Page MenuHomePhabricator
Create Task
Maniphest T203129

Define Suppress grants
Open, MediumPublic
Actions

Description

I'm now using API with OAuth clients for some tasks for semi automated.
However, currently can not oversight stuff via API with OAuth Clients due to not defined related GrantPermissions for Oversight stuff.
Of course, I can use APIs if I set a main session to bot. but I don't want share my main sessions with bot for insecure.

For this, I propose to define a related GrantPermissions (hideuser, suppressrevision, viewsuppressed, suppressionlog).

If we had this, we do not need to share a passwords or an user sessions with bots for using automated process.

It means we can be improve our security for user not sharing password with bots or similar .

Related tasks: T192025 , T192024

Details

ProjectBranchLines +/-Subject
mediawiki/coremaster+10 -4Add suppress related permissions to $wgGrantPermissionGroups
mediawiki/coremaster+10 -4Add suppress related permissions to $wgGrantPermissionGroups
mediawiki/coremaster+10 -4Add suppress related permissions to $wgGrantPermissionGroups
mediawiki/coremaster+10 -4Add suppress related permissions to $wgGrantPermissionGroups
Customize query in gerrit

Related Objects

Event Timeline

Rxy created this task.Aug 29 2018, 11:00 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 29 2018, 11:00 PM
gerritbot added a subscriber: gerritbot.Aug 29 2018, 11:41 PM

Change 456305 had a related patch set uploaded (by Rxy; owner: Rxy):
[mediawiki/core@master] Add suppress related permissions to $wgGrantPermissionGroups

https://gerrit.wikimedia.org/r/456305

gerritbot added a project: Patch-For-Review.Aug 29 2018, 11:41 PM
Rxy triaged this task as Medium priority.Aug 29 2018, 11:44 PM
Rxy added a project: User-Rxy.
Rxy moved this task from Backlog to In progress - Development on the User-Rxy board.
gerritbot added a comment.Aug 31 2018, 3:11 PM

Change 456651 had a related patch set uploaded (by Rxy; owner: Rxy):
[mediawiki/core@master] Add suppress related permissions to $wgGrantPermissionGroups

https://gerrit.wikimedia.org/r/456651

gerritbot added a comment.Aug 31 2018, 3:20 PM

Change 456651 abandoned by Rxy:
Add suppress related permissions to $wgGrantPermissionGroups

https://gerrit.wikimedia.org/r/456651

Rxy added a subscriber: Anomie.Sep 11 2018, 3:10 AM
gerritbot added a comment.Sep 16 2018, 5:48 AM

Change 460727 had a related patch set uploaded (by Rxy; owner: Rxy):
[mediawiki/core@master] Add suppress related permissions to $wgGrantPermissionGroups

https://gerrit.wikimedia.org/r/460727

gerritbot added a comment.Sep 16 2018, 5:49 AM

Change 460727 abandoned by Rxy:
Add suppress related permissions to $wgGrantPermissionGroups

https://gerrit.wikimedia.org/r/460727

gerritbot added a comment.Sep 16 2018, 5:51 AM

Change 460728 had a related patch set uploaded (by Rxy; owner: Rxy):
[mediawiki/core@master] Add suppress related permissions to $wgGrantPermissionGroups

https://gerrit.wikimedia.org/r/460728

gerritbot added a comment.Sep 16 2018, 5:52 AM

Change 460728 abandoned by Rxy:
Add suppress related permissions to $wgGrantPermissionGroups

https://gerrit.wikimedia.org/r/460728

Tgr added projects: WMF-Legal, Security-Team, Privacy.Sep 21 2018, 2:51 PM
Tgr added a subscriber: Tgr.

Can someone from Legal and/or security check if there are any legal/privacy concerns about this? (E.g., enforcement concerns of Access to nonpublic information policy.) A web application with this grant could show an authorization dialog with potentially misleading description / a suppress grant that's hard to spot in the list of all grants, and if an oversighter carelessly clicks it through without realizing what grants are given, the application would then have access to nonpublic information as it pleases.

(Note that suppress would not be the first grant that gives access to nonpublic information - CheckUser already provides a grant.)

Presumably this kind of thing should be prevented by OAuth admins vetting such consumers, but then it would be nice to have some guidelines on what the vetting requirements should be.
(A simple approach could be that such consumers are never accepted. That would still allow people to use the grant with bot passwords / owner-only OAuth consumers for their own bots.)

Rxy reassigned this task from Rxy to Jalexander.Sep 25 2018, 10:34 AM
jrbs added a project: Trust-and-Safety.Jan 2 2019, 11:40 PM
revi removed Jalexander as the assignee of this task.Jan 19 2019, 1:37 PM
revi added subscribers: Jalexander, revi.

Removed James from assignee since he is no longer working for the Foundation. Someone else from Trust-and-Safety should review this but not sure who exactly will be that 'someone else'.

Rxy moved this task from In progress - Development to Development on the User-Rxy board.Jan 28 2019, 8:54 AM
jrbs moved this task from Backlog to Security/Abuse on the Trust-and-Safety board.Jan 28 2019, 10:18 PM
Rxy moved this task from Development to Stalled on the User-Rxy board.Mar 18 2019, 4:15 PM
Yyn1312 moved this task from Security/Abuse to Backlog on the Trust-and-Safety board.May 15 2019, 7:35 AM
Aklapper moved this task from Backlog to Security/Abuse on the Trust-and-Safety board.May 16 2019, 11:56 AM
DannyS712 added a subscriber: DannyS712.Sep 10 2019, 3:01 AM

Is this still desired / has it been approved by Trust&Safety to implement?

Rxy assigned this task to jrbs.Sep 10 2019, 9:53 AM
jrbs added a comment.Sep 12 2019, 7:03 PM

I'm sorry, but I don't really follow this task. What exactly is a "grant"? Just something that provides access to this information?

DannyS712 added a comment.Sep 12 2019, 7:11 PM

See https://www.mediawiki.org/wiki/Manual:$wgGrantPermissions and https://www.mediawiki.org/wiki/Manual:User_rights#Adding_new_rights

Anomie added a project: Platform Engineering.Sep 12 2019, 7:14 PM

I have no idea why T&S would be asked instead of Security.

Currently it is not possible for clients using OAuth to access actions/information protected by the 'hideuser', 'suppressrevision', 'viewsuppressed', and 'suppressionlog' user rights. In other words, it's not possible for someone to write a tool to do Oversight stuff.

This task is asking to make it possible for such a tool to request access to those rights (a "grant"). Note the grant does not actually give any rights to a user of the tool, it just lets the tool take advantage of rights the user already has.

The potential risk would be someone writing a somehow-malicious tool and convincing oversighters to use it. On the other hand, someone could instead write a malicious tool without using OAuth and convince oversighters to use that instead.

Anomie moved this task from Inbox to Tracking/Watching on the Platform Engineering board.Sep 12 2019, 7:15 PM
jrbs added a comment.Sep 12 2019, 7:31 PM

I think it's worth T&S knowing about this, but yes, Security is a much more technically-minded team who would be better placed to actually work on this.

Tgr added a comment.Sep 12 2019, 7:50 PM

This is a trivial change, just needs approval (IMO more legal/security than T&S). And possibly some guidance around when applications with access to that right should be allowed.

sbassett added a subscriber: sbassett.Sep 12 2019, 8:14 PM

Some thoughts:

  • In general, I don't feel making such grants available is too risky since, as mentioned, we already allow some privileged rights via the API and while it would be instinctual for a security-conscious individual to want to limit these rights as much as possible, usability of the API must also be considered.
In T203129#5488782, @Anomie wrote:

The potential risk would be someone writing a somehow-malicious tool and convincing oversighters to use it.

  • Indeed, though I'd hope this would be prevented during the OAuth consumer proposal phase. And further mitigated by the very hopeful assumption that individuals with oversight rights are at least somewhat less susceptible than the average user to social-engineering attacks.

I can bring this up for discussion at the Security-Team's weekly meeting, but for now I'd personally rate this proposal as low to medium risk.

sbassett moved this task from Incoming to Watching on the Security-Team board.Oct 4 2019, 5:02 PM
jrbs removed jrbs as the assignee of this task.Feb 11 2020, 11:04 PM
jrbs added a subscriber: jrbs.

Removing me as assignee, I imagine I was added in place of James but I really don't know what this is about.

JFishback_WMF added a project: Privacy Engineering.Mar 24 2020, 3:17 PM
JFishback_WMF moved this task from Intake to Backlog on the Privacy board.
JFishback_WMF moved this task from Incoming to Backlog on the Privacy Engineering board.
Aklapper removed a subscriber: Anomie.Oct 16 2020, 5:02 PM
Mstyles edited projects, added SecTeam-Processed; removed Security-Team.Oct 13 2021, 7:34 PM
Pppery edited projects, added Patch-Needs-Improvement; removed Patch-For-Review.Apr 2 2023, 11:56 PM
Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL