Page MenuHomePhabricator
Create Task
Maniphest T165981

Implement a prototype JavaScript review system for MediaWiki
Open, LowPublic
Actions

Description

MediaWiki allows interface administrators to customize site behavior by adding custom JavaScript and CSS. This feature implicitly assumes that interface administrators are trusted users - while this is true for projects such as Wikipedia, it results in problems on shared installs or wiki hosting services, where it is possible to create a new wiki and add malicious site JS that can then be used to take over accounts with global rights that visit the page.

At Wikia, a JavaScript review system is provided by MediaWiki extension ContentReview which ensures that changes made to site JS are not live for other users until they have been approved by someone with appropriate rights. The goal of this project is to create a prototype that implements the basic functionality of the Wikia ContentReview extension while being compatible with the latest versions of core MediaWiki.

Workflow:

  • Edits made to JavaScript pages have to be submitted for review.
  • Reviewers may approve or reject submitted edits.
  • If an edit is approved, the changes will be visible to all users of the site.
  • Changes made in unsubmitted, pending, and rejected edits do not affect users of the site.

Related Objects
Search...

Event Timeline

TK-999 created this task.May 21 2017, 11:59 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 21 2017, 11:59 AM
Reedy updated the task description. (Show Details)May 21 2017, 12:01 PM
TK-999 added a comment.May 21 2017, 1:59 PM

Demo produced during hackathon is at https://github.com/TK-999/mediawiki-extensions-ContentReview

Paladox added a subscriber: Paladox.May 21 2017, 2:09 PM
Trizek-WMF mentioned this in T159334: Discussion: Create a Central Gadget Taskforce.May 21 2017, 2:26 PM
Trizek-WMF mentioned this in T71445: Implement a proper code-review process for MediaWiki JS/CSS pages on Wikimedia sites.
He7d3r added a subscriber: He7d3r.May 21 2017, 4:32 PM
TK-999 added a comment.May 21 2017, 5:07 PM

A few notes on how we can progress from here:

Reviews in the current prototype are atomic (1 click approve/reject). We should probably introduce In Review state as found in the original Wikia ContentReview extension, where the reviewer starts a review before approving or rejecting a revision. Then we can also tie any automatic review processes (linter, CI build) to the review start event.

zhuyifei1999 added a subscriber: zhuyifei1999.May 22 2017, 2:53 AM
Qgil awarded a token.May 23 2017, 12:42 PM
Qgil added a subscriber: Qgil.

(I hope the cookie is not misinterpreted, I just wanted to say Thank You for working on this!)

Qgil added projects: JavaScript, Security-General.May 23 2017, 12:44 PM
Quiddity added a parent task: T71445: Implement a proper code-review process for MediaWiki JS/CSS pages on Wikimedia sites.May 23 2017, 1:41 PM
Nemo_bis added a subscriber: Nemo_bis.May 23 2017, 2:00 PM
Nemo_bis triaged this task as Medium priority.May 26 2017, 7:05 AM
Nemo_bis added a project: MediaWiki-extension-requests.
Nemo_bis added subscribers: ShoutWiki, Brickimedia, Yaron_Koren and 4 others.
Nemo_bis added a comment.May 26 2017, 7:12 AM

Going by the list of open farms with most sysops (https://wikiapiary.com/wiki/Farm:Farms ), I wonder if any of them (e.g. (Gamepedia, Referata, Uncyclomedia, Miraheze, Brickimedia) has a similar use case, i.e. wikis where the admins aren't necessarily trusted to be in good faith and where somebody would be interested in handling a central queue of JavaScript changes.

If I understand correctly, TK-999 is looking for at least one non-Wikimedia farm interested in trying his extension, so that he can ascertain its usefulness and be guided in its further development.

Alexia added a comment.May 26 2017, 8:20 AM

On Gamepedia we use a vetting process before giving people administrator level access and we actively engage with the administrators in our IRC/Slack channels. However, an extension like this would be useful once the number of wikis/admins grow past what is reasonable to handle. As for taking over accounts we have our own AuthenticationProvider and SessionProvider that more or less mitigates those possibilities.(I won't say it is impossible though!)

While I want to give TK-999's extension a try on our stack I know it will be blocked by our(Amazon's) legal acceptance process. GPL-3.0 licensed projects/extensions are unfortunately prohibited.

Side note: I see that MW 1.29 or higher is required. I just finished merging MW 1.29-rc0 into a Hydra testing branch yesterday. It could one to two months before it actually goes out to live servers so it would be a while before we could actually test it assuming I could get an exception granted for the GPL-3.0 licensing policy.

TheDJ added a subscriber: TheDJ.May 26 2017, 8:25 AM
Qgil added projects: Community-Relations-Support, Developer-Advocacy.May 27 2017, 8:12 AM
Qgil moved this task from Backlog to Team radar on the Community-Relations-Support board.
Qgil moved this task from To triage to Team radar on the Developer-Advocacy board.
Nemo_bis added a subscriber: MediaWiki-Farmers.May 29 2017, 10:05 AM
Enterprisey added a subscriber: Enterprisey.Jun 24 2017, 6:22 AM
TerraCodes added a subscriber: TerraCodes.Aug 8 2017, 2:49 AM
MGChecker added a subscriber: MGChecker.Aug 20 2017, 8:07 PM
Mattflaschen-WMF mentioned this in T174307: Separate the user rights to edit MediaWiki: namespace scripts and viewable texts.Aug 28 2017, 6:14 AM
Harej moved this task from Incoming to Confirmed Extension Requests on the MediaWiki-extension-requests board.Jan 29 2018, 8:32 PM
Aklapper mentioned this in T185586: Growing the MediaWiki Technical Community additional topics.Apr 18 2018, 1:32 PM
Qgil removed a project: Community-Relations-Support.Jul 4 2018, 1:11 PM
BethNaught added a subscriber: BethNaught.Jul 8 2018, 2:36 PM
SMcCandlish added a subscriber: SMcCandlish.Jul 25 2018, 7:52 PM
Phabricator_maintenance added a project: acl*security.Sep 20 2018, 9:15 AM
Izno added a subscriber: Izno.Oct 11 2018, 1:44 PM
Amorymeltzer added a subscriber: Amorymeltzer.Dec 16 2018, 3:44 PM
Alsee added a subscriber: Alsee.Apr 13 2019, 12:43 AM
DannyS712 updated the task description. (Show Details)Nov 18 2019, 11:06 AM
Aklapper removed a project: Security-General.Dec 13 2019, 10:46 AM
chasemp added a project: Security.Feb 10 2020, 10:58 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:07 PM
TK-999 removed TK-999 as the assignee of this task.Mar 18 2020, 5:43 PM
ExE-Boss added a subscriber: ExE-Boss.Jun 11 2021, 12:00 AM
Aklapper lowered the priority of this task from Medium to Low.Mar 7 2023, 8:43 AM
Aklapper added projects: MediaWiki-Farmers, ShoutWiki, Brickimedia.
Aklapper removed subscribers: MediaWiki-Farmers, Brickimedia, ShoutWiki.
Eragon_Shadeslayer added a subscriber: Eragon_Shadeslayer.Jul 11 2023, 5:16 PM
Content licensed under Creative Commons Attribution-ShareAlike 4.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL