Re: [Wikitech-l] Separation of Concerns

Wed, 05 Jun 2013 00:47:51 -0700

On Tue, 04 Jun 2013 18:50:38 -0700, Brad Jorsch <bjor...@wikimedia.org> wrote: 


On Tue, Jun 4, 2013 at 7:56 PM, Tyler Romeo <tylerro...@gmail.com> wrote:
If you go by module, then you have problems where you need to grant
specific rights for using modules like list=categorymembers and
prop=revisions, but you can't grant the ability to edit normal pages
without also granting the ability to edit your user CSS/JS, and (if
you're an admin) the MediaWiki namespace and so on.



"but you can't grant the ability to edit normal pages without also  
granting the ability to edit your user CSS/JS"
We only need to introduce one (well two if you separate js and css) more  
right to restrict that. Then that point becomes a non-issue.


"and (if you're an admin) the MediaWiki namespace and so on."

Flat out false. Editing the MediaWiki namespace is part of the interface  
right. If standard MediaWiki permissions are used and you don't grant the  
client editinterface rights then the client can't edit the MediaWiki  
interface. Same for protected pages, that requires the protect right  
(though with or without OAuth we probably want to separate the actual  
protect/unprotect right from the right to edit things that are protected).




The situation with user rights isn't any better. Editing a page
requires 'edit' and 'writeapi' (and also 'read' unless you're blindly
overwriting pages), and likely 'minoredit' and 'skipcaptcha' would
also be wanted, and maybe also 'createpage', 'createtalk',
'autoreview', 'autopatrol', 'autoconfirmed', and 'bot'. And at the
same time, you can't avoid granting the permission to write to your
user CSS/JS.



There's nothing wrong with having a large list of fine-grained rights to  
grant as long as you format them properly for the user.
Rights like autopatrol and skipcaptcha are special rights just meant to  
deal with new accounts used to spam, not for OAuth type control. They  
would probably fit in a special list of registered rights that we don't  
need to not give to OAuth clients. Likewise minoredit is merely for admins  
to stop say anons from making piles of minor edits. There's no point in  
restricting it's use in OAuth.



As for writeapi. Besides that being one we could just automatically give  
to anything that requires edit rights I have doubts that there is even any  
point in that right continuing to exist.



--
~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://danielfriesen.name/]


_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

























					Reply via email to