
Require elevated session security for giving elevated permissions
Open, Needs Triage · Public

Description

For granting elevated permissions (e.g. giving checkuser permissions to an app) the user should be in a session with elevated security (in the sense of AuthManager::securitySensitiveOperationStatus()).

Event Timeline

Tgr created this task. May 10 2018, 2:15 PM
Restricted Application added a subscriber: Aklapper. May 10 2018, 2:15 PM
Tgr added a comment. May 10 2018, 2:20 PM

There is no straightforward way to map grants (or even permissions) to security levels. We could add a new mapping for that ($wgGrantSecurityLevels), or just use the grant name or permission name as security level and let everything fall back to the default reauth configuration most of the time.
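A stand-alone PHP model of the second option in the comment above (the permission name used as the security-level key, falling back to the default reauthentication window), added here as an illustration and not part of the original comment or of MediaWiki. The grant names, right lists and timeout values are constructed, and the timeout map only mirrors the `operation => seconds` shape of `$wgReauthenticateTime` with its `default` key.

```php
<?php
// Added illustration: a stand-alone model, not MediaWiki code.

// Constructed sample data: grant name => rights the grant contains.
$grantRights = [
    'basic'         => ['read', 'autoconfirmed'],
    'editinterface' => ['editinterface', 'edit'],
    'manage-rights' => ['userrights'], // hypothetical grant name
];

// Operation name => maximum seconds since the last authentication.
// 'default' is the fallback for any name without its own entry.
// All values here are constructed.
$reauthTime = [
    'default'       => 300,
    'userrights'    => 60,
    'editinterface' => 60,
];

// Strictest window over every right in the requested grants, using each
// right name as the security-level key and 'default' for the rest.
function strictestWindow(array $grants, array $grantRights, array $reauthTime): int
{
    $window = $reauthTime['default'];
    foreach ($grants as $grant) {
        if (!isset($grantRights[$grant])) {
            // Fail closed on a grant the map does not know about.
            throw new InvalidArgumentException("Unknown grant: $grant");
        }
        foreach ($grantRights[$grant] as $right) {
            $window = min($window, $reauthTime[$right] ?? $reauthTime['default']);
        }
    }
    return $window;
}

// 'ok' if the session authenticated recently enough, otherwise 'reauth'.
function grantApprovalStatus(array $grants, int $ageSeconds, array $grantRights, array $reauthTime): string
{
    return $ageSeconds <= strictestWindow($grants, $grantRights, $reauthTime) ? 'ok' : 'reauth';
}

// Constructed requests: [grants being approved, seconds since last login].
$requests = [[['basic'], 120], [['basic', 'manage-rights'], 120], [['editinterface'], 30]];
foreach ($requests as [$grants, $age]) {
    $status = grantApprovalStatus($grants, $age, $grantRights, $reauthTime);
    printf("%-24s age=%3ds -> %s\n", implode(',', $grants), $age, $status);
}
```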

Tgr added a subscriber: Anomie. May 10 2018, 3:53 PM

FWIW, the main ones that I'm worried about are grants containing the "userrights" right and grants containing "editinterface".

Vvjjkkii renamed this task from Require elevated session security for giving elevated permissions to d7caaaaaaa. Jul 1 2018, 1:12 AM
Vvjjkkii triaged this task as High priority.
Vvjjkkii updated the task description.
Vvjjkkii removed a subscriber: Aklapper.
CommunityTechBot renamed this task from d7caaaaaaa to Require elevated session security for giving elevated permissions. Jul 2 2018, 4:19 PM
CommunityTechBot raised the priority of this task from High to Needs Triage.
CommunityTechBot updated the task description.
CommunityTechBot added a subscriber: Aklapper.