Description

The CheckUser extension allows lookup of temporary account IP addresses using REST APIs. However, when the same temporary account has made more than one edit the REST API allows specifying more than one revision ID for the lookup of IPs.

When these REST API calls are made, the code incorrectly makes the request the number of times equal to the number of edits made by the temporary account.

Steps to replicate the issue

Make a number of edits to a page using a temporary account (at least more than one edit)
Log into an account with the checkuser-temporary-account right
Open the developer console (F12)
Reveal the IP addresses for the temporary account you used to make the edits in step 1

What happens?:
Multiple requests for the same revision ID are shown in the console which all have the same response JSON.

What should have happened instead?:
Either a separate request should be made for each revision ID or only one request should have been made.

Example screenshot

Details

	Subject	Repo	Branch	Lines +/-
	Use ::next instead of ::siblings to prevent more than one reveal	mediawiki/extensions/CheckUser	master	+2 -2
	IP reveal: Stop performing duplicate API requests for temp user IPs	mediawiki/extensions/CheckUser	master	+50 -29

Customize query in gerrit

Related Objects

Mentioned Here: T358853: Temporary accounts: Automatically resolve temporary account names to IP addresses on displaying (auto reveal feature)

Event Timeline

Dreamy_Jazz created this task.Jan 22 2024, 4:16 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 22 2024, 4:16 PM

Dreamy_Jazz moved this task from Inbox to Temporary account IP reveal on the CheckUser board.Jan 22 2024, 4:16 PM

Dreamy_Jazz updated the task description. (Show Details)

Dreamy_Jazz added a project: Trust and Safety Product Team.

Dreamy_Jazz claimed this task.Jan 31 2024, 3:29 PM

Dreamy_Jazz added a project: Trust and Safety Product Sprint (Sprint Kazoo (Jan 29 - Feb 9 2024)).

Dreamy_Jazz edited projects, added Trust and Safety Product Sprint (Sprint Piano (Feb 19th - 1st March)); removed Trust and Safety Product Sprint (Sprint Kazoo (Jan 29 - Feb 9 2024)).Feb 20 2024, 12:59 AM

Dreamy_Jazz removed Dreamy_Jazz as the assignee of this task.Feb 21 2024, 11:16 AM

Dreamy_Jazz moved this task from Priority Backlog to Ready on the Trust and Safety Product Sprint (Sprint Piano (Feb 19th - 1st March)) board.Feb 29 2024, 9:19 PM

The IP reveal JS code also seems to have a bug where multi-reveal will not work properly if content is added via the wikipage.content hook.

Dreamy_Jazz edited projects, added Trust and Safety Product Sprint; removed Trust and Safety Product Sprint (Sprint Piano (Feb 19th - 1st March)).Mar 11 2024, 5:03 PM

We should think about this when we do T358853: Temporary accounts: Automatically resolve temporary account names to IP addresses on displaying (auto reveal feature), since we will need to rethink how the reveal IP buttons work at that point.

On a second look. this is not a duplicate.

Tchanders moved this task from Inbox to Update MediaWiki Core to introduce temp accounts on the Temporary accounts board.Jun 4 2024, 3:17 PM

Tchanders edited projects, added Temporary accounts (Update MediaWiki Core to introduce temp accounts); removed Temporary accounts.

Tchanders edited projects, added Trust and Safety Product Sprint (Sprint Cajon (Jun 24 - July 5)), Temporary accounts (Blockers to testwiki deployment); removed Temporary accounts (Update MediaWiki Core to introduce temp accounts), Trust and Safety Product Sprint.Jul 4 2024, 5:57 PM

Tchanders moved this task from Priority Backlog to Ready on the Trust and Safety Product Sprint (Sprint Cajon (Jun 24 - July 5)) board.Jul 5 2024, 10:44 AM

Tchanders claimed this task.Jul 5 2024, 11:46 AM

Tchanders moved this task from Ready to In Progress on the Trust and Safety Product Sprint (Sprint Cajon (Jun 24 - July 5)) board.

Change #1052315 had a related patch set uploaded (by Tchanders; author: Tchanders):

[mediawiki/extensions/CheckUser@master] WIP IP reveal: Stop performing duplicate API requests for temp user IPs

https://gerrit.wikimedia.org/r/1052315

gerritbot added a project: Patch-For-Review.Jul 5 2024, 2:52 PM

Tchanders moved this task from In Progress to Needs Review on the Trust and Safety Product Sprint (Sprint Cajon (Jun 24 - July 5)) board.Jul 8 2024, 10:40 AM

Change #1052315 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@master] IP reveal: Stop performing duplicate API requests for temp user IPs

https://gerrit.wikimedia.org/r/1052315

Maintenance_bot removed a project: Patch-For-Review.Jul 9 2024, 6:31 PM

QA can follow the steps to reproduce, and you can test this on patch demo or a local wiki.

Dreamy_Jazz updated the task description. (Show Details)Jul 9 2024, 6:35 PM

ReleaseTaggerBot added a project: MW-1.43-notes (1.43.0-wmf.14; 2024-07-16).Jul 9 2024, 7:00 PM

Change #1053044 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/CheckUser@master] Use ::next instead of ::siblings to prevent more than one reveal

https://gerrit.wikimedia.org/r/1053044

gerritbot added a project: Patch-For-Review.Jul 9 2024, 7:13 PM

Bug found. Moving back to 'Needs review' to review the fix.

kostajh moved this task from Needs Review to Needs QA on the Trust and Safety Product Sprint (Sprint Cajon (Jun 24 - July 5)) board.Jul 10 2024, 7:30 AM

Change #1053044 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@master] Use ::next instead of ::siblings to prevent more than one reveal

https://gerrit.wikimedia.org/r/1053044

Maintenance_bot removed a project: Patch-For-Review.Jul 10 2024, 8:30 AM

I have verified the new code has been implemented and is functioning and displaying as expected.

kostajh closed this task as Resolved.Jul 11 2024, 6:04 AM

	F56340015: image.png
	Jul 11 2024, 1:48 AM

	F41707468: image.png
	Jan 22 2024, 4:18 PM

REST API requests for temporary account IPs are made multiple times for the same revision IDsClosed, ResolvedPublicBUG REPORTActions