Page MenuHomePhabricator
Create Task
Maniphest T120886

Make javascript editing permissions more fine grained and separate from normal editinterface right
Closed, ResolvedPublic
Actions

Description

The most dangerous permission admins have is JS editing - but its also only used by a minority of admins. Additionally, editing other user personal js/css is pretty dangerous, and rather rarely needed.

We should be able to move that to a separate group (This bug is only about having the technical ability to do so within MediaWiki. Whether or not its a good idea to do so on WMF wikis, and whether its politically acceptable are separate discussions, and out of scope of this bug)

Things to do:
*Separate interface messages into normal interface, raw html, and js/css files. Have different permissions for the different types, or at least editinterface vs editinterface-scriptable.
**This is mostly easy, but tracking down all raw html messages might be annoying. Especially, lots of extensions seem to use raw html-ish stuff in js. (See also T2212)

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Segregate right to edit sitewide CSS/JSmediawiki/corewmf/1.32.0-wmf.13+158 -32
Segregate right to edit sitewide CSS/JSmediawiki/corewmf/1.32.0-wmf.14+158 -32
Segregate right to edit sitewide CSS/JSmediawiki/coremaster+158 -32
Customize query in gerrit

Related Objects
Search...

Event Timeline

Bawolff created this task.Dec 8 2015, 11:46 PM
Bawolff raised the priority of this task from to Needs Triage.
Bawolff updated the task description. (Show Details)
Bawolff added a project: Security-Team.
Bawolff added subscribers: Bawolff, csteipp.
Restricted Application added subscribers: StudiesWorld, Aklapper. · View Herald TranscriptDec 8 2015, 11:46 PM
Krenair subscribed.Dec 8 2015, 11:46 PM
TTO subscribed.Dec 9 2015, 12:38 AM
Tgr mentioned this in T174307: Separate the user rights to edit MediaWiki: namespace scripts and viewable texts.Aug 28 2017, 7:21 AM
MGChecker subscribed.Aug 28 2017, 9:11 PM
He7d3r subscribed.Aug 30 2017, 5:51 PM

Gadgets 2.0 was supposed to fix this by introducing a specific namespace for the scripts. See:

He7d3r added a project: Gadgets-2.0.Aug 30 2017, 5:52 PM
Nirmos subscribed.Sep 9 2017, 2:25 AM
Mattflaschen-WMF renamed this task from Make javascript editing permissions more fine grained and separate from normal edit-interface to Make javascript editing permissions more fine grained and separate from normal editinterface right.Dec 23 2017, 2:59 AM
Mattflaschen-WMF merged a task: T174307: Separate the user rights to edit MediaWiki: namespace scripts and viewable texts.
Mattflaschen-WMF added subscribers: OdMishehu, Tgr.
Mattflaschen-WMF mentioned this in T71445: Implement a proper code-review process for MediaWiki JS/CSS pages on Wikimedia sites.Dec 23 2017, 3:02 AM
Tgr mentioned this in T190015: Create separate user group for editing sitewide CSS/JavaScript that does not include administrators by default.Mar 19 2018, 6:16 AM
Tgr added a parent task: T190015: Create separate user group for editing sitewide CSS/JavaScript that does not include administrators by default.
Nikerabbit subscribed.Mar 19 2018, 10:22 AM
gerritbot subscribed.Mar 21 2018, 8:04 PM

Change 421121 had a related patch set uploaded (by Gergő Tisza; owner: Gergő Tisza):
[mediawiki/core@master] Segregate right to edit sitewide JS

https://gerrit.wikimedia.org/r/421121

gerritbot added a project: Patch-For-Review.Mar 21 2018, 8:04 PM
BethNaught subscribed.Jul 8 2018, 2:36 PM
SMcCandlish subscribed.Jul 25 2018, 7:53 PM
gerritbot added a comment.Jul 26 2018, 10:26 PM

Change 421121 merged by jenkins-bot:
[mediawiki/core@master] Segregate right to edit sitewide CSS/JS

https://gerrit.wikimedia.org/r/421121

gerritbot added a comment.Jul 26 2018, 11:16 PM

Change 448168 had a related patch set uploaded (by Gergő Tisza; owner: Gergő Tisza):
[mediawiki/core@wmf/1.32.0-wmf.14] Segregate right to edit sitewide CSS/JS

https://gerrit.wikimedia.org/r/448168

gerritbot added a comment.Jul 30 2018, 10:52 AM

Change 449153 had a related patch set uploaded (by Gergő Tisza; owner: Gergő Tisza):
[mediawiki/core@wmf/1.32.0-wmf.13] Segregate right to edit sitewide CSS/JS

https://gerrit.wikimedia.org/r/449153

gerritbot added a comment.Jul 30 2018, 11:20 AM

Change 448168 merged by jenkins-bot:
[mediawiki/core@wmf/1.32.0-wmf.14] Segregate right to edit sitewide CSS/JS

https://gerrit.wikimedia.org/r/448168

gerritbot added a comment.Jul 30 2018, 11:24 AM

Change 449153 merged by jenkins-bot:
[mediawiki/core@wmf/1.32.0-wmf.13] Segregate right to edit sitewide CSS/JS

https://gerrit.wikimedia.org/r/449153

Tgr closed this task as Resolved.Aug 1 2018, 12:43 PM
Tgr claimed this task.

Done, except for dealing with raw messages and other non-standard ways of editing sitewide JavaScript, which have their own bugs.

sbassett moved this task from Incoming to Our Part Is Done on the Security-Team board.Jun 11 2019, 7:12 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits