[Epic] Open security and admin issues with the WMF wikiedu dashboard
Open, Medium, Public

Description

See security and admin tracking bug for the EducationProgram extension: T45975

Some of these issues also affect the Wiki Education Foundation's app, as it will be adapted to run on additional Wikimedia projects and WMF hosting.

Event Timeline

awight raised the priority of this task from to Needs Triage.
awight updated the task description.
awight added subscribers: awight, Elitre.

@awight, thanks for starting this. I'll involve the people I had in mind.

awight changed the visibility from "Public (No Login Required)" to "WMF-NDA (Project)". Feb 2 2016, 7:03 PM
awight set Security to None.
awight removed a subscriber: StudiesWorld.

Why has this task been added to WMF-NDA instead of setting the "Security" dropdown to "Software security bug"?

awight changed the visibility from "WMF-NDA (Project)" to "Public (No Login Required)".
awight changed Security from None to Software security bug.
Restricted Application changed the visibility from "Public (No Login Required)" to "Custom Policy". Feb 5 2016, 8:30 PM
Restricted Application changed the edit policy from "All Users" to "Custom Policy".
Restricted Application added a project: acl*security.
awight renamed this task from "Review security issues with ext-EP and determine whether they apply to the WEF app" to "[Epic] Open security and admin issues with the WMF wikiedu dashboard". Feb 5 2016, 8:30 PM

and WMF hosting

Are you planning to run the dashboard on WMF servers?

Warning: I'm making this task public again. Nothing confidential happened here, and I've converted it into an epic to gather together subtasks.

awight changed the visibility from "Custom Policy" to "Public (No Login Required)". Feb 5 2016, 8:51 PM
awight changed the edit policy from "Custom Policy" to "All Users".
awight changed Security from Software security bug to None.

@csteipp: Yes, but on wmflabs.

Wait, what? So it's not going to be a production service?

@dduvall might be able to speak more to this. No, not for this first phase of work.

The thought behind starting in labs was that we've limited time/resources to get this up and running in the next month, but it was possibly a poor assumption on my part that doing so would mean substantially less coordination with ops/security around hardware procurement and initial review. Since we're already committing time to security review in this initial phase, would it make more sense to just go for broke and start the conversation with ops around 100% production-ization?

csteipp triaged this task as Medium priority. Feb 9 2016, 10:19 PM

@Nemo_bis sent an essay that will help guide our work:
https://www.mediawiki.org/wiki/Everything_is_a_wiki_page

Maybe we should talk more about using Wikibase (not the Wikidata instance) as the data store rather than MySQL? This gives us all of the wiki goodness.

Bawolff added a subscriber: Bawolff.

rm tag Security. imo that tag should probably not be used for tracking bugs unless the thing they are tracking is a specific issue