Assign checkuser-temporary-account right to various groups
Closed, Resolved. Public. 1 Estimated Story Points

Description

This should only be done once we are happy to deploy the IP reveal work.

  • Assign by default to checkusers via CheckUser's extension.json
  • Assign to sysops via mediawiki-config
  • Assign to bureaucrats via mediawiki-config
  • Assign to users via autopromoteonce: 6 months account age and 300 edits (using the group added in T334620)

Notes:

Event Timeline

Tchanders changed the task status from Open to Stalled. Mar 3 2023, 5:37 PM

Stalled pending deployment date

Tchanders renamed this task from Assign checkuser-temporary-account right to certain groups to Assign checkuser-temporary-account right to admins. Apr 12 2023, 7:37 PM
Tchanders updated the task description.
  • Assign to users via autopromote: 6 months account age and 300 edits

I think it would be better to use $wgAutopromoteOnce so that access can be revoked like other user groups. (See wmgAutopromoteOnceonEdit in InitialiseSettings.php for examples of current use.)

Tchanders renamed this task from Assign checkuser-temporary-account right to admins to Assign checkuser-temporary-account right to various groups. Oct 12 2023, 5:06 PM

Note the current Wikimedia Access to Temporary Account IP Addresses Policy has a "not blocked in more than one project" requirement, which is copied from board election eligibility, and I consider it not appropriate as a required minimal requirement; in T356294#9504584 I propose that it be amended so this requirement should be removed. Actually modifying the policy requires WMF legal.

Another thing we need to clarify with legal, from the policy:

User account has made a minimum of 300 edits to Wikimedia projects

...which seems to imply 300 edits across all projects, which contradicts this task description.

We have asked legal and are awaiting an answer (@Madalina is helping with this). If it is across all wikis, we need to investigate how to do this technically.

We've been told that it is across all projects.

(Leaving the task as stalled because we don't actually want to do this until we deploy temp accounts.)

@Niharika has confirmed that these will be treated as local criteria: you get access to reveal IPs on wikis where you fulfil those criteria locally. I am told this was agreed in discussion with stewards and with Legal, and that the access policy will be updated to reflect it.

Dreamy_Jazz changed the task status from Stalled to Open. Sep 18 2024, 4:20 PM
Dreamy_Jazz claimed this task.
Dreamy_Jazz set the point value for this task to 1.

Change #1073844 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[operations/mediawiki-config@master] Autopromote users into checkuser-temporary-account-viewer

https://gerrit.wikimedia.org/r/1073844

Change #1073844 merged by jenkins-bot:

[operations/mediawiki-config@master] Autopromote users into checkuser-temporary-account-viewer

https://gerrit.wikimedia.org/r/1073844

Mentioned in SAL (#wikimedia-operations) [2024-09-18T16:26:17Z] <dreamyjazz@deploy1003> Started scap sync-world: Backport for [[gerrit:1073844|Autopromote users into checkuser-temporary-account-viewer (T369187 T327913)]]

Mentioned in SAL (#wikimedia-operations) [2024-09-18T16:28:31Z] <dreamyjazz@deploy1003> dreamyjazz: Backport for [[gerrit:1073844|Autopromote users into checkuser-temporary-account-viewer (T369187 T327913)]] synced to the testservers (https://wikitech.wikimedia.org/wiki/Mwdebug)

Mentioned in SAL (#wikimedia-operations) [2024-09-18T16:40:20Z] <dreamyjazz@deploy1003> Finished scap sync-world: Backport for [[gerrit:1073844|Autopromote users into checkuser-temporary-account-viewer (T369187 T327913)]] (duration: 14m 06s)

I've completed all the items listed in the task. For QA, this can only really be fully checked on production wikis.

Things to check:

  1. On Special:ListGroupRights you see that the sysop and bureaucrat groups have the checkuser-temporary-account right on any production wiki
  2. On Special:ListGroupRights you see that the checkuser and suppress groups have the checkuser-temporary-account-no-preference right on any production wiki
  3. Making the following request to the API on a wiki with temporary accounts enabled shows that the checkuser-temporary-account-viewer group is added via auto-promotion
Request data:
{
	"action": "query",
	"format": "json",
	"meta": "siteinfo",
	"formatversion": "2",
	"siprop": "autopromoteonce"
}
In the response this should be included:
"checkuser-temporary-account-viewer": {
	"operand": "&",
	"0": {
		"condname": "APCOND_EDITCOUNT",
		"params": [
			300
		]
	},
	"1": {
		"condname": "APCOND_AGE",
		"params": [
			15552000
		]
	},
	"2": {
		"operand": "!",
		"0": {
			"condname": "APCOND_INGROUPS",
			"params": [
				"sysop"
			]
		}
	},
	"3": {
		"operand": "!",
		"0": {
			"condname": "APCOND_INGROUPS",
			"params": [
				"checkuser"
			]
		}
	},
	"4": {
		"operand": "!",
		"0": {
			"condname": "APCOND_INGROUPS",
			"params": [
				"suppress"
			]
		}
	},
	"5": {
		"operand": "!",
		"0": {
			"condname": "APCOND_INGROUPS",
			"params": [
				"bureaucrat"
			]
		}
	},
	"6": {
		"operand": "!",
		"0": {
			"condname": "APCOND_INGROUPS",
			"params": [
				"bot"
			]
		}
	}
}
  4. On wikis without temporary accounts enabled, the above request to the API should not include the checkuser-temporary-account-viewer group in the response

Testing that the user is actually autopromoted is harder, because you need an account on test.wikipedia.org (or another temporary accounts enabled wiki) which is at least 6 months old and has made at least 300 edits. Therefore, I propose that QA does not check this for practicality's sake.
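Added example, not part of the original comment or of the mediawiki-config patch: QA steps 3 and 4 above expressed as a check over a parsed siteinfo response, reporting any drift from the thresholds and excluded groups listed in the comment. The function names are hypothetical, the sample response is constructed, and the nesting of groups under `query.autopromoteonce.<event>` is an assumption.

```python
GROUP = "checkuser-temporary-account-viewer"
EXPECTED_EDITS = 300          # from the QA comment
EXPECTED_AGE = 15552000       # seconds, from the QA comment (180 days)
EXCLUDED = {"sysop", "checkuser", "suppress", "bureaucrat", "bot"}

def find_group(response, group=GROUP):
    """Return the condition tree for `group`, or None if it is not autopromoted."""
    events = response.get("query", {}).get("autopromoteonce", {})
    for conds in events.values():  # assumed to be keyed by event, e.g. "onEdit"
        if isinstance(conds, dict) and group in conds:
            return conds[group]
    return None

def children(node):
    """Numbered keys ("0", "1", ...) hold the operands of a condition node."""
    return [node[k] for k in sorted((k for k in node if k.isdigit()), key=int)]

def check(response):
    """Return the deviations from the expected conditions (empty list = OK)."""
    tree = find_group(response)
    if tree is None:
        return ["group is not autopromoted"]
    problems, simple, negated = [], {}, set()
    if tree.get("operand") != "&":
        problems.append("top-level operand is not AND")
    for child in children(tree):
        if child.get("operand") == "!":
            for inner in children(child):
                if inner.get("condname") == "APCOND_INGROUPS":
                    negated.update(inner.get("params", []))
        else:
            simple[child.get("condname")] = child.get("params")
    if simple.get("APCOND_EDITCOUNT") != [EXPECTED_EDITS]:
        problems.append("edit count threshold differs")
    if simple.get("APCOND_AGE") != [EXPECTED_AGE]:
        problems.append("account age threshold differs")
    if negated != EXCLUDED:
        problems.append("excluded groups differ: " + ", ".join(sorted(negated ^ EXCLUDED)))
    return problems

def sample(edits=300, groups=EXCLUDED):
    """Constructed response, following the fragment shown in the QA comment."""
    tree = {"operand": "&",
            "0": {"condname": "APCOND_EDITCOUNT", "params": [edits]},
            "1": {"condname": "APCOND_AGE", "params": [15552000]}}
    for i, g in enumerate(sorted(groups), start=2):
        tree[str(i)] = {"operand": "!", "0": {"condname": "APCOND_INGROUPS", "params": [g]}}
    return {"query": {"autopromoteonce": {"onEdit": {GROUP: tree}}}}
```

Pass the decoded JSON body of the siteinfo request to `check()`; on a wiki without temporary accounts enabled the expected result is the single entry "group is not autopromoted".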

Djackson-ctr subscribed.

Thank you for the QA Steps @Dreamy_Jazz, I have verified different wikis, and the appropriate rights are listed in the Special:ListGroupRights for groups: sysop, bureaucrat, checkuser and suppress.
