
Investigate security concerns on enabling OAuth or BotPasswords for stewardwiki
Closed, ResolvedPublic


According to this discussion and the configuration at rOMWC, OAuth and BotPasswords are not enabled for private wikis. Please assess the security issues of allowing those to work on stewardwiki (or on other private wikis as well). Thank you.

Event Timeline

Adding @Tgr as the person I've been talking to about this.

I believe the only reason BotPasswords aren't enabled on private wikis is that each non-SUL wiki needs the bot_passwords database table created before it can be enabled.

OAuth is probably a similar situation. There it would need the relevant database tables created and also CommonSettings.php would need updating since it currently assumes every wiki with OAuth enabled is SUL (except for labswiki and labstestwiki, which are hardcoded as exceptions).

Thanks @Anomie for your reply. I was told that indeed either the OAuth or the BotPasswords table needs to be created on those wikis for the feature to work. Given that stewardwiki requires a high level of security, I'd go with OAuth, but I'd like to hear from the Security-Team first (ping @Bawolff and @dpatrick) for any blockers they might see with this. Regards.

@MarcoAurelio, the Security team concurs with @Anomie. The main reason is not related to security concerns. We're okay with OAuth and BotPasswords on these wikis.

Bawolff changed the visibility from "Custom Policy" to "Public (No Login Required)". Mar 21 2017, 8:25 PM
Bawolff triaged this task as Medium priority. Mar 21 2017, 8:25 PM
Dsfjdsfj raised the priority of this task from Medium to Unbreak Now!. Apr 13 2017, 3:57 PM
Dsfjdsfj updated the task description.
Reedy lowered the priority of this task from Unbreak Now! to Medium. Apr 13 2017, 4:02 PM
Bawolff claimed this task.
Bawolff moved this task from External (Non-WMF) Issues to Backlog / Other on the acl*security board.

Hi, I'm going to mark this resolved, as the security concern question was answered. If you want to have bot_passwords or OAuth enabled on any particular wiki it's not currently available on, please file whatever the modern name for a shell-request bug is, with community consensus if applicable.