Page MenuHomePhabricator
Create Task
Maniphest T125433

[Epic] Open security and admin issues with the WMF wikiedu dashboard
Open, MediumPublic
Actions

Description

See security and admin tracking bug for the EducationProgram extension: T45975

Some of these issues also affect the Wiki Education Foundation's app, as it will be adapted to run on additional Wikimedia projects and WMF hosting.

Related Objects
Search...

Event Timeline

awight created this task.Feb 1 2016, 8:26 PM
awight raised the priority of this task from to Needs Triage.
awight updated the task description. (Show Details)
awight added a project: Education-Program-Dashboard.
awight added subscribers: awight, Elitre.
Restricted Application added subscribers: StudiesWorld, Base, Aklapper. · View Herald TranscriptFeb 1 2016, 8:26 PM
Elitre added a comment.Feb 2 2016, 5:46 PM

@awight, thanks for starting this. I'll involve the people I had in mind.

Elitre mentioned this in T124300: Q3 personal goal: Start supporting the Education team with Dashboard-related work.Feb 2 2016, 6:45 PM
awight changed the visibility from "Public (No Login Required)" to "WMF-NDA (Project)".Feb 2 2016, 7:03 PM
awight set Security to None.
awight removed a subscriber: StudiesWorld.
Aklapper added a comment.Feb 3 2016, 10:03 AM

Why has this task been added to WMF-NDA instead of setting the "Security" dropdown to "Software security bug"?

awight added a comment.Feb 5 2016, 8:28 PM

@Aklapper: Thanks, it was just ignorance!

awight updated the task description. (Show Details)Feb 5 2016, 8:30 PM
awight changed the visibility from "WMF-NDA (Project)" to "Public (No Login Required)".
awight changed Security from None to Software security bug.
Restricted Application changed the visibility from "Public (No Login Required)" to "Custom Policy". · View Herald TranscriptFeb 5 2016, 8:30 PM
Restricted Application changed the edit policy from "All Users" to "Custom Policy". · View Herald Transcript
Restricted Application added a project: acl*security. · View Herald Transcript
awight renamed this task from Review security issues with ext-EP and determine whether they apply to the WEF app to [Epic] Open security and admin issues with the WMF wikiedu dashboard.Feb 5 2016, 8:30 PM
Krenair removed a subscriber: Base.Feb 5 2016, 8:32 PM
csteipp subscribed.Feb 5 2016, 8:44 PM

and WMF hosting

Are you planning to run the dashboard on WMF servers?

awight added a comment.Feb 5 2016, 8:49 PM

@csteipp: Yes, but on wmflabs.

awight added a comment.Feb 5 2016, 8:51 PM

Warning: I'm making this task public again. Nothing confidential happened here, and I've converted it into an epic to gather together subtasks.

awight changed the visibility from "Custom Policy" to "Public (No Login Required)".Feb 5 2016, 8:51 PM
awight changed the edit policy from "Custom Policy" to "All Users".
awight changed Security from Software security bug to None.
Restricted Application added a subscriber: Luke081515. · View Herald TranscriptFeb 5 2016, 8:51 PM
Krenair subscribed.Feb 5 2016, 9:18 PM
In T125433#2003679, @awight wrote:

@csteipp: Yes, but on wmflabs.

Wait, what? So it's not going to be a production service?

awight added a subscriber: dduvall.Feb 5 2016, 10:00 PM
In T125433#2003814, @Krenair wrote:

Wait, what? So it's not going to be a production service?

@dduvall might be able to speak more to this. No, not for this first phase of work.

dduvall added a comment.Feb 8 2016, 6:28 PM
In T125433#2003975, @awight wrote:
In T125433#2003814, @Krenair wrote:

Wait, what? So it's not going to be a production service?

@dduvall might be able to speak more to this. No, not for this first phase of work.

The thought behind starting in labs was that we've limited time/resources to get this up and running in the next month, but it was possibly a poor assumption on my part that doing so would mean substantially less coordination with ops/security around hardware procurement and initial review. Since we're already committing time to security review in this initial phase, would it make more sense to just go for broke and start the conversation with ops around 100% production-ization?

csteipp triaged this task as Medium priority.Feb 9 2016, 10:19 PM
FloNight subscribed.Feb 11 2016, 10:21 PM
dduvall moved this task from Backlog to Stabilize deployment on the Education-Program-Dashboard board.Feb 16 2016, 5:50 PM
dduvall added a project: Program Dashboard Sprint 1.Feb 18 2016, 7:07 PM
awight edited projects, added Programs-and-Events-Dashboard-Sprint 2; removed Program Dashboard Sprint 1.Feb 18 2016, 7:43 PM
awight added a parent task: T128250: Release Programs dashboard 1.0 beta.Feb 27 2016, 6:49 AM
awight added a project: Epic.Feb 27 2016, 6:51 AM
Restricted Application added a subscriber: Malyacko. · View Herald TranscriptFeb 27 2016, 6:51 AM
awight added a subscriber: Nemo_bis.Mar 2 2016, 7:21 PM

@Nemo_bis sent an essay that will help guide our work:
https://www.mediawiki.org/wiki/Everything_is_a_wiki_page

Maybe we should talk more about using Wikibase (not the Wikidata instance) as the data store rather than MySQL? This gives us all of the wiki goodness.

Bawolff moved this task from Backlog / Other to External (Non-WMF) Issues on the acl*security board.Mar 10 2016, 7:13 PM
Bawolff mentioned this in T146768: Possible access to security locked tasks?.Sep 27 2016, 9:03 PM
DStrine removed a subscriber: awight.Oct 31 2016, 2:16 PM
Bawolff removed a project: acl*security.Aug 5 2017, 7:02 AM
Bawolff subscribed.

rm tag Security . imo that tag should probably not be used for tracking bugs unless the thing they are tracking is a specific issue

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits