
Special:BotPassword grant management can cause confusion if help text is not read closely
Closed, Resolved · Public

Description

Now, I assume (and hope, but haven't checked) that if I allow my bot to have access to CheckUser data when I am not a CU with my bot account, that won't actually let the bot access the data. That being said, it is misleading to have those options there when a user doesn't have the corresponding rights.

Marking it very high priority because there is a chance I am wrong and this actually allows bots to access sensitive data.

Event Timeline

Huji created this task. Nov 5 2016, 1:35 AM
Restricted Application added a subscriber: Aklapper. Nov 5 2016, 1:35 AM
Huji triaged this task as Unbreak Now! priority. Nov 5 2016, 1:35 AM
Restricted Application added subscribers: Jay8g, Luke081515, TerraCodes. Nov 5 2016, 1:35 AM
Tgr added a subscriber: Tgr. Nov 5 2016, 1:41 AM

See discussion in T94478 (that's for OAuth but basically the same feature). In short, if we hide rights from grants which you don't currently have, you can get those rights later (by being promoted to an admin etc) and not realize that those rights are now being granted to your bot.

Reedy added a subscriber: Reedy. Nov 5 2016, 1:43 AM

Note, this has no relation to any separate MW bot accounts you may have.

See also https://www.mediawiki.org/wiki/Manual:Bot_passwords

Reedy lowered the priority of this task from Unbreak Now! to Normal. Nov 5 2016, 1:43 AM
Tgr added a comment. Nov 5 2016, 1:59 AM

Special:BotPasswords says "Each grant gives access to listed user rights that a user account already has. See the table of grants for more information." and the table of grants says "Users can authorize applications to use their account, but with limited permissions based on the grants the user gave to the application. An application acting on behalf of a user cannot actually use rights that the user does not have however." Suggestions on what wording or design changes would make this harder to miss are welcome.
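
The rule quoted in the comment above, together with the promotion case raised from the T94478 discussion, as an added example that is not part of this thread or of MediaWiki's code. The grant and right names in `GRANT_RIGHTS` and the helper function names are constructed for illustration and are assumptions, not MediaWiki's actual configuration.

```python
# Constructed model of "a grant only passes through rights the account already has".
# Grant names, right names and function names are illustrative assumptions.
GRANT_RIGHTS = {
    "basic": {"read", "autoconfirmed"},
    "editpage": {"edit"},
    "delete": {"delete", "undelete"},
    "checkuser": {"checkuser", "checkuser-log"},
}


def granted_rights(selected_grants):
    """Union of all rights named by the grants ticked for one bot password."""
    return set().union(*(GRANT_RIGHTS[g] for g in selected_grants))


def effective_rights(selected_grants, user_rights):
    """Rights the bot password can use now: granted rights the account also holds."""
    return granted_rights(selected_grants) & set(user_rights)


def dormant_rights(selected_grants, user_rights):
    """Rights ticked in a grant but not held by the account today.

    They are unusable now, but become usable as soon as the account gains them.
    """
    return granted_rights(selected_grants) - set(user_rights)


def newly_exposed(selected_grants, rights_before, rights_after):
    """Rights the bot password gains from a change in account rights alone,
    with no change to the grants selected."""
    return (effective_rights(selected_grants, rights_after)
            - effective_rights(selected_grants, rights_before))


if __name__ == "__main__":
    grants = ["basic", "editpage", "checkuser"]            # constructed selection
    ordinary = {"read", "edit"}                            # constructed account rights
    promoted = ordinary | {"checkuser", "checkuser-log"}   # same account after promotion
    print("usable now:      ", sorted(effective_rights(grants, ordinary)))
    print("dormant:         ", sorted(dormant_rights(grants, ordinary)))
    print("after promotion: ", sorted(newly_exposed(grants, ordinary, promoted)))
```

Running `dormant_rights` over existing bot passwords before an account is promoted shows which credentials would silently widen.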

bd808 renamed this task from "Special:BotPassword allows users with admin/suppress/checkuser rights to check a box that would allow their bot to access such sensitive tools" to "Special:BotPassword grant management can cause confusion if help text is not read closely". Nov 5 2016, 5:37 PM
bd808 added a subscriber: bd808. Nov 5 2016, 5:48 PM

How about changing the

Each grant gives access to listed user rights that a user account already has.

help text to something like

Grants can only allow a bot password access to rights held by the user account. Enabling a grant here does not provide new access permissions to the user account. All rights must be earned through normal procedures which vary by wiki.

Change 320110 had a related patch set uploaded (by Huji):
Rewording BotPasswords message to reflect what "grant" really does

https://gerrit.wikimedia.org/r/320110

Change 320110 merged by jenkins-bot:
Rewording BotPasswords message to reflect what "grant" really does

https://gerrit.wikimedia.org/r/320110

Tgr closed this task as Resolved. Nov 7 2016, 6:20 AM
Tgr assigned this task to Huji.