Last modified: 2014-06-26 14:35:39 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T69082, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 67082 - Message describing OAuth activities is confusing to end user (in context of Wikidata Game)
Status: REOPENED
Product: MediaWiki extensions
Classification: Unclassified
Component: OAuth
Version: unspecified
Hardware: All All
Importance: Unprioritized normal
Assigned To: Nobody - You can work on this!
Reported: 2014-06-25 15:06 UTC by Pete F
Modified: 2014-06-26 14:35 UTC

Attachments
Screen shot of the message (10.58 KB, image/png)
2014-06-25 15:06 UTC, Pete F

Description Pete F 2014-06-25 15:06:04 UTC
Created attachment 15742: Screen shot of the message

Quote from the user (Martha Forsyth) who encountered this:

 WikiData: I looked at it, when I went to "log in" I found this notice:

 It's the last one that scared me off.  I do NOT feel qualified to "Perform administrative actions: Rollback changes to pages; Delete pages, revisions, and log entries" - I could sure handle "rollback changes" but deleting??!  Not for me to say!

 I haven't looked into the Privacy Policy yet (I will) but this is a VERY scary notice.  It LOOKS as if I would be allowing Widar to do things "on my behalf and in my name" COMPLETELY on its own!  Now, I doubt that is true - but it sure scared me off, and I was about to dive in!
Comment 1 Pete F 2014-06-25 15:39:14 UTC
A little more background: this resulted from an effort to try "Wikidata The Game" based on this blog post:

http://wikistrategies.net/wikidata-guest-post-tom-morris/#more-898

Via this link: http://tools.wmflabs.org/wikidata-game/
Comment 2 Chris Steipp 2014-06-25 17:07:52 UTC
The issue is with reusing Widar for this game. Since Widar is used for many different tools, you must give it all of those rights when you approve it. So yes, the game would have the ability to delete pages, if an admin decides to play it. The appropriate thing to do would be to register and use another consumer, that requests fewer rights.

If there's another component to this bug, such as how the rights are displayed, or how you're able to access more information about what user rights you're granting when you give an OAuth consumer these rights, feel free to reopen this and clarify.
Comment 3 Bartosz Dziewoński 2014-06-25 17:16:53 UTC
(In reply to Chris Steipp from comment #2)
> So yes, the game would have the ability to delete pages, if an admin decides
> to play it. The appropriate thing to do would be to register and use another
> consumer, that requests fewer rights.

The game's "Merge items" mode can actually delete pages for you, if you're an admin and check an additional checkbox.


Maybe the dialog shouldn't list the rights that the user doesn't have anyway? (For example, I can confirm that "Delete pages, revisions, and log entries" is shown even if the user is not an admin, which is definitely confusing.)
Would that require us to invalidate the OAuth permissions when the user gets these rights, just in case?
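
Added example (not part of the bug thread, and not MediaWiki or OAuth extension code): a small Python model of the two points raised in comments 2 and 3. A consumer can only use rights that are both granted to it and held by the user, so a narrower consumer limits what an admin exposes, and a dialog that hides rights the user lacks leaves rights unreviewed if the user is promoted later. The grant labels come from the dialog quoted in this bug; the short right names, function names and sample users are constructed for illustration.

```python
# Added illustration; grant labels are copied from the dialog quoted in this
# bug, the short right names are constructed stand-ins, not MediaWiki's own.
CONSUMER_GRANTS = {
    "Perform high volume activity": {"high-volume-edit"},
    "Interact with pages": {"edit", "create", "move"},
    "Perform administrative actions": {
        "rollback", "delete-page", "delete-revision", "delete-log-entry"},
}


def effective_rights(user_rights, grants=CONSUMER_GRANTS):
    """Rights the consumer can actually exercise: granted AND held by the user."""
    granted = set().union(*grants.values())
    return granted & set(user_rights)


def dialog_lines(user_rights, grants=CONSUMER_GRANTS, hide_unheld=False):
    """Grant label -> rights shown in the approval dialog.

    hide_unheld=False models the dialog as reported (everything is listed);
    hide_unheld=True models the suggestion to list only rights the user has.
    """
    shown = {}
    for label, rights in grants.items():
        visible = rights & set(user_rights) if hide_unheld else set(rights)
        if visible:
            shown[label] = visible
    return shown


def unreviewed_rights(shown_at_approval, user_rights_now, grants=CONSUMER_GRANTS):
    """Rights that became usable after approval but were never displayed."""
    seen = set().union(*shown_at_approval.values())
    return effective_rights(user_rights_now, grants) - seen


def needs_reapproval(shown_at_approval, user_rights_now, grants=CONSUMER_GRANTS):
    """True when the stored approval should be invalidated and asked again."""
    return bool(unreviewed_rights(shown_at_approval, user_rights_now, grants))


# Constructed sample users.
EDITOR = {"edit", "create", "move"}
ADMIN = EDITOR | {"rollback", "delete-page", "delete-revision", "delete-log-entry"}
```

In this model, an approval given through the filtered dialog has to be invalidated when the user gains admin rights, while an approval given through the full dialog does not.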
Comment 4 Pete F 2014-06-26 14:28:02 UTC
I am glad to see there are some technical issues being surfaced, and I like Bartosz's suggestion, that the tool could be more closely tailored to discussing only the rights the user has. However, I think the bigger issue here is in the way that information is conveyed, rather than the factual accuracy of the information. There are many little issues, that add up to something that's confusing and off-putting to a less technical end-user. I will quote the message's text, with commentary, below:

> Hi Martha,
> Widar would like to do the following actions on your behalf on www.wikidata.org:

Two problems:
1. Martha has at this point never heard the name "Widar" before, and will probably never hear it again. The reference to "Widar" is not helpful. Is this a person? A web site? An organization? How would she know, and why should she care what Widar wants?
2. "would like to" is a strange way to put it. The person who has a desire here is Martha: she wants to play the Wikidata Game. If there are conditions that must be met, that's what she needs to know; not what some abstract entity "wants." Now she is wondering about machine sentience and artificial intelligence, when all she wanted to do was try out a web game!

> * Perform high volume activity
>   high volume editing

I'm not sure I even know what this is referring to. Presumably, some kind of restriction on edits-per-hour is being lifted. I didn't even know such a restriction existed. As an end user, why should Martha care? Why does she even need to know this? How is the information helping her achieve her goal, or how would not knowing harm her?

> * Interact with pages
>   Edit existing pages; Create, edit, and move pages

What is a "page"? Is this referring to Wikidata or Wikipedia? Perhaps this could simply say "Make changes to the Wikidata.org web site"?

> * Perform administrative actions
>   Rollback changes to pages; Delete pages, revisions, and log entries

I think Bartosz has a good suggestion here: if possible, it would be nice if this item could simply be removed for non-administrators. "Rollback" might be a right that a non-admin has, but in many cases she will not even know what "rollback" means. As an admin, I've granted this right to people without discussing it much, and I've seen other admins do this as well. So if there's a way to avoid the jargon "rollback" and instead describe what will actually be done, that would be ideal.

> Privacy Policy

I'm not sure why the Privacy Policy is mentioned at all. Whose policy is it? Wikimedia's? Widar's? And why is it relevant? If this is a mere formality, maybe it could be eliminated, or maybe it could be made smaller/lighter grey/moved below the buttons or otherwise de-emphasized.
