According to this discussion and configuration at rOMWC, OAuth and BotPasswords are not enabled for private wikis. Please assess the security issues of allowing those to work on stewardwiki (or other private wikis as well). Thank you.
Description
Status | Subtype | Assigned | Task
---|---|---|---
Resolved | | Urbanecm | T258356 Allow users at all private/fishbowl wikis to use botpasswords
Resolved | | Bawolff | T159519 Investigate security concerns on enabling OAuth or BotPasswords for stewardwiki
Event Timeline
I believe the only reason BotPasswords aren't enabled on private wikis is that each non-SUL wiki needs the bot_passwords database table created before it can be enabled.
OAuth is probably a similar situation. There it would need the relevant database tables created and also CommonSettings.php would need updating since it currently assumes every wiki with OAuth enabled is SUL (except for labswiki and labstestwiki, which are hardcoded as exceptions).
Thanks @Anomie for your reply. I was told that indeed either the OAuth or BotPasswords table needs to be created on those wikis for the feature to work. Given that stewardwiki requires a high level of security, I'd go with OAuth, but I'd like to hear from the Security-Team first (ping @Bawolff and @dpatrick) for any blockers they might think about this. Regards.
@MarcoAurelio, the Security team concurs with @Anomie. The main reason is not related to security concerns. We're okay with OAuth and BotPasswords on these wikis.
Hi, I'm going to mark this resolved, as the security concern question was answered. If you want to have bot_passwords or OAuth enabled on any particular wiki it's not currently available on, please file whatever-the-modern-name for a shell-request bug is, with community consensus if applicable.