Currently administrators of the Hungarian Wikipedia are able to add and remove editor right, although they should not be able. Only bureaucrats should have this right locally. We are not sure since when it is happening. Please fix it.
Pinging Hungarian users (@Tgr, @Samat and @Tacsipacsi); please confirm.
See last comment on https://gerrit.wikimedia.org/r/c/operations/mediawiki-config/+/518759 .
Administrators can be trusted not to abuse accidental rights so not an urgent problem.
@Bencemac I’m not a huwiki admin. How could I confirm it apart from looking at the special page you linked, which can be done by anyone?
The special page is visible for everyone, but non-huwiki editors probably do not know that edit right is granted by bureaucrats, so that is why I needed confirmation. I was not clear enough, sorry about that.
Change 526492 had a related patch set uploaded (by Urbanecm; owner: Urbanecm):
[operations/mediawiki-config@master] flaggedrevs.php: Allow wikis to remove ability to promote to/demote from autoreview/editor
Since the responsible lines needs to know if the group exists (=needs to be after per-wiki configuration), I've uploaded a patch that adds $allowSysopsAssignEditor, $allowSysopsAssignAutoreview and $allowSysopsAssignAutoreview and sets $allowSysopsAssignEditor to false for huwiki. @Tgr, please review!
Yes, I can confirm that. But I agree Tgr that it’s not a big security concern, I don’t know of any abuses of such higher access in the past 16 years.
I can confirm the bug. One of the huwiki admins tested the function here:
https://hu.wikipedia.org/wiki/Speci%C3%A1lis:Rendszernapl%C3%B3k?type=rights&user=Hungarikusz+Firk%C3%A1sz&page=Szerkeszt%C5%91%3AMax+von+O
@Urbanecm thank you for the patch.
Note my patch also re-grants the ability to promote users to ip block exemptions, which was unintentionally removed from huwiki admins. If it's not correct, let me know and I'll change the configuration appropriatelly.
What @Tgr mentioned at T226410#5375822 in fine is still true however. We should investigate how to make FR config easier and less prone to cause breaks each time we have to modify it.
[offtopic] What about adding tests for flaggedrevs wikis? At least some of them. That way, anyone who would want to change FR revision would have to implement the same thing twice => reduced probability of screwing things up. Not ideal, but something. What do you think?
Change 526492 merged by jenkins-bot:
[operations/mediawiki-config@master] flaggedrevs.php: Allow wikis to remove ability to promote to/demote from autoreview/editor
Mentioned in SAL (#wikimedia-operations) [2019-08-01T11:05:08Z] <urbanecm@deploy1001> Synchronized wmf-config/flaggedrevs.php: SWAT: aa82657: flaggedrevs.php: Allow wikis to remove ability to promote to/demote from autoreview/editor (T229346) (duration: 00m 54s)