261625, @Pppery wrote:

I would go further still, and use only the warning and not the checkbox. Since the checkbox seems to show up on every abuse filter edit even ones that have nothing to do with protected variables having it on every save is scary.

This ^^. There is no reason to protect a filter that is not using a protected variable. Let's make it a two step process rather than allowing filters to be protected preemptively.

Tamzin added subscribers: suffusion_of_yellow, Tamzin.Mon, Nov 11, 8:42 AM

Meantime, would it be possible for a sysadmin to reverse the protection of 1165 on enwiki? @suffusion_of_yellow has a good suggestion of giving stewards the right to undo it if accidental protection continues to be possible, but I agree with Pppery and Urbanecm that it should just not be possible.

kostajh added a project: Trust and Safety Product Sprint (Sprint Accordion October 28 - November 15).Mon, Nov 11, 8:45 AM
Urbanecm added a comment.Mon, Nov 11, 9:47 AM
In T377765#10308466, @Tamzin wrote:

Meantime, would it be possible for a sysadmin to reverse the protection of 1165 on enwiki?

Good question, we'll discuss that and get back to you. In the meantime: I see the filter is now deleted and hidden, and presumably copied to a different filter. Would you mind clarifying why it would be helpful to unprotect 1165?

@suffusion_of_yellow has a good suggestion of giving stewards the right to undo it if accidental protection continues to be possible, but I agree with Pppery and Urbanecm that it should just not be possible.

Thanks for the suggestion. I'm not sure that would be possible, as protection enables collection of certain otherwise-private data. Unprotecting the filter would need those data to be deleted (meaning there still would be a great deal of irreversibility, just a different kind). But, this would definitely be considered while deciding on a decision. Personally, I think it would be much easier to ensure it is not possible to protect filters that do not need the protection.

Bugreporter added a comment.Mon, Nov 11, 10:06 AM

Meantime, would it be possible for a sysadmin to reverse the protection of 1165 on enwiki? @suffusion_of_yellow has a good suggestion of giving stewards the right to undo it if accidental protection continues to be possible, but I agree with Pppery and Urbanecm that it should just not be possible.

Thanks for the suggestion. I'm not sure that would be possible, as protection enables collection of certain otherwise-private data. Unprotecting the filter would need those data to be deleted (meaning there still would be a great deal of irreversibility, just a different kind). But, this would definitely be considered while deciding on a decision.

Further discussion should be at T378551: Create a way to unprotect an abuse filter

Bugreporter added a comment.Mon, Nov 11, 10:09 AM

Unprotecting the filter would need those data to be deleted

If they are just unnamed user IPs, hidden them should be enough and they will be removed after 90 days.

Tchanders claimed this task.Tue, Nov 12, 4:13 PM
Tchanders moved this task from Priority Backlog to In Progress on the Trust and Safety Product Sprint (Sprint Accordion October 28 - November 15) board.
Tchanders added a comment.Tue, Nov 12, 6:53 PM
In T377765#10261625, @Pppery wrote:

I would go further still, and use only the warning and not the checkbox. Since the checkbox seems to show up on every abuse filter edit even ones that have nothing to do with protected variables having it on every save is scary.

In T377765#10264872, @Bugreporter wrote:

An alternative solution is do not allow protecting abuse filters unless sensitive variables are used.

It sounds like we're converging on doing both of these:

  • Remove the "protect" checkbox from the form
  • After clicking save, show a warning with a "confirm" checkbox if the filter contains protected variables
  • Without confirming, it is impossible to save the filter
Pppery added a comment.Tue, Nov 12, 6:54 PM

Yep, seems reasonable.

gerritbot added a comment.Wed, Nov 13, 12:14 PM

Change #1090837 had a related patch set uploaded (by Tchanders; author: Tchanders):

[mediawiki/extensions/AbuseFilter@master] Improve workflow for protecting filters with protected variables

https://gerrit.wikimedia.org/r/1090837

gerritbot added a project: Patch-For-Review.Wed, Nov 13, 12:14 PM
Tchanders renamed this task from Add a warning before changing an abuse filter to PII protected to Do not allow protecting abuse filters if PII variables are not used.Wed, Nov 13, 12:22 PM
Tchanders updated the task description. (Show Details)
Tchanders merged a task: T378553: Do not allow protecting abuse filters if PII variables are not used.
Tchanders added subscribers: Tchanders, Novem_Linguae.
Tchanders added a comment.Wed, Nov 13, 12:25 PM

I've updated the task description and title to reflect that we'll disallow protecting filters that don't have protected variables.

Tchanders mentioned this in T378523: abusefilter-edit-protected appears in all filters on all wikis.Wed, Nov 13, 3:53 PM
Tchanders mentioned this in T379503: Disable AbuseFilter protected variables features on wikis where Temporary accounts are not about to be released.Wed, Nov 13, 9:02 PM
gerritbot added a comment.Fri, Nov 15, 3:08 PM

Change #1090837 merged by jenkins-bot:

[mediawiki/extensions/AbuseFilter@master] Improve workflow for protecting filters with protected variables

https://gerrit.wikimedia.org/r/1090837

Tchanders moved this task from In Progress to Needs review on the Trust and Safety Product Sprint (Sprint Accordion October 28 - November 15) board.Fri, Nov 15, 3:30 PM
Maintenance_bot removed a project: Patch-For-Review.Fri, Nov 15, 3:30 PM
Tchanders moved this task from Needs review to Needs QA on the Trust and Safety Product Sprint (Sprint Accordion October 28 - November 15) board.Fri, Nov 15, 3:30 PM
ReleaseTaggerBot added a project: MW-1.44-notes (1.44.0-wmf.4; 2024-11-19).Fri, Nov 15, 4:00 PM
Tchanders merged a task: T378523: abusefilter-edit-protected appears in all filters on all wikis.Mon, Nov 18, 10:29 AM
Tchanders added a subscriber: Ponor.
kostajh mentioned this in T369610: Give the `abusefilter-access-protected-vars` right to global maintainers.Mon, Nov 18, 11:16 AM
Tchanders edited projects, added Trust and Safety Product Sprint (Sprint Gong (November 18 - December 6)); removed Trust and Safety Product Sprint (Sprint Accordion October 28 - November 15).Mon, Nov 18, 11:42 AM
Tchanders moved this task from Priority Backlog to Needs QA on the Trust and Safety Product Sprint (Sprint Gong (November 18 - December 6)) board.
dom_walden moved this task from Needs QA to Done on the Trust and Safety Product Sprint (Sprint Gong (November 18 - December 6)) board.Tue, Nov 19, 7:31 AM
dom_walden subscribed.
  • Remove the "protect" checkbox from the form. (This means a filter can't be protected without protected variables.)
  • After clicking save, show a warning with a "protect" checkbox if the filter contains protected variables
  • Without checking this box, it is impossible to save the filter

I can confirm.

After submitting a filter with the user_unnamed_ip variable I see the below message and checkbox.

protected_message.png (104ร—1 px, 16 KB)

protected_checkbox.png (80ร—715 px, 12 KB)

Test environment: https://de.wikipedia.beta.wmflabs.org Abuse Filter โ€“ (6bc32ac) 08:17, 19 November 2024.

Tchanders closed this task as Resolved.Tue, Nov 19, 12:15 PM
Tchanders mentioned this in T380290: Remove protected flag from accidentally protected filters.Tue, Nov 19, 4:04 PM
In T377765#10308466, @Tamzin wrote:

Meantime, would it be possible for a sysadmin to reverse the protection of 1165 on enwiki?

We'll do this in T380290: Remove protected flag from accidentally protected filters, once the maintenance script is available to enwiki, which should be later this week.

Tchanders added a comment.Mon, Nov 25, 11:13 AM
In T377765#10336547, @Tchanders wrote:
In T377765#10308466, @Tamzin wrote:

Meantime, would it be possible for a sysadmin to reverse the protection of 1165 on enwiki?

We'll do this in T380290: Remove protected flag from accidentally protected filters, once the maintenance script is available to enwiki, which should be later this week.

Do we actually need to do this still? It looks like the filter is abandoned since it was accidentally protected: T380290#10352299

Tchanders added a comment.Mon, Nov 25, 11:56 AM
In T377765#10352312, @Tchanders wrote:
In T377765#10336547, @Tchanders wrote:
In T377765#10308466, @Tamzin wrote:

Meantime, would it be possible for a sysadmin to reverse the protection of 1165 on enwiki?

We'll do this in T380290: Remove protected flag from accidentally protected filters, once the maintenance script is available to enwiki, which should be later this week.

Do we actually need to do this still? It looks like the filter is abandoned since it was accidentally protected: T380290#10352299

It was pointed out to me that we should still remove the "protected" flag from the filter, because of access to the logs. It's been done now: T380290#10352472

gerritbot added a comment.Mon, Nov 25, 1:23 PM

Change #1097377 had a related patch set uploaded (by Tchanders; author: Tchanders):

[mediawiki/extensions/AbuseFilter@master] maintenance/SearchFilters: Allow searching by privacy level

https://gerrit.wikimedia.org/r/1097377

gerritbot added a project: Patch-For-Review.Mon, Nov 25, 1:23 PM
Tchanders added a comment.Mon, Nov 25, 1:27 PM
In T377765#10352895, @gerritbot wrote:

Change #1097377 had a related patch set uploaded (by Tchanders; author: Tchanders):

[mediawiki/extensions/AbuseFilter@master] maintenance/SearchFilters: Allow searching by privacy level

https://gerrit.wikimedia.org/r/1097377

Wrong task

Xaosflux subscribed.Mon, Nov 25, 10:42 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. ยท Wikimedia Foundation ยท Privacy Policy ยท Code of Conduct ยท Terms of Use ยท Disclaimer ยท CC-BY-SA ยท GPL ยท Credits