Extension:用户查核
CheckUser 发行状态: 稳定版 |
|
---|---|
实现 | 特殊页面 , 用户身份 , API , 函数钩 , 数据库 |
描述 | CheckUser功能可以讓拥有权限的用户可以去查核所给定的用户名使用了哪些IP地址和给定的IP使用了哪些用户名,而无须直接手动在数据库中运行查询。 |
作者 | Tim Starling, Aaron Schulz, Dreamy Jazz |
最新版本 | 2.5 (continuous updates) |
兼容性政策 | 快照跟随MediaWiki发布。 master分支不向后兼容。 |
PHP | 7.4.3+ |
数据库更改 | 是 |
虚拟域 | virtual-checkuser-global |
表 | cu_changes cu_log_event cu_private_event cu_log cu_useragent_clienthints cu_useragent_clienthints_map cu_useragent cuci_wiki_map cuci_temp_edit cuci_user |
许可协议 | GNU通用公眾授權條款2.0或更新版本 |
下載 | |
|
|
|
|
|
|
季度下載量 | 208 (Ranked 28th) |
正在使用的公开wiki数 | 9,118 (Ranked 13th) |
前往translatewiki.net翻譯CheckUser扩展 | |
問題 | 开启的任务 · 报告错误 |
- 這是一個關於扩展本身的頁面。 關於維基媒體基金會的用户查核政策,見用户查核方针。
CheckUser是一个允许拥有checkuser
权限的用户查核给定IP地址下的用户和给定用户使用的IP地址的,而无须手动在数据库运行查询的扩展。
這個擴展正運作在所有維基媒體的維基項目上。
更新将根据维基媒体基金会的wiki的需要进行,或在发现关键漏洞时进行。
安裝
- 下载文件,并将解压后的
CheckUser
文件夹移动到extensions/
目录中。
开发者和代码贡献人员应从Git安装扩展,输入:cd extensions/
git clone https://gerrit.wikimedia.org/r/mediawiki/extensions/CheckUser - 只有從git安裝才运行Composer来安装PHP依赖,通过发行
composer install --no-dev
至扩展目录。 (参见工單T173141了解潜在问题。) - 将下列代码放置在您的LocalSettings.php 的底部:
wfLoadExtension( 'CheckUser' );
- 运行更新脚本,它将自动创建此扩展必须依赖的数据库表。
- Configure as required.
- 完成 – 在您的wiki上导航至Special:Version,以验证已成功安装扩展。
Using MediaWiki-Docker
Follow the steps in MediaWiki-Docker/Extension/CheckUser to install this extension inside a MediaWiki Docker instance.
配置
这个工具可将最近的更改数据复制到单独的表格中,并在添加新条目时进行添加。
如果将$wgPutIPinRC
设置为false
,复制的数据将不包含相关的IP地址。
However, entries added after installation of this extension will contain the IP address.
安装此扩展后,您可以减少$wgRCMaxAge
以缩短最近更改的时间,而不会影响查核用户。
使用$wgCUDMaxAge
设置checkuser的查询日期,以秒为单位。
特定于查核用户的设置$wgCheckUserCIDRLimit决定了单次检查中可检查的最大范围。
他的格式与$wgBlockCIDRLimit 设置相同。
$2查核的默认限额为/19
,$4查核的默认限额为/16
。
To allow this tool to log successful and failed login attempts as well as logouts, set $wgCheckUserLogLogins
to true
.
If you have bot accounts on your wiki, setting $wgCheckUserLogSuccessfulBotLogins
to false
will skip logging successful login attempts to bot accounts.
MediaWiki版本: | ≥ 1.43 |
If the extension is installed on a multi-wiki install, then you should set $wgVirtualDomainsMapping for the virtual-checkuser-global
to point to a central database table.
Setting this will ensure that the central index tables are actually on a central DB, and therefore the GlobalBlocking global autoblocks and GUC work.
After doing this, you will need to run update.php
to create the tables on the central wiki.
Troubleshooting Special:GlobalContributions functionality
If Special:GlobalContributions is not returning revisions as expected (e.g. you have revisions on another wiki that you can view on that wiki), a misconfiguration may be causing an internal failure that isn't user-facing (as it cannot be user resolved). Check that:
- Your user has a central account and that their accounts on the affected wiki are linked. This can be checked at Special:MergeAccount.
- The affected wiki is known to the wiki farm. This is defined in the
sites
table and wikis can be added to this table via theaddSite
maintenance script. You'll need to ensure that the optional parameterspagepath
andfilepath
are filled out (eg.php ./maintenance/run.php ./maintenance/addSite.php $wikiName wiki --pagepath https://hostname/wiki/\$1 --filepath https://hostname/w/\$1
), as Special:GlobalContributions uses these to generate API queries and links. - The central database is set with
virtual-checkuser-global
(eg.$wgVirtualDomainsMapping['virtual-checkuser-global'] = [ 'db' => $wiki ];
) and that thecuci_temp_edit
table is recording revisions from the affected wiki. - If necessary, cross-domain cookies should be enabled as the
centralauth
token must work across both wikis.
授权权限以使用用户查核
要授予Special:CheckUser、Special:Investigate 和Special:CheckUserLog的使用权,用户权限管理用户必须访问Special:UserRights,在框中输入用户名,然后选择 「checkuser」选项。 完成此操作后,上述特殊页面将显示在该用户的Special:SpecialPages页面中。
To allow users to access the IP addresses of temporary accounts , they should be granted the checkuser-temporary-account right.
要赋予系统管理员该扩展的所有权限,请在LocalSettings.php
中输入以下内容:
$wgGroupPermissions['sysop']['checkuser'] = true;
$wgGroupPermissions['sysop']['checkuser-log'] = true;
$wgGroupPermissions['sysop']['investigate'] = true;
$wgGroupPermissions['sysop']['checkuser-temporary-account'] = true;
要仅允许添加和删除checkuser
权限,请使用以下代码:
$wgAddGroups['sysop'][] = 'checkuser';
$wgRemoveGroups['sysop'][] = 'checkuser';
配置
参数 | 默认 | 评论 |
---|---|---|
$wgCUDMaxAge
|
7776000
|
保留多久用户查核日志(以秒为单位)? (默认= 3个月) |
$wgCheckUserMaxBlocks
|
200
|
最大封鎖限制 |
$wgCheckUserForceSummary
|
false
|
如果要强制用户查核员通过Special:CheckUser为每个检查提供原因,请将此设置为true。 (不是很有用,因为用户查核员可以简单地给出一个摘要,例如“他们需要被检查”或“我想要檢查”并且软件不会知道是否合理。) |
$wgCheckUserCIDRLimit
|
[ 'IPv4' => 16, 'IPv6' => 19 ]
|
可以在任何单独范围检查中检查的最短CIDR限制 |
$wgCUPublicKey
|
''
|
用于加密私人数据的公共密钥,以后可能需要读取。 使用以下命令產生公開密鑰:
Used with an associated private key to encrypt certain data that is not shown to CUs but stored in the cu_changes or cu_private_event table. Currently this is only the recipients of emails. Without a valid public key the data will not be stored. |
$wgCheckUserCAMultiLock
|
false
|
这可用于通过中央认证向Special:CheckUser的查核结果表单表单添加Special:MultiLock的链接。 这需要在wiki上安装中央认证 扩展。 To enable this, set this to an array with a central wiki's database name and an array with the name(s) of the global group(s) to add the link for. 例如:
$wgCheckUserCAMultiLock = [
'centralDB' => 'metawiki',
'groups' => [ 'steward' ]
];
|
$wgCheckUserCAtoollink
|
false
|
从77360f1cf1d2起。 This adds a link to central wiki Special:CentralAuth to the Special:CheckUser's "Get users" results. This requires the 中央认证 extension to be installed on the wiki. To enable this, set this with a central wiki's database name. 例如:
$wgCheckUserCAtoollink = 'metawiki';
|
$wgCheckUserGBtoollink
|
false
|
从77360f1cf1d2起。 This adds a link to local or central wiki Special:GlobalBlock to the Special:CheckUser's "Get users" results. This requires the GlobalBlocking extension to be installed on the wiki. To enable this, if a $wgConf is configured, set this to an array with a central wiki's database name and an array with the name(s) of the local (or global if you have 中央认证 installed) group(s) to add the link for. 例如:
$wgCheckUserGBtoollink = [
'centralDB' => 'metawiki',
'groups' => [ 'steward', 'staff' ]
];
|
$wgCheckUserEnableSpecialInvestigate (1.35-1.43)
|
false (<=1.39)true (1.40+)
|
从57dcfe46d2e4起。 This enables Special:Investigate, an updated version of Special:CheckUser that allows checking for multiple user accounts and IP addresses within one investigation. |
$wgCheckUserLogLogins
|
false
|
Whether CheckUser should log login and logout attempts (both successful and not). |
$wgCheckUserLogSuccessfulBotLogins
|
true
|
Whether CheckUser should store successful login attempts to accounts with the bot user group if $wgCheckUserLogLogins is set to true . Only is used if $wgCheckUserLogLogins is true
|
$wgCheckUserMaximumRowCount
|
5000
|
The maximum number of results that can be returned by Special:CheckUser. Before MediaWiki 1.39, in the 'Get edits' and 'Get IPs' results having over 5,000 results would return the results in a different format. From MediaWiki 1.39 this is the maximum number of results to show by page and more can be generated using the paging links |
$wgCheckUserInvestigateMaximumRowCount
|
25000
|
Similar to $wgCheckUserMaximumRowCount, but for Investigate |
$wgCheckUserTemporaryAccountMaxAge (1.40+)
|
86400
|
The number of seconds for which the temporary account API response is fresh. |
$wgCheckUserEventTablesMigrationStage (1.40+)
|
3 (1.40)259 (1.41) 769 (1.42-1.43) 768 (1.43)
|
Used to control the migration stage of log events stored in cu_changes to the new cu_log_event and cu_private_event tables. Is temporary and will be removed once migration is complete. |
$wgCheckUserClientHintsEnabled (1.41+)
|
true
|
Used to control whether client hints should be collected and displayed in results by CheckUser. |
$wgCheckUserClientHintsSpecialPages (1.41+)
|
[ "CreateAccount", "Emailuser", "PasswordReset", "Userlogin", "Userlogout" ]
|
The list of SpecialPages where CheckUser will request client hints if $wgCheckUserClientHintsEnabled is true .
|
$wgCheckUserClientHintsActionQueryParameter (1.41+)
|
[ "history" ]
|
The list of "action" values in the query parameters where client hints will be requested. |
$wgCheckUserClientHintsHeaders (1.41+)
|
{ "Sec-CH-UA": "", "Sec-CH-UA-Arch": "architecture", "Sec-CH-UA-Bitness": "bitness", "": "brands", "Sec-CH-UA-Form-Factor": "", "Sec-CH-UA-Full-Version-List": "fullVersionList", "Sec-CH-UA-Mobile": "mobile", "Sec-CH-UA-Model": "model", "Sec-CH-UA-Platform": "platform", "Sec-CH-UA-Platform-Version": "platformVersion", "Sec-CH-UA-WoW64": "" }
|
The list of client hint types that will be requested. Keys represent the client hint values requested using the Accept-CH header. Values represent the equivalent name when requesting them from the JS client side client hints API. |
$wgCheckUserClientHintsUnsetHeaderWhenPossible (1.41+)
|
true
|
If true , the server will send an empty Accept-CH header when the user is viewing a page which does not need client hints data.
|
$wgCheckUserGlobalContributionsCentralWikiId (1.44+)
|
null
|
A string representing the name of the wiki to designate as the "central" wiki for Special:GlobalContributions. Setting this will redirect all other wiki's Special:GlobalContributions page to the central wiki's instead. |
Special:CheckUser 用法
基本界面
- 前往Special:CheckUser。
- 在“user”字段中,输入用户名(不带
User:
前缀),IP网址或CIDR范围。- IP:任何IPv4或IPv6网址。
- CIDR: you can check a range of IP addresses by appending the CIDR prefix. The CIDR prefix value for IPv4 can be between 16-32 and the value for IPv6 can be between 19-128. The smaller number for both ranges can be changed using the configuration variable $wgCheckUserCIDRLimit. For notation, see Help:段封禁 .
- XFF: you can check a client IP address provided by X-Forwarded-For headers by appending
/xff
(for example,127.0.0.1/xff
).
- XFF: you can check a client IP address provided by X-Forwarded-For headers by appending
- Select the information you want to retrieve.
- 获取IP地址 - returns IP addresses used by a registered user.
- 获取操作 - returns all edits and logged actions made by users using an IP address or range specified in the target field, or if the target is a user all edits and logged actions by that user.
- 获取用户 - returns user accounts that have edited from an IP or range.
- In the "原因:" field, type in the reason you are accessing the confidential data.
Try to succinctly summarise the situation (for example, "cross-wiki spam"); this will be logged in a log visible only to users with the checkuser-log
permission.
-
基本检查用户界面
-
用户名检查的例子
-
IP檢查的例子
-
Example Get edits check
-
示例日志
显示的信息
用户查核结果中的典型条目是用户摘要(“获取用户”)如下:
- Example (talk | contribs | block) (Check) (20:11, 21 12月 2024 -- 20:12, 21 12月 2024) [5]
- 127.0.0.37 XFF: 127.0.0.1, 127.0.0.5
- Example user agent
这种格式适合将大量信息整合到一种非常容易列出和删除的格式中,但除非您知道所提供的信息,否则很难阅读。 信息如下:
- 用户名 (用户连接) (从给定的IP或范围编辑的时间段:) [来自IP或范围的编辑数]
- 來自編輯的IP地址 XFF: 提供XFF信息(可以被欺骗)
按使用顺序列出用于编辑的每个IP / XFF组合。
后面列出了每个用户在IP或范围内进行编辑的最后十个用户代理(浏览器、操作系统、系统语言和版本)。
XFF格式
XFF (X-Forwarded-For) headers indicate the series of IP addresses used from the user's computer (first) to the last proxy server. In case of Wikimedia, the last proxy server is one of the Wikimedia proxies (listed under $wgCdnServersNoPurge in the Wikimedia configuration file).
另一个例子
aaa.aaa.aaa.aaa XFF: 10.4.46.42, 127.0.0.1, aaa.aaa.aaa.aaa, 208.80.152.46
- 前两个地址(
10.4.46.42
、127.0.0.1
)是原始网络专用的,无法直接从公共互联网访问, - 第三个地址(
aaa.aaa.aaa.aaa
)是编辑器的“公共面孔”,通常是宽带或拨号ISP,公司网关(但可能是匿名者或受恶意软件攻击的服务器), - 最后一个地址(
208.80.152.46
)是维基媒体Squid之一(sq36.wikimedia.org
)。
MediaWiki configuration settings $wgUsePrivateIPs , $wgCdnServers , $wgCdnServersNoPurge and extensions using the IsTrustedProxy hook (such as Extension:TrustedXFF ) change the way an actual IP address used to attribute edits is selected.
个人工具链接
When you get results from Special:CheckUser you can add personal user tool links via the following interface messages:
MediaWiki:checkuser-userlinks-ip
for IP addresses (for example m:MediaWiki:checkuser-userlinks-ip)
MediaWiki:Checkuser-userlinks
for registered users (for example m:MediaWiki:Checkuser-userlinks)
MediaWiki:checkuser-toollinks
for IPs in the 'Get IP Addresses' check type (for example m:MediaWiki:checkuser-toollinks)MediaWiki:Checkuser-cidr-tool-links
for IP ranges produced by the CIDR calculator present at the bottom of all Special:CheckUser pages. Interface message added in 1.41.
Special:Investigate 用法
基本用法
- 前往Special:Investigate。
- In the 用户名和IP地址 field, type in up to 10 targets, which may be usernames (without the
User:
prefix), IP addresses, or CIDR ranges. - In the 原因 field, enter the reason you are accessing the confidential data, as described in the Special:CheckUser instructions above; this will be logged in a log visible only to users with the checkuser-log permission.
-
输入形式
-
账号信息标签
-
IP和用户代理标签
-
时间轴标签
For advanced feature usage, see Help:Special Investigate.
定制工具链接
As with Special:CheckUser, links to external tools can be customized.
The links are defined in the checkuser-investigate-compare-toollinks
message.
This message is parsed to find links, which are added to the menu in the IP和用户代理 tab.
Special:IPContributions usage
This page is only available if temporary accounts are known on a wiki (See MainConfigSchema::AutoCreateTempUser
for more information).
It's used to examine the temporary accounts associated with an IP.
To use this page, you must have the right to view IP addresses (checkuser-temporary-account
) and have enabled the preference to view IP addresses (on Special:Preferences, under "临时账号IP显示").
Basic usage
- Go to Special:IPContributions.
- In the IP地址或范围: field, input an IP (IPv4 or IPv6) or CIDR range.
- Adjust parameters as necessary and submit a search. This action will be logged to the
checkuser-temporary-account
log which will be visible to users with thecheckuser-temporary-account-log
right.
-
Input form
-
Example results
Special: GlobalContributions usage
This page is only available if temporary accounts are known on a wiki (See MainConfigSchema::AutoCreateTempUser
for more information) and Extension:GlobalPreferences is enabled.
Given an IP, it aggregates all revisions from temporary accounts across all wikis within the wiki farm that the user has the right to see.
To use this page, you must have the right to view IP addresses (checkuser-temporary-account
) and have enabled the global preference to view IP addresses (on Special:GlobalPreferences, under "临时账号IP显示").
Basic usage
- Go to Special:GlobalContributions
- In the IP地址或范围: field, input an IP (IPv4 or IPv6) or CIDR range.
- Adjust parameters as necessary and submit a search. This action will be logged to the
checkuser-temporary-account
log which will be visible to users with thecheckuser-temporary-account-log
right. - Alongside local results, results will be returned for wikis on which you also have the
checkuser-temporary-account
right.
-
Input form
-
Example results
Showing IPs for temporary accounts
MediaWiki版本: | ≥ 1.40 |
The CheckUser extension will show since MediaWiki 1.40 a button that is displayed next to temporary account user links which allows the revealing of their IP address.
This functionality is available exclusively to users with the checkuser-temporary-account
privilege, granting them the ability to view the IP addresses that are linked to temporary accounts.
To access this information, the Enable revealing IP addresses for temporary accounts feature must be enabled on the user's Special:Preferences page.
These buttons will appear wherever user links are shown for a temporary account, such as when viewing page histories or in Special:Contributions. However, these will not be shown on Special:CheckUser, Special:Investigate or Special:InvestigateBlock.
API
CheckUser and CheckUserLog API
CheckUser提供了一个API,允许访问在Special:CheckUser和Special:CheckUserLog上显示的信息。
These two APIs work fairly similarly to the special pages, but the reason for a check using the checkuser
API is prefixed with "API:" to indicate they were made using the API.
Example usages of these APIs are shown below.
- CheckUser API
api.php?action=query&list=checkuser&curequest=userips&cutarget=Jimbo_Wales api.php?action=query&list=checkuser&curequest=edits&cutarget=127.0.0.1/16&xff=1&cureason=Some_check
- CheckUserLog API
api.php?action=query&list=checkuserlog&culuser=WikiSysop&cullimit=25 api.php?action=query&list=checkuserlog&cultarget=127.0.0.1&culfrom=20111015230000
Temporary Account Reveal API
MediaWiki版本: | ≥ 1.40 |
Usage
The TemporaryAccountHandler class offers API endpoints for retrieving the IP addresses associated with temporary user accounts. To access this information, the Enable revealing IP addresses for temporary accounts feature must be enabled on the user's Special:Preferences page.
API endpoint
GET /rest.php/checkuser/v0/temporaryaccount/{name}
where {name}
is the user name you want to look up
Response
If the request is successful, the API will respond with a JSON object containing the following fields:
Name | Type | Description |
---|---|---|
ips
|
string[]
|
IPs of the given temporary account |
If the request fails, the API will respond with an appropriate error code and message.
Example request
GET /rest.php/checkuser/v0/temporaryaccount/*Unregistered%202
Example response
{"ips": [ "114.127.69.62" , "212.47.235.82" , "212.47.235.81" ]}
TemporaryAccountRevisionHandler
The TemporaryAccountRevisionHandler class offers API endpoints for viewing the IP associated with a revision for temporary accounts. You can specify one or multiple revision IDs in the query string.
API endpoint
GET /rest.php/checkuser/v0/temporaryaccount/*Unregistered%203/revisions/{revisionId}
where {revisionId}
is the revision ID(s) you want to look up separated by the |
character.
Response
If the request is successful, the API will respond with a JSON object containing the following fields:
Name | Type | Description |
---|---|---|
ips
|
dictionary
|
The revision ID as the key and the associated IP address as the value. |
If the request fails, the API will respond with an appropriate error code and message.
Example request
GET /rest.php/checkuser/v0/temporaryaccount/*Unregistered%203/revisions/31
Example response
{"ips":{"31":"40.175.36.227"}}
Example request with multiple revisions
GET /w/rest.php/checkuser/v0/temporaryaccount/*Unregistered%205/revisions/194|193
Example response
{"ips":{"194":"40.175.36.227","193":"1.2.3.4"}}
此扩展用于一个或多个维基媒体项目。 这可能意味着扩展足够稳定、运作足够良好,可以用在这样的高流量的网站上。 请在维基媒体的CommonSettings.php和InitialiseSettings.php配置文件中查找此扩展的名称以查看哪些网站安装了该扩展。 特定wiki上的已安装的扩展的完整列表位于Special:Version页面。 |
此扩展在以下wiki农场/托管网站和/或软件包中提供: 這不是一份權威名單。 即使某些wiki农场/托管网站和/或软件包未在这里列出,它们也可能提供此扩展。 请检查你的wiki农场/托管网站或软件包以确认提供情况。 |
- Stable extensions/zh
- Special page extensions/zh
- User identity extensions/zh
- API extensions/zh
- Hook extensions/zh
- Database extensions/zh
- GPL licensed extensions/zh
- Extensions in Wikimedia version control/zh
- Extensions which add rights/zh
- APIGetAllowedParams extensions/zh
- AuthManagerLoginAuthenticateAudit extensions/zh
- BeforeInitialize extensions/zh
- BeforePageDisplay extensions/zh
- ContributionsToolLinks extensions/zh
- EmailUser extensions/zh
- GetPreferences extensions/zh
- GlobalBlockingGetRetroactiveAutoblockIPs extensions/zh
- GlobalPreferencesSetGlobalPreferences extensions/zh
- LoadExtensionSchemaUpdates extensions/zh
- LocalUserCreated extensions/zh
- PerformRetroactiveAutoblock extensions/zh
- RecentChange save extensions/zh
- RenameUserSQL extensions/zh
- ResourceLoaderRegisterModules extensions/zh
- SaveUserOptions extensions/zh
- SpecialContributionsBeforeMainOutput extensions/zh
- SpecialPageBeforeExecute extensions/zh
- SpecialPage initList extensions/zh
- User::mailPasswordInternal extensions/zh
- UserLogoutComplete extensions/zh
- UserMergeAccountFields extensions/zh
- UserToolLinksEdit extensions/zh
- All extensions/zh
- Extensions requiring Composer with git/zh
- Extensions used on Wikimedia/zh
- Extensions included in Canasta/zh
- Extensions included in Fandom/zh
- Extensions included in Miraheze/zh
- Extensions included in ShoutWiki/zh
- Extensions included in Telepedia/zh
- Extensions included in WikiForge/zh
- Log extensions/zh