Page MenuHomePhabricator

Make the remote address rules for Settings > Activity Logs more consistent
ClosedPublic

Authored by epriestley on Jan 30 2018, 8:16 PM.
Tags
None
Referenced Files
Unknown Object (File)
Sat, Dec 21, 11:10 PM
Unknown Object (File)
Sat, Dec 21, 11:10 PM
Unknown Object (File)
Fri, Dec 6, 1:13 PM
Unknown Object (File)
Wed, Dec 4, 10:57 PM
Unknown Object (File)
Wed, Nov 27, 7:13 PM
Unknown Object (File)
Wed, Nov 27, 1:19 AM
Unknown Object (File)
Nov 23 2024, 2:31 AM
Unknown Object (File)
Nov 18 2024, 11:48 PM
Subscribers
None

Details

Summary

Depends on D18971. Ref T13049. The rule is currently "you can see IP addresses for actions which affect your account".

There's some legitimate motivation for this, since it's good if you can see that someone you don't recognize has been trying to log into your account.

However, this includes cases where an administrator disables/enables your account, or promotes/demotes you to administrator. In these cases, their IP is shown!

Make the rule:

  • Administrators can see it (consistent with everything else).
  • You can see your own actions.
  • You can see actions which affected you that have no actor (these are things like login attempts).
  • You can't see other stuff: usually, administrators changing your account settings.
Test Plan

Viewed activity log as a non-admin, no longer saw administrator's IP address disclosed in "Demote from Admin" log.

Diff Detail

Repository
rP Phabricator
Lint
Lint Not Applicable
Unit
Tests Not Applicable