https://bugzilla.wikimedia.org/show_bug.cgi?id=70885

Chris Steipp <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |INVALID

--- Comment #6 from Chris Steipp <[email protected]> ---
As others have said, this is how OAuth is intended to work, so I'm going to close the bug since I think the original request as I understand it (have OAuth tools pass on the user's IP address) isn't possible in the case of toollabs apps, and realistically isn't something we can actually enforce. We don't own the app's code, so apps could pass totally random "addresses" in their api calls and we would have no way to know if they were being honest or not.

I'm going to guess that behind this request is that cu's are trying to prove... something via a cu check. Maybe a sockpuppet investigation? And some of the edits were made through the tool. For that, OAuth only works for existing global accounts, so the account creation has to take place from an IP that we can look at.

I'm guessing that behind the investigation is some sort of vandalism, so I'll also add you have basically two ways to address vandalism from an OAuth tool (since the IP address isn't passed on). Block the user (and correct, autoblock would make things difficult, so it should be avoided in that case), or revoke the OAuth tool's key. If it seems like a single user is abusing the tool, best to just block them directly. If a tool is consistently being abused, then we should revoke the tool's access until the app owner figures out ways to address the abuse.

We could probably look into other options, including we could require that they pass on the remote IP in an xff header, and we list the tool as a trusted proxy, as a condition for re-enabling their key. But like I said above, we couldn't prove they were being honest, although it would allow us to track edits by honest OAuth apps.

Feel free to reopen this bug if you think I have the problem wrong, and there's a feature request we can implement. I definitely don't want to see OAuth apps become a vandalism loophole.
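
The trusted-proxy option mentioned in the comment above, sketched as an added example that is not part of the original comment and is not MediaWiki's code: an X-Forwarded-For value is honoured only when the connecting peer is on the operator's trusted-proxy list. The function names and all addresses are assumptions constructed for illustration (documentation ranges).

```python
import ipaddress

# Constructed sample: hosts the wiki operator has listed as trusted proxies,
# e.g. an OAuth tool whose key was re-enabled on that condition (hypothetical).
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32")]


def is_trusted(addr):
    """True if addr falls inside one of the listed trusted-proxy networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)


def attributed_ip(peer_addr, xff_header):
    """Return the address to record for a request.

    peer_addr is the TCP peer; xff_header is the raw X-Forwarded-For value
    (or None). The header is walked right to left, and an entry is accepted
    only while the hop that reported it is a trusted proxy.
    """
    current = peer_addr
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if not is_trusted(current):
            break  # untrusted sender: whatever it wrote in XFF is ignored
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last address we could accept
        current = hop
    return current


# Listed tool forwarding its user's address: the user's address is recorded.
# A listed tool that forwards a made-up address is recorded the same way;
# the listing expresses trust in the tool, it does not verify the value.
print(attributed_ip("192.0.2.10", "203.0.113.7"))
# Unlisted client sending its own XFF: the header is ignored.
print(attributed_ip("198.51.100.5", "203.0.113.7"))
```
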
