Page MenuHomePhabricator
Create Task
Maniphest T290324

Create Oversight-level abuse filters
Open, In Progress, Needs TriagePublic
Actions

Description

Summary

Add support for suppressing AbuseFilters, allowing certain filters with sensitive information (e.g., PII) to be marked as suppressed. This restricts visibility of filter details, logs, and history to users with oversight rights.

Background

  • Introduces a new "suppressed" flag for AbuseFilters to protect sensitive information.
  • Unlike "protected" filters, suppression can occur without needing certain variables, offering a more flexible way to protect data.
  • Suppression restricts access to filter details, logs, and history, making them visible only to oversighters.
  • This enhancement includes updates to both the UI and API to support the management of suppressed filters.
  • Logs for suppressed filters are auto-suppressed by default.
  • Suppression operates independently from filter hiding; a suppressed filter can require both oversight and EFH/M rights if hidden.

User story

As an oversighter, (if I was one) I would want the ability to mark sensitive AbuseFilters as "suppressed" so that their details, logs, and history are only visible to users with oversight rights, helping ensure better privacy protection for sensitive data. For example, if an LTA is posting someone's address or phone number everywhere and I want to create a filter that hits on that address or phone number.

Technical notes

  • Add a "suppressed" checkbox in the filter edit form, only accessible to users with oversight rights. The checkbox is grayed out for other users.
  • Modify the system to restrict visibility of suppressed filter details, logs, and history to users with oversight rights.
  • Add UI and API support for managing suppressed filters, ensuring oversight users can handle them.
  • Create unit and integration tests to validate the behavior of suppressed filters and ensure proper functionality.
  • Suppression works independently from filter hiding, so it can be used in conjunction with existing privacy features.

Acceptance criteria

  • "Suppressed" flag available in the filter edit form, usable only by oversighters.
  • Filter details, logs, and history of suppressed filters are visible only to users with oversight rights.
  • Support for showing and managing suppressed filters added to the UI and API.
  • Unit and integration tests for suppressed filters implemented.
  • Approval from L3SC
  • Approval from Trust & Safety Product
  • Documentation on mediawiki.org updated to reflect new suppression functionality.
  • QA (pending deployment)

Deployment

  • January 6 - Group 0 wikis (incl. testwiki)
  • January 7 - Group 1 wikis
  • January 8 - Group 2 wikis (incl. enwiki)

Related links

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
AbuseFilterPermissionManager: Make blocks deny suppressor rightsmediawiki/extensions/AbuseFiltermaster+78 -26
AbuseFilter: Add support for suppressing filtersmediawiki/extensions/AbuseFiltermaster+562 -33
[WIP] AbuseFilterPermissionManager: Add oversight-only abuse filtersmediawiki/extensions/AbuseFiltermaster+145 -15
Customize query in gerrit

Related Objects
Search...

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
kostajh added a comment.Apr 16 2025, 11:53 AM
In T290324#10747052, @ARamadan-WMF wrote:

@kostajh , Hello, has Trust and Safety completed this?

L3SC approval is documented here. I'd like for Trust and Safety Product Team to take a look at this, because we recently reworked a bunch of code to support T354599: [EPIC] WE4.2.14b Provide IP reputation variables in AbuseFilter and we may have some learnings there that apply to this patch. I'm tentatively placing it in our next sprint for our team to provide code review.

Sdrqaz subscribed.Apr 17 2025, 1:39 AM
Dreamy_Jazz edited projects, added Trust and Safety Product Sprint (Sprint Carrot Cake (May 26 - June 13)); removed Trust and Safety Product Sprint (Sprint Key Lime Pie (May 5 - May 23)).Apr 30 2025, 1:40 PM
Izno subscribed.May 10 2025, 2:26 PM
0xDeadbeef subscribed.May 22 2025, 2:51 AM
Niharika subscribed.May 22 2025, 10:01 AM

@MolecularPilot Thank you for your work on this and sorry about the delay on our end. I've reviewed the task requirements and it looks good to me. My only question is whether this has gone through any community approvals process? Looking at the number of subscribers on this task it seems like this is a popular idea. If there is a community discussion about it that you can link to, that would be helpful.

I tried to pull the patch into a patch demo to review the feature but that failed presumably because the patch needs rebasing. Happy to look that over once the patch is updated.

@kostajh We can proceed with the engineering review.

Jules78120 added a comment.EditedMay 22 2025, 10:09 AM

Hi @Niharika. As a former fr-wp OS, and current AF: I don't think there are public community discussion on fr-wp, but we wanted to get such Oversight-level abuse filters because we have on fr-wp a (private) anti-harassment abuse filter (148) using real names of editors, especially functionnaries. Which is not optimal for privacy.

Barkeep49 added a comment.May 22 2025, 2:47 PM

I can tell you this has gone through the en OS mailing list as a very popular idea. Crucially this also came out of the Wishlist process which, as I understand it, is supposed to be its own form of community discussion.

kostajh changed the task status from Stalled to Open.May 22 2025, 3:38 PM
kostajh moved this task from Priority Backlog to Needs Review on the Trust and Safety Product Sprint (Sprint Carrot Cake (May 26 - June 13)) board.
A_smart_kitten added a project: User-notice.May 22 2025, 4:19 PM

+User-notice: IMO this feature is worth a Tech/News announcement if/when it's implemented; feel free to remove the tag if you disagree :)

A_smart_kitten moved this task from To Triage to Not ready to announce on the User-notice board.May 22 2025, 4:19 PM
Quiddity subscribed.May 23 2025, 12:27 AM

For Tech News (once this is ready to announce): Drafts/suggested wording would be welcome! (I always appreciate help understanding what exactly needs to be communicated).
Any estimates of the timing of the entry are also always welcome (for when I/other editors are skimming the workboard for recently-active tasks, each week). Cheers.

PatchDemoBot added a comment.May 25 2025, 5:34 AM

Test wiki created on Patch demo by MolecularPilot using patch(es) linked to this task:
https://patchdemo.wmcloud.org/wikis/c6c26351dc/w/

MolecularPilot added a comment.May 25 2025, 5:48 AM

Change rebased ontop of protected variable changes (latest master) and ready for code review!

All tests are passing and you can see the patch demo of it working through the above link (login info specified on the main page).

For Tech News, I was thinking something like:

  • Edit filters can now be suppressed to automatically restrict details and logs to oversighters only.

but the question does arise do we use enwiki/Wikimedia specific terms ("edit filter", "oversighter") or general MediaWiki terms ("abuse filter, "suppressor")?

Izno added a comment.EditedMay 25 2025, 6:43 AM

The global terms should be preferred for i18n purposes. That said, I'd rewrite the note as "Edit filters can now be set to suppress attempted edits and actions [automatically]." which avoids part of the issue. (And I think edit filter is the wider known terminology these days too, but I could be wrong.) Link suppress to the relevant MW wiki documentation page or Wikidata item, and add a separate "see filters documentation about this feature" sentence after, wherever that lives.

Novem_Linguae added a comment.May 25 2025, 2:24 PM

How about "Certain edit filters can now be set to suppress their list of attempted edits and actions. The idea is to restrict information in edit filters related to doxing."

Nemoralis subscribed.May 27 2025, 3:48 PM
Quiddity updated the task description. (Show Details)May 28 2025, 6:51 PM
Quiddity updated the task description. (Show Details)
Quiddity added a comment.May 28 2025, 7:17 PM

I've added four related wishlist links to the task's Description. I believe that, plus @Niharika's comment above, satisfies the Acceptance criteria for "Approval from Trust & Safety Product", but I'll leave checking-that-checkbox to someone else.

Re: terminology: I see the 4 wishlist pages all use "abuse filter". But I'm aware that that name isn't ideal for a few reasons (incl. inaccurate for some filters, and not universally used by editors). In the Tech News entry, I suggest using "edit filters", but I will also add a note in the "translation guidance" (qqq) telling the translators to use either term, as appropriate for their linguistic community.

Re: Acceptance criteria of "Documentation on mediawiki.org updated to reflect new suppression functionality." -- Is this part done, or planned to be done by someone? It would be ideal to have the updated content both ready for translation, and linked-to within the Tech News entry.

Re: draft of an entry: I'd suggest (but further edits/suggestions are very welcome!):

  • Edit filters [[LINK TO NEW DOCS| can now be set]] to suppress their list of attempted edits and actions. This will help oversighters if they are using any edit filters to prevent doxxing.
Niharika added a comment.Jun 3 2025, 10:36 AM

@Jules78120 @Barkeep49 Noted, thank you. In that case this is all good on my end. The other remaining thing is for our team to do a code review. It's in our current sprint and should be looked at by someone hopefully soon.
@Quiddity let's leave the Approval for TSP checkbox open for whoever does the code review. They can sign off on it.

MolecularPilot added a comment.Jun 7 2025, 1:04 PM

There was a minor merge conflict in the patch caused by a change merged to main in the last few days, I’ve reconciled this, so it’s ready for code review now, but absolutely no rush for that! :)

MolecularPilot changed the task status from Open to In Progress.Jun 16 2025, 4:54 AM
MolecularPilot edited projects, added Trust and Safety Product Sprint (Sprint Baklava (June 16 - July 4)); removed Trust and Safety Product Sprint (Sprint Carrot Cake (May 26 - June 13)).
MolecularPilot moved this task from Priority Backlog to Needs Review on the Trust and Safety Product Sprint (Sprint Baklava (June 16 - July 4)) board.
kostajh moved this task from Needs Review to Priority Backlog on the Trust and Safety Product Sprint (Sprint Baklava (June 16 - July 4)) board.Jul 2 2025, 1:44 PM
kostajh edited projects, added Trust and Safety Product Sprint (Sprint Cannoli (July 7 - July 25)); removed Trust and Safety Product Sprint (Sprint Baklava (June 16 - July 4)).Jul 7 2025, 9:47 AM
Dreamy_Jazz removed a project: Trust and Safety Product Sprint (Sprint Cannoli (July 7 - July 25)).EditedJul 17 2025, 1:30 PM
Dreamy_Jazz subscribed.

Removing our sprint tag as we provided code review but are now waiting for the patch to be updated for the new merge conflicts and the comments I left a few weeks ago.

We would want to take another look at this for code review once the patch has been updated.

Pppery edited projects, added Patch-Needs-Improvement; removed Patch-For-Review.Jul 24 2025, 2:42 PM
MolecularPilot added a comment.Jul 27 2025, 8:51 PM

Hi! Thank you very much for the patch review,. I’ve addressed all concerns, but due to a problem with WiFi (I am writing this on my phone) I’m currently unable to submit the new patch. I should be able to by next weekend when it is repaired. Thanks again! :)

Dreamy_Jazz added a comment.EditedJul 28 2025, 11:09 AM
In T290324#11037917, @MolecularPilot wrote:

Hi! Thank you very much for the patch review,. I’ve addressed all concerns, but due to a problem with WiFi (I am writing this on my phone) I’m currently unable to submit the new patch. I should be able to by next weekend when it is repaired. Thanks again! :)

Thanks for the update! Hope you can get the WiFi sorted soon and there are no other unexpected problems. If you could ping me when that's done, I can take another look at the patch.

Nemoralis unsubscribed.Jul 28 2025, 11:48 AM
OKryva-WMF edited projects, added Product Safety and Integrity; removed Trust and Safety Product Team.Oct 24 2025, 3:21 PM
OKryva-WMF moved this task from Inbox to Triaged (backlog) on the Product Safety and Integrity board.Oct 24 2025, 3:23 PM
MolecularPilot added a comment.Nov 5 2025, 12:58 PM

My apologies, this slipped my mind once my WiFi was restored. I’ll resolve the merge conflicts and reviewer comments within a few days and submit an updated patch. :)

MolecularPilot added a comment.Nov 9 2025, 2:33 AM

@Dreamy_Jazz I've addressed the merge conflicts and all of your feedback in the latest patchset - Patchset 12 - and it's ready for your review when ready. Thank you again for your detailed feedback!

MolecularPilot edited projects, added Patch-For-Review; removed Patch-Needs-Improvement.Nov 9 2025, 2:43 AM
STei-WMF subscribed.Nov 11 2025, 8:25 PM

Is this ready for Tech News?

MolecularPilot added a comment.Nov 11 2025, 8:34 PM

It needs to be reviewed and merged first.

Aklapper added a comment.Nov 11 2025, 10:57 PM

@STei-WMF Please look at the "Details" box to see patch statuses, and at the project tags which may include Patch-For-Review.

OKryva-WMF edited projects, added Product Safety and Integrity (Crepes au Chocolat (Sprint Nov 10 - Nov 28)); removed Product Safety and Integrity.Nov 12 2025, 11:58 AM
OKryva-WMF moved this task from Backlog to Needs review on the Product Safety and Integrity (Crepes au Chocolat (Sprint Nov 10 - Nov 28)) board.
OKryva-WMF edited projects, added Product Safety and Integrity (Sprint Mince Pie Dec 1 - Dec 12); removed Product Safety and Integrity (Crepes au Chocolat (Sprint Nov 10 - Nov 28)).Dec 1 2025, 9:15 AM
OKryva-WMF moved this task from Backlog to Needs review on the Product Safety and Integrity (Sprint Mince Pie Dec 1 - Dec 12) board.Dec 1 2025, 9:15 AM
Dreamy_Jazz updated the task description. (Show Details)Dec 17 2025, 11:37 PM
PatchDemoBot added a comment.Dec 18 2025, 1:21 PM

Test wiki created on Patch demo by MolecularPilot using patch(es) linked to this task:
https://c638625221.catalyst.wmcloud.org/w/

Dreamy_Jazz moved this task from Not ready to announce to Announce in next Tech/News on the User-notice board.Dec 18 2025, 1:49 PM

This patch will not be going out until the week of the 5th of January (as there are no trains over the Christmas holiday period), but otherwise should be ready for a tech news entry

Dreamy_Jazz moved this task from Needs review to Needs QA on the Product Safety and Integrity (Sprint Mince Pie Dec 1 - Dec 12) board.Dec 18 2025, 2:09 PM
gerritbot added a comment.Dec 18 2025, 2:14 PM

Change #1115319 merged by jenkins-bot:

[mediawiki/extensions/AbuseFilter@master] AbuseFilter: Add support for suppressing filters

https://gerrit.wikimedia.org/r/1115319

STei-WMF added a comment.Dec 18 2025, 8:24 PM

Is this entry still accurate for Tech News?:

Edit filters [[LINK TO NEW DOCS| can now be set]] to suppress their list of attempted edits and actions. This will help oversighters if they are using any edit filters to prevent doxxing.

MolecularPilot added a comment.EditedDec 18 2025, 10:48 PM

I think that's great, maybe just also add that this hides the filter details (incl. rules as well) and that the log suppression is done automatically, like:

Edit filters [[LINK TO NEW DOCS|can now be set]] to automatically suppress their details such as rules and list of attempted edits and actions. This will help oversighters use edit filters to prevent doxxing or other suppressible material.

PatchDemoBot added a comment.Dec 19 2025, 12:32 AM

Test wiki on Patch demo by MolecularPilot using patch(es) linked to this task was deleted:

https://patchdemo.wmcloud.org/wikis/c6c26351dc/w/

PatchDemoBot added a comment.Dec 19 2025, 12:32 AM

Test wiki on [[ | Patch demo ]] by MolecularPilot using patch(es) linked to this task was deleted:

https://c638625221.catalyst.wmcloud.org/w/

MolecularPilot added a comment.Dec 19 2025, 8:04 AM

I've made new docs now at https://www.mediawiki.org/wiki/Extension:AbuseFilter/Access_flags that can be linked in the tech news entry.

A_smart_kitten mentioned this in T413188: PatchDemoBot wiki deletion comments sometimes contain a malformed/nonexistent link.Dec 19 2025, 9:36 AM
STei-WMF added a comment.Dec 19 2025, 3:25 PM
In T290324#11475472, @MolecularPilot wrote:

I've made new docs now at https://www.mediawiki.org/wiki/Extension:AbuseFilter/Access_flags that can be linked in the tech news entry.

Edit filters [[mw:Extension:AbuseFilter/Access flags|can now be set]] to automatically suppress their details such as rules and list of attempted edits and actions. This will help oversighters use edit filters to prevent doxxing or other suppressible material.[https://phabricator.wikimedia.org/T290324]

Done!

STei-WMF moved this task from Announce in next Tech/News to In current Tech/News draft on the User-notice board.Dec 19 2025, 3:26 PM
Dreamy_Jazz added a comment.Dec 19 2025, 3:32 PM

@STei-WMF, this change will not be deployed until January but it is being included in next week's Tech News from what I can see.

If we are using it in this coming week's Tech News, can we clarify that this will be available in January?

STei-WMF added a comment.Dec 19 2025, 5:36 PM
In T290324#11477087, @Dreamy_Jazz wrote:

@STei-WMF, this change will not be deployed until January but it is being included in next week's Tech News from what I can see.

If we are using it in this coming week's Tech News, can we clarify that this will be available in January?

I will add that it will be available in January.

MolecularPilot updated the task description. (Show Details)Dec 22 2025, 2:31 AM
MolecularPilot updated the task description. (Show Details)
gerritbot added a comment.Dec 22 2025, 4:23 AM

Change #1220039 had a related patch set uploaded (by MolecularPilot; author: MolecularPilot):

[mediawiki/extensions/AbuseFilter@master] AbuseFilterPermissionManager: Check for blocks when assessing suppresion rights

https://gerrit.wikimedia.org/r/1220039

Novem_Linguae updated the task description. (Show Details)Dec 22 2025, 9:23 AM
Titore subscribed.Dec 22 2025, 12:27 PM
Johannnes89 mentioned this in T414011: Users with viewsuppressed permissions are able to edit suppressed abuse filters and remove the suppressed flag in the process.Jan 7 2026, 6:33 PM
Reedy mentioned this in T414016: PHP Deprecated: Creation of dynamic property MediaWiki\Extension\AbuseFilter\Filter\Flags::$suppressed is deprecated.Jan 7 2026, 8:02 PM
gerritbot added a comment.Jan 7 2026, 11:48 PM

Change #1220039 merged by jenkins-bot:

[mediawiki/extensions/AbuseFilter@master] AbuseFilterPermissionManager: Make blocks deny suppressor rights

https://gerrit.wikimedia.org/r/1220039

OKryva-WMF edited projects, added Product Safety and Integrity (Sprint Daffodil (Jan 19 - Feb 6)); removed Product Safety and Integrity (Sprint Mince Pie Dec 1 - Dec 12).Jan 9 2026, 10:35 AM
OKryva-WMF moved this task from Backlog to Needs QA on the Product Safety and Integrity (Sprint Daffodil (Jan 19 - Feb 6)) board.Jan 9 2026, 10:35 AM
STei-WMF moved this task from In current Tech/News draft to Already announced/Archive on the User-notice board.Jan 9 2026, 4:35 PM
Wargo subscribed.Jan 13 2026, 1:07 AM

Note the Unsuppress will unhide all the logs. Should be warning somewhere or the logs until unflag should stay hidden?

Wargo added a subtask: T414396: Suppressed filters should hide abuse logs of other filters' hits for the same edit.Jan 13 2026, 1:16 AM
Johannnes89 added a comment.Jan 13 2026, 6:06 AM
In T290324#11514874, @Wargo wrote:

Note the Unsuppress will unhide all the logs. Should be warning somewhere or the logs until unflag should stay hidden?

That’s already discussed in T414011 along with other issues. Ideally the option to unsuppress filters should be removed, just like it’s not possible to unprotected filters with protected variables.

Johannnes89 mentioned this in T414990: Disallow unsuppression of abuse filters (and their log entries & filter notes).Mon, Jan 19, 5:38 PM
DerHexer subscribed.Tue, Jan 20, 12:51 PM
MGChecker subscribed.Tue, Jan 20, 10:35 PM

Who is able to see the information that a certain filter is suppressed? I would suspect abusefilter-view to suffice, but maybe it is regulated differently?

Johannnes89 added a comment.Wed, Jan 21, 12:26 PM
In T290324#11539679, @MGChecker wrote:

Who is able to see the information that a certain filter is suppressed? I would suspect abusefilter-view to suffice, but maybe it is regulated differently?

That's indeed based on abusefilter-view (usually given to all users, even unregistered ones – or restricted to autoconfirmed users in some projects).

Example from https://test.wikipedia.org/wiki/Special:AbuseFilter (I've now unsuppressed filter 300 again):

Screenshot 2026-01-21 at 13.16.53.png (1×2 px, 640 KB)

Clicking on the filter link without the permissions to view suppressed filters shows the abusefilter-edit-denied-suppressed message which is similar to the denied-messages for private and protected filters.

OKryva-WMF edited projects, added Product Safety and Integrity (Sprint Flower (Feb 9 - Feb 27)); removed Product Safety and Integrity (Sprint Daffodil (Jan 19 - Feb 6)).Tue, Feb 10, 8:39 AM
OKryva-WMF moved this task from Backlog to Needs QA on the Product Safety and Integrity (Sprint Flower (Feb 9 - Feb 27)) board.Tue, Feb 10, 8:58 AM
kostajh added a comment.Wed, Feb 11, 6:07 PM
In T290324#11515167, @Johannnes89 wrote:
In T290324#11514874, @Wargo wrote:

Note the Unsuppress will unhide all the logs. Should be warning somewhere or the logs until unflag should stay hidden?

That’s already discussed in T414011 along with other issues. Ideally the option to unsuppress filters should be removed, just like it’s not possible to unprotected filters with protected variables.

@MolecularPilot what do you think about this proposal?

Quiddity unsubscribed.Wed, Feb 11, 7:42 PM
MolecularPilot added a comment.Thu, Feb 12, 5:21 AM

I agree with what Pppery mentioned in T414990, I don't think making a filter completely unable to be unsuppressed is ideal, and feel it's inconsistent with the wiki model. I think a better solution is to set the, already existing, "manually suppressed" (I don't recall the exact column name) bit for any log generated while a filter is suppressed, so unsuppressed the filter doesn't automatically reveal this. I think it's different to protected filter logs, as they inherently contain PII in the variables like IP addresses, but each log hit for a suppressed filter doesn't necessarily contain this. Though, if we do need to go with irreversible suppression for legal/compliance/etc. reasons, a warning before suppressing would definitely be ideal.

mikez-WMF added a project: Community-Wishlist.Fri, Feb 13, 12:56 PM
mikez-WMF moved this task from Backlog to In Progress on the Community-Wishlist board.Fri, Feb 13, 2:34 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits