Last modified: 2014-08-30 21:12:41 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T72182, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 70182 - Restrict editing of core MediaWiki javascript / css with a separate user right
Status: PATCH_TO_REVIEW
Product: MediaWiki
Classification: Unclassified
Component: JavaScript
Version: 1.24rc
Hardware: All All
Importance: Normal normal
Assigned To: Nobody - You can work on this!
Reported: 2014-08-29 17:06 UTC by Chris Steipp
Modified: 2014-08-30 21:12 UTC (History)

Description Chris Steipp 2014-08-29 17:06:48 UTC
Umherirrender added a patch, Gerrit change #154452, which adds a site js/css user right, similar to the right to edit user js/css (bug 8834).

I want to track this with a bug, so we can document the decision to implement this, if we decide to. I've thought about implementing this for a while, and I'm happy to see it done. I think this is an improvement in MediaWiki supporting least privilege / separation of duty.

In the last few weeks, there has been a lot of discussion about supporting a more formal code review process for site js/css. In my first look, I don't think Umherirrender's patch conflicts with this goal, but if it does, that would potentially be a reason to not merge it.

Other thoughts?
Comment 1 Gerrit Notification Bot 2014-08-29 17:46:03 UTC
Change 154452 had a related patch set uploaded by Ebe123:
Add 'editsitejs' and 'editsitecss' user rights

https://gerrit.wikimedia.org/r/154452
Comment 2 Alex Monk 2014-08-29 17:59:44 UTC
This is absolutely pointless while we have bug 43646 (and others like it but unreported - run a Google search if you can't see that bug).
Comment 3 Helder 2014-08-29 18:55:08 UTC
What about restricting the edit of raw messages to users with an "editrawmessages" user right in such a way that "editinterface" is not enough to edit them?
Comment 4 Alex Monk 2014-08-29 18:56:46 UTC
Well, if you want to go and identify all raw messages... If you missed one though, adding it to the list would probably be a security issue involving releases etc.
Comment 5 Umherirrender 2014-08-29 21:12:07 UTC
The patch is not a security patch, just a way to restrict the serious way to edit javascript. There are also other ways to disable (or try to disable) some html in messages, like spam filters or abuse filters.
Comment 6 Bawolff (Brian Wolff) 2014-08-29 22:27:48 UTC
(In reply to Alex Monk from comment #2)
> This is absolutely pointless while we have bug 43646 (and others like it but
> unreported - run a google search if you can't see that bug)

In addition to MediaWiki:Copyright (Sorry, not mentioning the issue when it's so well known that we even have projects like enwikinews actually using it as a feature, seems silly to me), most projects have various random pages in the mediawiki namespace that get loaded from main js. Not to mention gadgets and things. There are lots of ways to get js into the site.
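
The trade-off discussed in comments 2 to 6, as an added model that is not part of the bug report and not MediaWiki code: it lists which script-capable pages in the MediaWiki namespace a user holding only "editinterface" could still edit under each proposal. The right names come from the thread; the function names, the sample page list and the treatment of MediaWiki:Copyright as a raw-HTML message are assumptions of the model.

```python
# Added model, not MediaWiki code. Right names come from the thread; function
# names and the sample page list are constructed for illustration.

# Raw-HTML messages known to the policy. Only MediaWiki:Copyright is named in
# the thread; treating it as raw HTML is an assumption of this model.
KNOWN_RAW_MESSAGES = {"Copyright"}


def required_rights(page, split_site_rights, restrict_raw):
    """Rights needed to edit a page in the MediaWiki namespace."""
    rights = {"editinterface"}
    if split_site_rights and page.endswith(".js"):
        rights.add("editsitejs")
    if split_site_rights and page.endswith(".css"):
        rights.add("editsitecss")
    if restrict_raw and page in KNOWN_RAW_MESSAGES:
        rights.add("editrawmessages")
    return rights


def can_carry_script(page, actual_raw_messages):
    """True if the page's content reaches readers as script or raw HTML."""
    return page.endswith(".js") or page in actual_raw_messages


def script_routes(user_rights, pages, actual_raw_messages,
                  split_site_rights=False, restrict_raw=False):
    """Script-capable pages that a user holding user_rights may still edit."""
    return sorted(
        p for p in pages
        if can_carry_script(p, actual_raw_messages)
        and required_rights(p, split_site_rights, restrict_raw) <= set(user_rights)
    )


# Constructed sample: "Unlisted-raw-message" stands for a raw message that the
# policy list above missed (the risk raised in comment 4).
PAGES = ["Common.js", "Common.css", "Copyright", "Unlisted-raw-message", "Sidebar"]
ACTUAL_RAW = {"Copyright", "Unlisted-raw-message"}
INTERFACE_ONLY = {"editinterface"}

if __name__ == "__main__":
    for split, raw in [(False, False), (True, False), (True, True)]:
        routes = script_routes(INTERFACE_ONLY, PAGES, ACTUAL_RAW, split, raw)
        print(f"split={split} restrict_raw={raw}: {routes}")
```

The last row is the case from comment 4: a raw message missing from the policy list stays editable with "editinterface" alone.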
