Page MenuHomePhabricator

Agree first user group that will be able to create newsletters in Wikimedia
Closed, ResolvedPublic

Description

@Qgil I think it's fine to go ahead and remove AbuseFilter integration as a blocker, as long as initial permission is restricted to a set of trusted users.

OK, we have different options:

  • By default the extension sets the permission to create newsletters to a specific user group: 'newsletter-create'. In practice, this means that administrators should give this right on a case by case basis.
  • MassMessage_senders would be the next sensible option. This user groups is only available in Meta. This is fine for the initial deployment of the Newsletter extension (which targets Meta only). (the first wiki will be mediawiki.org, where this user right is not available)
  • Autopatrollers would be a next logical step, using a standard MediaWiki user group.
  • Confirmed users would be probably the most open and still sensible option. We are trusting confirmed users for many actions, and Newsletters are ultimately no different than wiki pages.

Whatever works for the Security review and the mediawiki.org admins will work for us Newsletter maintainers too.

(I'm not sure Wikimedia-Site-requests applies here, feel free to remove it if not.)

Event Timeline

QuimGil created this task.Dec 28 2016, 11:12 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 28 2016, 11:12 AM
QuimGil updated the task description. (Show Details)Dec 28 2016, 12:03 PM

Er... silly me, the first wiki will be mediawiki.org, not Meta (T116271#2344835).

I have mentioned this task in mw:Project:Current issues.

I'd say initial phase should be restricted to administrators and that 'newsletter-create' should be part of the sysop grants by default, at least for now. MM-sender is a group that only exists on few projects but can be enabled w/o much fuss for every project that requests it. I'd not advocate granting this to autopatrollers or other 'easy-to-get' user groups due to the heterogeneous composition of its members and to avoid abuse of the system.

I'd say initial phase should be restricted to administrators and that 'newsletter-create' should be part of the sysop grants by default, at least for now.

Sounds sensible. Let's do it.

@01tonythomas, how is this defined in the extension today. Hardcoded, or is there a configuration variable for LocalSettings.php?

Qgil closed this task as Resolved.Jan 6 2017, 4:56 PM
Qgil claimed this task.

Agreed (only sysops will be able to create newsletters initially) and implemented: T154534: Restrict 'newsletter-{create,manage,destroy}' only to 'sysop' by default.

Resolving.