Extension:AbuseFilter/Access flags
The AbuseFilter extension allows privileged users to set specific controls on the visibility of filters and their associated log entries. These controls are known as Access Flags.
Access flags are primarily used to hide filters that contain sensitive patterns (to prevent gaming of the system) or sensitive data (such as Personally Identifiable Information).
Permissions reference
There are three distinct flags that can restrict access to a filter. It is important to note that these flags are additive. If a filter has multiple flags enabled (e.g., it is both Private and Suppressed), a user must possess the specific permissions for all active flags to view the filter or its logs.
To modify a filter, a user generally requires the standard abusefilter-modify right, plus the permissions required to view a filter's details based on the flags below.
| Flag name | Description | How it is applied | User right to view filter details | User right to view logs |
|---|---|---|---|---|
| Public (Default) | The filter is visible to everyone. | Default state when no other flags are checked. | (Everyone) | (Everyone) |
| Private (Hidden) | Hides the filter logic and comments to prevent bad actors from learning how to bypass the rule. | Checked via the "Private" (or "Hide details") checkbox in the filter editor. | abusefilter-view-private |
abusefilter-log-private |
| Protected | Restricts access because the filter uses sensitive variables (e.g., checking IPs on a wiki where Temporary Accounts are active). | Automatically applied when the filter code contains "protected variables". | abusefilter-access-protected-vars |
abusefilter-protected-vars-log |
| Suppressed | Restricts access to highly sensitive information (e.g., PII). Logs are treated as auto-suppressed. | Checked via the "Suppressed" checkbox in the filter editor. Requires suppressrevision to set. |
viewsuppressed |
viewsuppressed |
Flag behavior and usage
Private (hidden) filters
| MediaWiki version: | ≥ 1.19 |
Marking a filter as "Private" is intended for anti-vandalism rules where revealing the exact regex or logic would allow vandals to slightly alter their behaviour to avoid detection.
This restricts the visibility of filter details (such as rules) and log details to those with rights typically granted only to sysop (admins) when using the default configuration.
Protected filters
| MediaWiki version: | ≥ 1.43 |
This flag is not manually set by the user, it is determined by the variables used in the code box.
If a filter uses variables that are deemed private (for example, variables that reveal an IP address on a wiki that uses Temporary Accounts), the filter automatically becomes Protected.
This restricts the visibility of filter details (such as rules) and logs to those with rights typically granted only to sysop (admins) when using the default configuration.
Suppressed filters
| MediaWiki version: | ≥ 1.46 |
Marking a filter as "Suppressed" is intended to be used when filters have rules that include someone's Personally Identifiable Information (PII). This commonly applies to filters designed to prevent doxxing, as they by necessity may need to contain PII to prevent this from being posted to a wiki. Suppression can also be used when the abuse log entries generated by a filter would contain the PII which filter is intended to protect, even if the rules themselves do not necessarily contain PII themselves.
When suppressed, a filter's details can only be viewed by suppressors (those with the viewsuppressed user right), and all abuse log entries associated with the filter are effectively automatically suppressed and do not require intervention from a human suppressor.