Decide which group(s) will be able to manage 'shell' on wikitech
Closed, ResolvedPublic

Restricted Application added a project: Cloud-Services. · View Herald TranscriptFeb 19 2017, 7:50 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
MarcoAurelio triaged this task as Normal priority.

I'd say 'sysop' add/remove is just fine.

scfc added a subscriber: scfc.Feb 19 2017, 8:12 PM

Note that shellmanagers only had/have the ability to add the right shell. My $ 0.02: Looking at the size and the members of the bureaucrat group, I think allowing them to manually grant or revoke the shell right is sufficient.

Bureaucrat looks safe enough to me as well. I'll patch it.

Change 338751 had a related patch set uploaded (by MarcoAurelio):
Configuration changes for

MarcoAurelio lowered the priority of this task from Normal to Low.Feb 20 2017, 12:31 PM
scfc added a comment.Feb 20 2017, 1:11 PM

I don't have a very strong opinion on this, but for me bureaucrat in the MediaWiki context roughly means "can give all users all rights" and sysop means "can do anything except make other users sysop". On this principle is upheld and there is contentadmin who can't do as much as sysop, but enough for most of the work to be done. Why should bureaucrats on not be able to give sysop to a user and that function be moved (?) to the cloudadmin group? This insinuates that bureaucrat could/should be given out freelier on

IMHO this is a wrong approach: Instead there should be a general understanding that (any) rights on require careful consideration, just like other special wikis where bureaucrat still has the same meaning, but only selected people are given this right (or others) on these wikis.

I don't have any issues with bureaucrats granting sysop as well. If this is desired, it only takes a couple of minutes for me to update that patch 🌝 In any case, I strongly agree that rights require careful consideration, be it wikitech or any other place. @bd808 could you weight in as well, please? Thanks.

I broadly agree with @scfc's analysis. I don't have an particular reason why bureaucrat should not be able to manage sysop membership. I mentioned it in a related discussion without thinking the model through well.

The sysop/contentadmin distinction on wikitech is really what causes us issues occasionally. Much of this confusion may have come from me personally. I was given very broad rights on wikitech without any initial knowledge of the sysop/contentadmin distinction. I did not understand for a long time just how much power I had there. I in turn handed out sysop to several people without actually remembering/knowing that on wikitech contentadmin would have been a better fit. As @Nemo_bis has pointed out recently, we do not seem to have done a through job of documenting why sysop is such a scary right on wikitech. I think doing that would be good idea as well as making some local message override on wikitech that would remind all of us to think about that carefully when using

I think doing that would be good idea as well as making some local message override on wikitech that would remind all of us to think about that carefully when using

I have T158417: Group messages for Wikitech and related patch waiting to be merged for months already which precisely deals with this one :-)

I'll amend the patch and have bureaucrats add (and remove?) the sysop bit. Shall bureaucrats be also able to remove bureaucrat rights?


MarcoAurelio closed this task as Resolved.Feb 22 2017, 6:57 PM

Bureaucrats (and cloudadmins since they have 'userrights' will be able to manage the 'shell' permission).

Change 338751 merged by jenkins-bot:
Configuration changes for

Mentioned in SAL (#wikimedia-operations) [2017-02-22T19:14:36Z] <thcipriani@tin> Synchronized wmf-config/InitialiseSettings.php: SWAT: [[gerrit:338751|Configuration changes for]] T158516 T158554 T158482 (duration: 00m 40s)