Cross-wiki patrollers may not be able to meet the 300-edits threshold that is currently set as a minimum requirement for everyone who has access to the IP reveal feature (see T325451). To allow cross-wiki patrollers to continue their work effectively, stewards should be able to grant them an exception.
Note that currently several global groups do get this access including global sysops and global rollbackers.
This request was raised on meta.
| Status | Subtype | Assigned | Task | ||
|---|---|---|---|---|---|
| Restricted Task | |||||
| Resolved | kostajh | T294511 2021 Security Team wikireplicas audit | |||
| Declined | None | T284948 Raw IPs of logged-out users disclosed in wiki-replicas | |||
| Resolved | Niharika | T324492 Temporary accounts - MVP | |||
| In Progress | Niharika | T325451 [Epic] Users with right privileges are able to view IP addresses | |||
| Resolved | Tchanders | T389808 Allow stewards to assign IP Reveal to cross-wiki patrollers who do not meet the thresholds defined for technical enforcement |
See the third point of T376315#10655196. Currently https://foundation.wikimedia.org/wiki/Policy:Access_to_temporary_account_IP_addresses does not allow doing so, so the policy should be revised first.
You are right. This is something we are working with the Legal team on. The policy needs to be updated to reflect the changes to granting IP reveal as well.
Needs to be done after or in conjunction with T393615: Impose technical restrictions on granting the `temporary-account-viewer` group.
Actually this does mean two distinct things:
Stewards can assign a user to a new global group which has IP reveal right globally (and unlike the current global-temporary-account-viewer group, other user right changes do not affect membership).
Hmm, thanks for raising this. I wonder if this might need to be solved by not automatically adding/removing the global-temporary-account-viewer group.
I'm referring to T376315: Control access to global-temporary-account-viewer group on WMF wikis automatically, in which we define a new config that automatically adds and removes the global-temporary-account-viewer group based on membership of other groups. The proposed logic says that global-temporary-account-viewer is automatically added if a user has any of global-sysop, steward, local checkuser or local suppress; and is automatically removed if the user has none of those groups.
If a steward is supposed to be able to give global-temporary-account-viewer to a user who doesn't have any of the other groups, or remove global-temporary-account-viewer from a user who does have the other groups, then the above logic doesn't work. For example, the software would not know the difference between a steward adding global-sysop and forgetting to add global-temporary-account-viewer (in which case global-temporary-account-viewer should be added automatically) vs a steward deliberately adding global-sysop without global-temporary-account-viewer (in which case global-temporary-account-viewer should not be added automatically).
I don't think having one automatically-added group and one manually-added group would work either, because the automatically-added one would still be there even if the manually-added one was removed.
Stewards were given the ability to grant the local group without checking for requirements in https://gerrit.wikimedia.org/r/c/operations/mediawiki-config/+/1148827.
For the global group, we discussed this and decided to configure it as an automatic group, meaning it will only respond to group membership changes. If that becomes a problem, we will revert that configuration.
I'll close this task because I understand that @Niharika filed it to handle the local case, given the discussions we have had