There could be scenarios where we want to withdraw IP address reveal permissions from a user in a situation where the user has caused enough of a trust & safety concern to have them not view IPs but not severe enough to block them from the project.
This permission should work globally - so a user can be blocked from revealing IP addresses from all wikis. This should also work irrespective of whether the user has opted-in to IP reveal ability.
| Status | Subtype | Assigned | Task | ||
|---|---|---|---|---|---|
| Restricted Task | |||||
| Resolved | kostajh | T294511 2021 Security Team wikireplicas audit | |||
| Declined | None | T284948 Raw IPs of logged-out users disclosed in wiki-replicas | |||
| In Progress | Niharika | T324492 Temporary accounts - MVP | |||
| Open | Niharika | T325238 [Epic] IP Address Reveal for Privileged Users | |||
| Open | None | T337189 Add ability to centrally revoke ipinfo reveal permissions from users who should not have them |
Basically a global group with the same revoke ability as the local no-ipinfo group. Obviously something only for staff/stewards to manage.
I think this is going to need to be blocked upstream, 2 reasons:
A feature request for #1 should be created for the general condition if this is going to be done via global groups with central auth.
Would it be possible to implement this without adding a new user right, please? User rights should not be used to revoke permissions.
IMO I don't see any easy way to implement this without using $wgRevokePermissions, because:
If you have any suggestions as to how an alternative method would work, I'd be all ears.