Page MenuHomePhabricator
Create Task
Maniphest T110249

Allow OAuth applications to be granted rights the user doesn't have
Open, LowPublic
Actions

Description

If an OAuth application is granted right X, it will only be able to use it if the granting user have that right. In a few cases it would be useful to have some kind of "supergrant" where this limitation does not exist. The main use case is IP-related rights such as noratelimit or ipblock-exempt (which the user normally does not need and/or is not trusted with, but the application, while using its own IP, can run into problems the user would not).

Related Objects

Event Timeline

Tgr created this task.Aug 25 2015, 9:50 PM
Tgr raised the priority of this task from to Needs Triage.
Tgr updated the task description. (Show Details)
Tgr added a project: MediaWiki-extensions-OAuth.
Tgr subscribed.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 25 2015, 9:50 PM
Tgr mentioned this in T70312: OAuth: Grant "High-volume editing" is confusing (does not provide "edit" right).Aug 25 2015, 9:51 PM
Tgr mentioned this in T74501: Need a way for trusted OAuth apps to make edits from blocked IPs.
Tgr mentioned this in T110235: Add dashboard.wikiedu.org IP to the ratelimit exemptions.Aug 25 2015, 10:00 PM
Krenair added a project: Security-Team.Aug 25 2015, 10:07 PM
Krenair subscribed.
Platonides subscribed.Sep 10 2015, 12:30 AM

I would define this as a «setuid grant»

jayvdb subscribed.Oct 7 2015, 5:01 AM
Tgr triaged this task as Low priority.Mar 7 2017, 4:10 AM
Tgr moved this task from Backlog to Tool User wants on the MediaWiki-extensions-OAuth board.Mar 7 2017, 4:38 AM
zhuyifei1999 subscribed.May 13 2017, 6:25 PM

Another would be Upload files from a URL (upload_by_url)

JBennett edited projects, added Security-team-backlog; removed Security-Team.Sep 4 2018, 2:41 PM
chasemp edited projects, added Security-Team; removed Security-team-backlog.Dec 23 2019, 5:12 PM
chasemp moved this task from Incoming to Back Orders on the Security-Team board.
taavi subscribed.May 20 2020, 6:24 PM
stwalkerster subscribed.Jan 26 2021, 7:22 PM
ExE-Boss subscribed.Jul 18 2021, 6:28 AM
Tgr mentioned this in T247433: Disable watchlist notifications for bot edits made on Commons structured data.Jan 11 2022, 2:14 AM
Reedy removed a project: Security-Team.Feb 2 2022, 7:48 PM
Zabe subscribed.Feb 2 2022, 7:49 PM
Xaosflux subscribed.Feb 9 2022, 7:37 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL