Page MenuHomePhabricator
Create Task
Maniphest T76554

Restrict editing of .json pages in the user namespace (like .js and .css)
Closed, ResolvedPublic
Actions

Description

Users currently have special protected for their personal .js and .css pages. The protection entails that only they can create or edit them, with the exception of privileged users holding the edituserjs or editusercss user right.

There are currently users storing private "nobody else edits this" kind of stuff on .js pages in order to receive this protection, even when said content is not JavaScript code.

There are even tools (Toolforge tools, Gadgets, user scripts, standalone apps) that encourage or require the storing of non-js content on a specially named .js sub page.

This use case is blocking T76204, which wants to give users a way to automatically validate their user scripts against common errors.

Per T76204#802378, and more generally, we should provide users with the option to store data (in the JSON format) under their user space with the same protection level as .js and .css pages currently receive.

In addition to being able to unblock T76204, by providing tools with a way to migrate their data, it is also more generally a useful feature for storing personal data. Some of which could be used in the future for storing other kinds of site customisations.

Details

SubjectRepoBranchLines +/-
Add protection for User: JSON pages in the same manner as JS & CSS onesmediawiki/coremaster+192 -40
content: Recognise .json as JsonContent in User and MediaWiki namespacemediawiki/coremaster+23 -12
Customize query in gerrit

Related Objects
Search...

Event Timeline

Krinkle created this task.Dec 3 2014, 1:33 AM
Krinkle raised the priority of this task from to Lowest.
Krinkle updated the task description. (Show Details)
Krinkle added projects: MediaWiki-Page-editing, JavaScript.
Krinkle changed Security from none to None.
Krinkle added a subtask: T76553: Ensure JsonContent pages have valid syntax when saved.
Krinkle mentioned this in T76204: Enforce JavaScript syntax check when editing user/site script pages.
Krinkle subscribed.
Jdforrester-WMF subscribed.Dec 3 2014, 2:12 AM
Krinkle mentioned this in T76553: Ensure JsonContent pages have valid syntax when saved.Dec 3 2014, 3:37 AM
gerritbot added a project: Patch-For-Review.Dec 3 2014, 3:39 AM

Change 177172 had a related patch set uploaded (by Krinkle):
content: Recognise .json as JsonContent User and MediaWiki namespace

https://gerrit.wikimedia.org/r/177172

Patch-For-Review

TTO subscribed.Dec 3 2014, 9:33 AM
Rillke subscribed.Dec 3 2014, 9:48 AM
Se4598 subscribed.Dec 3 2014, 1:26 PM
Umherirrender mentioned this in T76629: Numeric anchor in phabricator to link to a comment of a task does not work in IE11.Dec 3 2014, 7:26 PM
Legoktm closed subtask T76553: Ensure JsonContent pages have valid syntax when saved as Resolved.Dec 24 2014, 5:32 PM
Ricordisamoa subscribed.Dec 31 2014, 10:49 AM
gerritbot subscribed.Jun 3 2015, 4:25 PM

Change 177172 merged by jenkins-bot:
content: Recognise .json as JsonContent in User and MediaWiki namespace

https://gerrit.wikimedia.org/r/177172

Krinkle mentioned this in rMW3b44da326167: content: Recognise .json as JsonContent in User and MediaWiki namespace.Jun 3 2015, 4:25 PM
Jdforrester-WMF assigned this task to Krinkle.Jun 3 2015, 4:33 PM
Jdforrester-WMF raised the priority of this task from Lowest to Medium.
Jdforrester-WMF added a project: User-notice.

Does the above patch restrict editing of user-json? I guess not? Do we need to add a new user right for this, and tweak the language about the existing right (editusercssjs) to mention JSON too?

Krinkle added a comment.EditedJun 3 2015, 4:47 PM
In T76554#1334272, @Jdforrester-WMF wrote:

Does the above patch restrict editing of user-json?

No, this patch is a prerequisite for that.

Forrestbot added projects: MW-1.26-release, WMF-deploy-2015-06-09_(1.26wmf9).Jun 3 2015, 5:00 PM
Forrestbot subscribed.
Krinkle removed a project: WMF-deploy-2015-06-09_(1.26wmf9).Jun 4 2015, 12:31 AM
Krinkle removed subscribers: Forrestbot, gerritbot.
gpaumier moved this task from To Triage to Not ready to announce on the User-notice board.Jun 4 2015, 3:11 PM
Krinkle added a parent task: T76204: Enforce JavaScript syntax check when editing user/site script pages.Sep 15 2015, 6:21 PM
Krinkle removed projects: MW-1.26-release, Patch-For-Review.Sep 15 2015, 6:23 PM
Krenair subscribed.Sep 15 2015, 7:24 PM
Glaisher subscribed.Nov 28 2015, 5:53 PM
Danny_B subscribed.Jan 20 2016, 7:53 AM
Krinkle lowered the priority of this task from Medium to Low.Feb 9 2016, 7:16 PM
Krinkle removed Krinkle as the assignee of this task.Jul 16 2016, 1:27 AM
Legoktm mentioned this in T155900: JSON pages need to be locked for editing by users without rights.Jan 21 2017, 8:19 PM
Legoktm merged a task: T155900: JSON pages need to be locked for editing by users without rights.
Legoktm added subscribers: Iniquity, Legoktm, Urbanecm.
Iniquity added a comment.Jan 21 2017, 8:24 PM

@Legoktm, thanks!
@Krinkle, hello, any progress here?

Jack_who_built_the_house subscribed.Jan 21 2017, 8:29 PM
JEumerus subscribed.Jan 22 2017, 10:37 AM

Does this function account for content model changes?

Iniquity added a comment.Jan 26 2017, 10:08 PM
In T76554#2959058, @JEumerus wrote:

Does this function account for content model changes?

What do you mean?

JEumerus added a comment.Jan 26 2017, 11:09 PM

What I mean is that changing the content model of a JS page causes it to lose its protection; see links in T85847#2959070

Nirmos subscribed.Feb 6 2018, 8:19 AM
gerritbot added a comment.Feb 7 2018, 11:22 PM

Change 408940 had a related patch set uploaded (by Jforrester; owner: Jforrester):
[mediawiki/core@master] [WIP] Add protection for User: and MediaWiki: JSON pages

https://gerrit.wikimedia.org/r/408940

gerritbot added a project: Patch-For-Review.Feb 7 2018, 11:22 PM
MZMcBride subscribed.Feb 7 2018, 11:56 PM
Quiddity subscribed.Feb 8 2018, 8:39 PM
Jdforrester-WMF added a comment.Feb 15 2018, 12:31 AM
In T76554#2974497, @JEumerus wrote:

What I mean is that changing the content model of a JS page causes it to lose its protection; see links in T85847#2959070

The code currently stops a third party editing a user's page if it's a subpage with the JS or CSS content model; it doesn't actually depend on being called .js or .css, but that's the only way non-admins can make a JS/CSS content model page. With this change, it would also extend to the JSON content model (and the .json extension), yes. The particular issue you highlighted would no longer break – User:Foo/bar.json pages (or User:Foo/bar.js with the JSON content model) would not be editable by other users except admins.

PerfektesChaos subscribed.Mar 22 2018, 9:04 AM
Krinkle updated the task description. (Show Details)Mar 29 2018, 2:27 AM
MZMcBride added a comment.Mar 29 2018, 2:36 AM

Thank you for the task description expansion!

gerritbot added a comment.Mar 29 2018, 2:49 PM

Change 408940 merged by jenkins-bot:
[mediawiki/core@master] Add protection for User: JSON pages in the same manner as JS & CSS ones

https://gerrit.wikimedia.org/r/408940

Jdforrester-WMF closed this task as Resolved.Mar 29 2018, 2:51 PM
Jdforrester-WMF claimed this task.
Jdforrester-WMF removed a project: Patch-For-Review.
Jdforrester-WMF moved this task from Not ready to announce to Announce in next Tech/News on the User-notice board.
ReleaseTaggerBot added a project: MW-1.31-release-notes (WMF-deploy-2018-04-03 (1.31.0-wmf.28)).Mar 29 2018, 3:00 PM
Liuxinyu970226 moved this task from Announce in next Tech/News to In current Tech/News draft on the User-notice board.Mar 31 2018, 3:02 AM
Framawiki awarded a token.Apr 3 2018, 5:01 PM
Johan moved this task from In current Tech/News draft to Already announced/Archive on the User-notice board.Apr 5 2018, 6:06 PM
RandomDSdevel awarded a token.Apr 6 2018, 7:45 PM
MusikAnimal subscribed.May 7 2018, 8:33 PM

Hello! I see many good reasons for this change, but perhaps this wasn't brought up: Some bots use JSON config pages that are intentionally open for anyone to edit, for example https://en.wikipedia.org/wiki/User:Community_Tech_bot/Popular_pages_config.json

For our use case, we'd have to change the content model to wikitext so that anyone could edit it. This is fine except you then don't have the nifty JSON editor that validates your input, nor the pretty JSON formatting when viewing the page directly.

Would it make sense to allow admins to lower the protection level? I assume adding this functionality wouldn't be a trivial change. I'm just curious if you at all think it is a good idea.

Additionally, now when viewing a JSON page, it shows the same warnings at the top that JS/CSS pages do:

Depending on what's using the JSON, these could be true, but they certainly aren't in our case. It's just misleading, is all.

Ciencia_Al_Poder subscribed.May 7 2018, 8:36 PM
In T76554#4188271, @MusikAnimal wrote:

Some bots use JSON config pages that are intentionally open for anyone to edit, for example https://en.wikipedia.org/wiki/User:Community_Tech_bot/Popular_pages_config.json

Couldn't that page be moved to another namespace, like Project:, and change the content model there to json?

Legoktm added a comment.May 7 2018, 8:36 PM
In T76554#4188271, @MusikAnimal wrote:

Hello! I see many good reasons for this change, but perhaps this wasn't brought up: Some bots use JSON config pages that are intentionally open for anyone to edit, for example https://en.wikipedia.org/wiki/User:Community_Tech_bot/Popular_pages_config.json

For our use case, we'd have to change the content model to wikitext so that anyone could edit it. This is fine except you then don't have the nifty JSON editor that validates your input, nor the pretty JSON formatting when viewing the page directly.

You could move it to the Project namespace? In general, asking users to edit JSON isn't ideal.

Would it make sense to allow admins to lower the protection level? I assume adding this functionality wouldn't be a trivial change. I'm just curious if you at all think it is a good idea.

I think this opens up a can of worms.

Additionally, now when viewing a JSON page, it shows the same warnings at the top that JS/CSS pages do:

Depending on what's using the JSON, these could be true, but they certainly aren't in our case. It's just misleading, is all.

Could you file a separate bug for that?

Jdforrester-WMF added a comment.May 7 2018, 8:40 PM
In T76554#4188285, @Ciencia_Al_Poder wrote:
In T76554#4188271, @MusikAnimal wrote:

Some bots use JSON config pages that are intentionally open for anyone to edit, for example https://en.wikipedia.org/wiki/User:Community_Tech_bot/Popular_pages_config.json

Couldn't that page be moved to another namespace, like Project:, and change the content model there to json?

Yes, that's what I'd recommend if you really do want anyone (not just sysops) able to redirect the work of an automated tool.

Niharika subscribed.May 7 2018, 8:46 PM

I'd like to echo what @MusikAnimal wrote above about lowering the protection level. An alternate could be to not have this apply on bot account pages.
I'm surprised this change went through without a wider announcement ahead of rollout.

Jdforrester-WMF added a comment.May 7 2018, 8:51 PM
In T76554#4188317, @Niharika wrote:

I'd like to echo what @MusikAnimal wrote above about lowering the protection level.

OK. But implementing that would be a serious amount of work, and not generally a good idea from a product perspective (yet more complication in an area that already confuses many sysops).

An alternate could be to not have this apply on bot account pages.

As above, this sounds like a bad idea to provide a hack that shouldn't exist.

I'm surprised this change went through without a wider announcement ahead of rollout.

Discussed for multiple years, announced in Tech/News, highlighted in Scrum of Scrums at least twice over the years. If anything, rather more announcement than something this mild deserves.

Niharika added a comment.May 7 2018, 8:55 PM
In T76554#4188341, @Jdforrester-WMF wrote:

I'm surprised this change went through without a wider announcement ahead of rollout.

Discussed for multiple years, announced in Tech/News, highlighted in Scrum of Scrums at least twice over the years. If anything, rather more announcement than something this mild deserves.

Not everyone's been around for years. That bot came into existence last year.
I don't see a mention in the recent few scrum of scrums notes but I didn't look too closely.

MusikAnimal mentioned this in T194086: JavaScript warnings shown at the top of JSON pages can be misleading.May 7 2018, 8:56 PM
MusikAnimal added a comment.May 7 2018, 8:59 PM

Couldn't that page be moved to another namespace, like Project:, and change the content model there to json?

You could move it to the Project namespace?

Given the nature of our bot, I think we could get away with this. However on enwiki anything in the WP namespace is usually subject to scrutiny, so other bot operators probably will have trouble storing their config pages there. I realize this probably won't be an issue some 90-something percent of the time, as any given bot config is rarely edited. It was just really neat that we could allow non-admins to make configuration changes.

In general, asking users to edit JSON isn't ideal.

In general, yes. The old Popular Pages Bot had a full-on wiki-like interface on Toolforge, such that any changes can be audited. The community asked that we replicate this functionality, and instead of building a whole new tool we opted for an on-wiki config page since it offers a revision history.

Additionally, now when viewing a JSON page, it shows the same warnings at the top that JS/CSS pages do

Could you file a separate bug for that?

Created at T194086

For now we will try to move the Popular Pages Bot documentation and config to the WP namespace. Thanks!

Ladsgroup edited projects, added User-notice-archive; removed User-notice.Aug 13 2022, 1:55 PM
jhsoby mentioned this in T320803: How to use MediaWiki:Common.json? (Delete "common.json" i18n message?).Oct 14 2022, 12:32 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL