Extension:用户查核

This page is a translated version of the page Extension:CheckUser and the translation is 43% complete.
Outdated translations are marked like this.
MediaWiki扩展手册
CheckUser
发行状态: 稳定版
实现 特殊页面 , 用户身份 , API , 函数钩 , 数据库
描述 CheckUser功能可以讓拥有权限的用户可以去查核所给定的用户名使用了哪些IP地址和给定的IP使用了哪些用户名,而无须直接手动在数据库中运行查询。
作者 Tim Starling, Aaron Schulz, Dreamy Jazz
最新版本 2.5 (continuous updates)
兼容性政策 快照跟随MediaWiki发布。 master分支不向后兼容。
PHP 7.4.3+
数据库更改
虚拟域 virtual-checkuser-global
cu_changes
cu_log_event
cu_private_event
cu_log
cu_useragent_clienthints
cu_useragent_clienthints_map
cu_useragent
cuci_wiki_map
cuci_temp_edit
cuci_user
许可协议 GNU通用公眾授權條款2.0或更新版本
下載
  • $wgCheckUserGBtoollink
  • $wgCheckUserClientHintsSpecialPages
  • $wgCheckUserCAMultiLock
  • $wgCheckUserLogSuccessfulBotLogins
  • $wgCheckUserSpecialPagesWithoutIPRevealButtons
  • $wgCheckUserLogLogins
  • $wgCUPublicKey
  • $wgCheckUserCAtoollink
  • $wgCheckUserCuciUserRandomChanceDebounceCutoff
  • $wgCheckUserClientHintsRestApiMaxTimeLag
  • $wgCheckUserDeveloperMode
  • $wgCheckUserWriteToCentralIndex
  • $wgCheckUserCentralIndexRangesToExclude
  • $wgCUDMaxAge
  • $wgCheckUserCIDRLimit
  • $wgCheckUserMaxBlocks
  • $wgCheckUserCentralIndexGroupsToExclude
  • $wgCheckUserDisplayClientHints
  • $wgCheckUserGlobalContributionsCentralWikiId
  • $wgCheckUserForceSummary
  • $wgCheckUserInvestigateMaximumRowCount
  • $wgCheckUserMaximumIPsToAutoblock
  • $wgCheckUserClientHintsForDisplay
  • $wgCheckUserClientHintsValuesToHide
  • $wgCheckUserClientHintsUnsetHeaderWhenPossible
  • $wgCheckUserCollapseCheckUserHelperByDefault
  • $wgCheckUserClientHintsEnabled
  • $wgCheckUserTemporaryAccountMaxAge
  • $wgCheckUserMaximumRowCount
  • $wgCheckUserClientHintsHeaders

  • checkuser
  • checkuser-log
  • checkuser-temporary-account
  • investigate
季度下載量 221 (Ranked 26th)
正在使用的公开wiki数 9,118 (Ranked 13th)
前往translatewiki.net翻譯CheckUser扩展
問題 开启的任务 · 报告错误
這是一個關於扩展本身的頁面。 關於維基媒體基金會的用户查核政策,見用户查核方针

CheckUser是一个允许拥有checkuser权限的用户查核给定IP地址下的用户和给定用户使用的IP地址的,而无须手动在数据库运行查询的扩展。 這個擴展正運作在所有維基媒體的維基項目上。

更新将根据维基媒体基金会的wiki的需要进行,或在发现关键漏洞时进行。

安裝

  • 下载文件,并将解压后的CheckUser文件夹移动到extensions/目录中。
    开发者和代码贡献人员应从Git安装扩展,输入:cd extensions/
    git clone https://gerrit.wikimedia.org/r/mediawiki/extensions/CheckUser
  • 只有從git安裝才运行Composer来安装PHP依赖,通过发行composer install --no-dev至扩展目录。 (参见工單T173141了解潜在问题。)
  • 将下列代码放置在您的LocalSettings.php 的底部:
    wfLoadExtension( 'CheckUser' );
    
  • 运行更新脚本,它将自动创建此扩展必须依赖的数据库表。
  • Configure as required.
  •   完成 – 在您的wiki上导航至Special:Version,以验证已成功安装扩展。

Using MediaWiki-Docker

Follow the steps in MediaWiki-Docker/Extension/CheckUser to install this extension inside a MediaWiki Docker instance.

配置

这个工具可将最近的更改数据复制到单独的表格中,并在添加新条目时进行添加。 如果将$wgPutIPinRC 设置为false,复制的数据将不包含相关的IP地址。 However, entries added after installation of this extension will contain the IP address.

安装此扩展后,您可以减少$wgRCMaxAge 以缩短最近更改的时间,而不会影响查核用户。 使用$wgCUDMaxAge设置checkuser的查询日期,以秒为单位。

特定于查核用户的设置$wgCheckUserCIDRLimit决定了单次检查中可检查的最大范围。 他的格式与$wgBlockCIDRLimit 设置相同。 $2查核的默认限额为/19,$4查核的默认限额为/16

To allow this tool to log successful and failed login attempts as well as logouts, set $wgCheckUserLogLogins to true. If you have bot accounts on your wiki, setting $wgCheckUserLogSuccessfulBotLogins to false will skip logging successful login attempts to bot accounts.

MediaWiki版本:
1.43

If the extension is installed on a multi-wiki install, then you should set $wgVirtualDomainsMapping for the virtual-checkuser-global to point to a central database table. Setting this will ensure that the central index tables are actually on a central DB, and therefore the GlobalBlocking global autoblocks and GUC work. After doing this, you will need to run update.php to create the tables on the central wiki.

Troubleshooting Special:GlobalContributions functionality

If Special:GlobalContributions is not returning revisions as expected (e.g. you have revisions on another wiki that you can view on that wiki), a misconfiguration may be causing an internal failure that isn't user-facing (as it cannot be user resolved). Check that:

  • Your user has a central account and that their accounts on the affected wiki are linked. This can be checked at Special:MergeAccount.
  • The affected wiki is known to the wiki farm. This is defined in the sites table and wikis can be added to this table via the addSite maintenance script. You'll need to ensure that the optional parameters pagepath and filepath are filled out (eg. php ./maintenance/run.php ./maintenance/addSite.php $wikiName wiki --pagepath https://hostname/wiki/\$1 --filepath https://hostname/w/\$1), as Special:GlobalContributions uses these to generate API queries and links.
  • The central database is set with virtual-checkuser-global (eg. $wgVirtualDomainsMapping['virtual-checkuser-global'] = [ 'db' => $wiki ];) and that the cuci_temp_edit table is recording revisions from the affected wiki.
  • If necessary, cross-domain cookies should be enabled as the centralauth token must work across both wikis.

授权权限以使用用户查核

要授予Special:CheckUserSpecial:InvestigateSpecial:CheckUserLog的使用权,用户权限管理用户必须访问Special:UserRights,在框中输入用户名,然后选择 「checkuser」选项。 完成此操作后,上述特殊页面将显示在该用户的Special:SpecialPages页面中。

To allow users to access the IP addresses of temporary accounts , they should be granted the checkuser-temporary-account right.

要赋予系统管理员该扩展的所有权限,请在LocalSettings.php中输入以下内容:

$wgGroupPermissions['sysop']['checkuser'] = true;
$wgGroupPermissions['sysop']['checkuser-log'] = true;
$wgGroupPermissions['sysop']['investigate'] = true;
$wgGroupPermissions['sysop']['checkuser-temporary-account'] = true;

要仅允许添加和删除checkuser权限,请使用以下代码:

$wgAddGroups['sysop'][] = 'checkuser';
$wgRemoveGroups['sysop'][] = 'checkuser';

配置

extension.json中的配置设置
参数 默认 评论
$wgCUDMaxAge 7776000 保留多久用户查核日志(以秒为单位)? (默认= 3个月)
$wgCheckUserMaxBlocks 200 最大封鎖限制
$wgCheckUserForceSummary false 如果要强制用户查核员通过Special:CheckUser为每个检查提供原因,请将此设置为true。 (不是很有用,因为用户查核员可以简单地给出一个摘要,例如“他们需要被检查”或“我想要檢查”并且软件不会知道是否合理。)
$wgCheckUserCIDRLimit [ 'IPv4' => 16, 'IPv6' => 19 ] 可以在任何单独范围检查中检查的最短CIDR限制
$wgCUPublicKey '' 用于加密私人数据的公共密钥,以后可能需要读取。 使用以下命令產生公開密鑰:

openssl genrsa -out cu.key 2048; openssl rsa -in cu.key -pubout > cu.pub 并在此处粘贴cu.pub的内容

Used with an associated private key to encrypt certain data that is not shown to CUs but stored in the cu_changes or cu_private_event table. Currently this is only the recipients of emails. Without a valid public key the data will not be stored.

$wgCheckUserCAMultiLock false 这可用于通过中央认证向Special:CheckUser的查核结果表单表单添加Special:MultiLock的链接。 这需要在wiki上安装中央认证 扩展。 To enable this, set this to an array with a central wiki's database name and an array with the name(s) of the global group(s) to add the link for. 例如:
$wgCheckUserCAMultiLock = [
    'centralDB' => 'metawiki',
    'groups' => [ 'steward' ]
];
$wgCheckUserCAtoollink false 77360f1cf1d2起。 This adds a link to central wiki Special:CentralAuth to the Special:CheckUser's "Get users" results. This requires the 中央认证 extension to be installed on the wiki. To enable this, set this with a central wiki's database name. 例如:
$wgCheckUserCAtoollink = 'metawiki';
$wgCheckUserGBtoollink false 77360f1cf1d2起。 This adds a link to local or central wiki Special:GlobalBlock to the Special:CheckUser's "Get users" results. This requires the GlobalBlocking extension to be installed on the wiki. To enable this, if a $wgConf is configured, set this to an array with a central wiki's database name and an array with the name(s) of the local (or global if you have 中央认证 installed) group(s) to add the link for. 例如:
$wgCheckUserGBtoollink = [
	'centralDB' => 'metawiki',
	'groups' => [ 'steward', 'staff' ]
];
$wgCheckUserEnableSpecialInvestigate (1.35-1.43) false (<=1.39)
true (1.40+)
57dcfe46d2e4起。 This enables Special:Investigate, an updated version of Special:CheckUser that allows checking for multiple user accounts and IP addresses within one investigation.
$wgCheckUserLogLogins false Whether CheckUser should log login and logout attempts (both successful and not).
$wgCheckUserLogSuccessfulBotLogins true Whether CheckUser should store successful login attempts to accounts with the bot user group if $wgCheckUserLogLogins is set to true. Only is used if $wgCheckUserLogLogins is true
$wgCheckUserMaximumRowCount 5000 The maximum number of results that can be returned by Special:CheckUser. Before MediaWiki 1.39, in the 'Get edits' and 'Get IPs' results having over 5,000 results would return the results in a different format. From MediaWiki 1.39 this is the maximum number of results to show by page and more can be generated using the paging links
$wgCheckUserInvestigateMaximumRowCount 25000 Similar to $wgCheckUserMaximumRowCount, but for Investigate
$wgCheckUserTemporaryAccountMaxAge (1.40+) 86400 The number of seconds for which the temporary account API response is fresh.
$wgCheckUserEventTablesMigrationStage (1.40+) 3 (1.40)
259 (1.41)
769 (1.42-1.43)
768 (1.43)
Used to control the migration stage of log events stored in cu_changes to the new cu_log_event and cu_private_event tables. Is temporary and will be removed once migration is complete.
$wgCheckUserClientHintsEnabled (1.41+) true Used to control whether client hints should be collected and displayed in results by CheckUser.
$wgCheckUserClientHintsSpecialPages (1.41+) [ "CreateAccount", "Emailuser", "PasswordReset", "Userlogin", "Userlogout" ] The list of SpecialPages where CheckUser will request client hints if $wgCheckUserClientHintsEnabled is true.
$wgCheckUserClientHintsActionQueryParameter (1.41+) [ "history" ] The list of "action" values in the query parameters where client hints will be requested.
$wgCheckUserClientHintsHeaders (1.41+) { "Sec-CH-UA": "", "Sec-CH-UA-Arch": "architecture", "Sec-CH-UA-Bitness": "bitness", "": "brands", "Sec-CH-UA-Form-Factor": "", "Sec-CH-UA-Full-Version-List": "fullVersionList", "Sec-CH-UA-Mobile": "mobile", "Sec-CH-UA-Model": "model", "Sec-CH-UA-Platform": "platform", "Sec-CH-UA-Platform-Version": "platformVersion", "Sec-CH-UA-WoW64": ""} The list of client hint types that will be requested. Keys represent the client hint values requested using the Accept-CH header. Values represent the equivalent name when requesting them from the JS client side client hints API.
$wgCheckUserClientHintsUnsetHeaderWhenPossible (1.41+) true If true, the server will send an empty Accept-CH header when the user is viewing a page which does not need client hints data.
$wgCheckUserGlobalContributionsCentralWikiId (1.44+) null A string representing the name of the wiki to designate as the "central" wiki for Special:GlobalContributions. Setting this will redirect all other wiki's Special:GlobalContributions page to the central wiki's instead.

Special:CheckUser 用法

基本界面

  1. 前往Special:CheckUser
  2. 在“user”字段中,输入用户名(不带User:前缀),IP网址或CIDR范围。
    • IP:任何IPv4或IPv6网址。
    • CIDR: you can check a range of IP addresses by appending the CIDR prefix. The CIDR prefix value for IPv4 can be between 16-32 and the value for IPv6 can be between 19-128. The smaller number for both ranges can be changed using the configuration variable $wgCheckUserCIDRLimit. For notation, see Help:段封禁 .
    • XFF: you can check a client IP address provided by X-Forwarded-For headers by appending /xff (for example, 127.0.0.1/xff).
  1. Select the information you want to retrieve.
    • 获取IP地址 - returns IP addresses used by a registered user.
    • 获取操作 - returns all edits and logged actions made by users using an IP address or range specified in the target field, or if the target is a user all edits and logged actions by that user.
    • 获取用户 - returns user accounts that have edited from an IP or range.
  1. In the "原因:" field, type in the reason you are accessing the confidential data.

Try to succinctly summarise the situation (for example, "cross-wiki spam"); this will be logged in a log visible only to users with the checkuser-log permission.

显示的信息

用户查核结果中的典型条目是用户摘要(“获取用户”)如下:


  1. Example user agent

这种格式适合将大量信息整合到一种非常容易列出和删除的格式中,但除非您知道所提供的信息,否则很难阅读。 信息如下:

  • 用户名 (用户连接) (从给定的IP或范围编辑的时间段:) [来自IP或范围的编辑数]
    1. 來自編輯的IP地址 XFF: 提供XFF信息(可以被欺骗)

按使用顺序列出用于编辑的每个IP / XFF组合。

后面列出了每个用户在IP或范围内进行编辑的最后十个用户代理(浏览器、操作系统、系统语言和版本)。

XFF格式

XFF (X-Forwarded-For) headers indicate the series of IP addresses used from the user's computer (first) to the last proxy server. In case of Wikimedia, the last proxy server is one of the Wikimedia proxies (listed under $wgCdnServersNoPurge in the Wikimedia configuration file).

另一个例子

aaa.aaa.aaa.aaa XFF: 10.4.46.42, 127.0.0.1, aaa.aaa.aaa.aaa, 208.80.152.46

  • 前两个地址(10.4.46.42127.0.0.1)是原始网络专用的,无法直接从公共互联网访问,
  • 第三个地址(aaa.aaa.aaa.aaa)是编辑器的“公共面孔”,通常是宽带或拨号ISP,公司网关(但可能是匿名者或受恶意软件攻击的服务器),
  • 最后一个地址(208.80.152.46)是维基媒体Squid之一(sq36.wikimedia.org)。

MediaWiki configuration settings $wgUsePrivateIPs , $wgCdnServers , $wgCdnServersNoPurge and extensions using the IsTrustedProxy hook (such as Extension:TrustedXFF ) change the way an actual IP address used to attribute edits is selected.

个人工具链接

When you get results from Special:CheckUser you can add personal user tool links via the following interface messages:

  • MediaWiki:checkuser-toollinks for IPs in the 'Get IP Addresses' check type (for example m:MediaWiki:checkuser-toollinks)
  • MediaWiki:Checkuser-cidr-tool-links for IP ranges produced by the CIDR calculator present at the bottom of all Special:CheckUser pages. Interface message added in 1.41.

Special:Investigate 用法

基本用法

  1. 前往Special:Investigate。
  2. In the 用户名和IP地址 field, type in up to 10 targets, which may be usernames (without the User: prefix), IP addresses, or CIDR ranges.
  3. In the 原因 field, enter the reason you are accessing the confidential data, as described in the Special:CheckUser instructions above; this will be logged in a log visible only to users with the checkuser-log permission.

For advanced feature usage, see Help:Special Investigate.

定制工具链接

As with Special:CheckUser, links to external tools can be customized.

The links are defined in the checkuser-investigate-compare-toollinks message. This message is parsed to find links, which are added to the menu in the IP和用户代理 tab.


Special:IPContributions usage

This page is only available if temporary accounts are known on a wiki (See MainConfigSchema::AutoCreateTempUser for more information). It's used to examine the temporary accounts associated with an IP.

To use this page, you must have the right to view IP addresses (checkuser-temporary-account) and have enabled the preference to view IP addresses (on Special:Preferences, under "临时账号IP显示").

Basic usage

  1. Go to Special:IPContributions.
  2. In the IP地址或范围: field, input an IP (IPv4 or IPv6) or CIDR range.
  3. Adjust parameters as necessary and submit a search. This action will be logged to the checkuser-temporary-account log which will be visible to users with the checkuser-temporary-account-log right.

Special: GlobalContributions usage

This page is only available if temporary accounts are known on a wiki (See MainConfigSchema::AutoCreateTempUser for more information) and Extension:GlobalPreferences is enabled. Given an IP, it aggregates all revisions from temporary accounts across all wikis within the wiki farm that the user has the right to see.

To use this page, you must have the right to view IP addresses (checkuser-temporary-account) and have enabled the global preference to view IP addresses (on Special:GlobalPreferences, under "临时账号IP显示").

Basic usage

  1. Go to Special:GlobalContributions
  2. In the IP地址或范围: field, input an IP (IPv4 or IPv6) or CIDR range.
  3. Adjust parameters as necessary and submit a search. This action will be logged to the checkuser-temporary-account log which will be visible to users with the checkuser-temporary-account-log right.
  4. Alongside local results, results will be returned for wikis on which you also have the checkuser-temporary-account right.

Showing IPs for temporary accounts

MediaWiki版本:
1.40
 

The CheckUser extension will show since MediaWiki 1.40 a button that is displayed next to temporary account user links which allows the revealing of their IP address.

This functionality is available exclusively to users with the checkuser-temporary-account privilege, granting them the ability to view the IP addresses that are linked to temporary accounts. To access this information, the Enable revealing IP addresses for temporary accounts feature must be enabled on the user's Special:Preferences page.

These buttons will appear wherever user links are shown for a temporary account, such as when viewing page histories or in Special:Contributions. However, these will not be shown on Special:CheckUser, Special:Investigate or Special:InvestigateBlock.

API

CheckUser and CheckUserLog API

CheckUser提供了一个API,允许访问在Special:CheckUser和Special:CheckUserLog上显示的信息。 These two APIs work fairly similarly to the special pages, but the reason for a check using the checkuser API is prefixed with "API:" to indicate they were made using the API. Example usages of these APIs are shown below.

CheckUser API
api.php?action=query&list=checkuser&curequest=userips&cutarget=Jimbo_Wales
api.php?action=query&list=checkuser&curequest=edits&cutarget=127.0.0.1/16&xff=1&cureason=Some_check
CheckUserLog API
api.php?action=query&list=checkuserlog&culuser=WikiSysop&cullimit=25
api.php?action=query&list=checkuserlog&cultarget=127.0.0.1&culfrom=20111015230000

Temporary Account Reveal API

MediaWiki版本:
1.40

Usage

The TemporaryAccountHandler class offers API endpoints for retrieving the IP addresses associated with temporary user accounts. To access this information, the Enable revealing IP addresses for temporary accounts feature must be enabled on the user's Special:Preferences page.

API endpoint

GET /rest.php/checkuser/v0/temporaryaccount/{name} where {name} is the user name you want to look up

Response

If the request is successful, the API will respond with a JSON object containing the following fields:

Name Type Description
ips string[] IPs of the given temporary account

If the request fails, the API will respond with an appropriate error code and message.

Example request

GET /rest.php/checkuser/v0/temporaryaccount/*Unregistered%202

Example response

{"ips": [ "114.127.69.62" , "212.47.235.82" , "212.47.235.81" ]}

TemporaryAccountRevisionHandler

The TemporaryAccountRevisionHandler class offers API endpoints for viewing the IP associated with a revision for temporary accounts. You can specify one or multiple revision IDs in the query string.

API endpoint

GET /rest.php/checkuser/v0/temporaryaccount/*Unregistered%203/revisions/{revisionId} where {revisionId} is the revision ID(s) you want to look up separated by the | character.

Response

If the request is successful, the API will respond with a JSON object containing the following fields:

Name Type Description
ips dictionary The revision ID as the key and the associated IP address as the value.

If the request fails, the API will respond with an appropriate error code and message.

Example request

GET /rest.php/checkuser/v0/temporaryaccount/*Unregistered%203/revisions/31

Example response

{"ips":{"31":"40.175.36.227"}}

Example request with multiple revisions

GET /w/rest.php/checkuser/v0/temporaryaccount/*Unregistered%205/revisions/194|193

Example response

{"ips":{"194":"40.175.36.227","193":"1.2.3.4"}}