Page MenuHomePhabricator

Administrators of the Hungarian Wikipedia have unapproved right
Closed, ResolvedPublic

Description

Currently administrators of the Hungarian Wikipedia are able to add and remove editor right, although they should not be able. Only bureaucrats should have this right locally. We are not sure since when it is happening. Please fix it.

Pinging Hungarian users (@Tgr, @Samat and @Tacsipacsi); please confirm.

Event Timeline

Bencemac created this task.Tue, Jul 30, 3:22 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptTue, Jul 30, 3:22 PM
Tgr triaged this task as Low priority.Tue, Jul 30, 4:13 PM

See last comment on https://gerrit.wikimedia.org/r/c/operations/mediawiki-config/+/518759 .

Administrators can be trusted not to abuse accidental rights so not an urgent problem.

Urbanecm claimed this task.Tue, Jul 30, 4:15 PM
Restricted Application added a project: User-Urbanecm. · View Herald TranscriptTue, Jul 30, 4:15 PM

@Bencemac I’m not a huwiki admin. How could I confirm it apart from looking at the special page you linked, which can be done by anyone?

@Bencemac I’m not a huwiki admin. How could I confirm it apart from looking at the special page you linked, which can be done by anyone?

The special page is visible for everyone, but non-huwiki editors probably do not know that edit right is granted by bureaucrats, so that is why I needed confirmation. I was not clear enough, sorry about that.

Change 526492 had a related patch set uploaded (by Urbanecm; owner: Urbanecm):
[operations/mediawiki-config@master] flaggedrevs.php: Allow wikis to remove ability to promote to/demote from autoreview/editor

https://gerrit.wikimedia.org/r/526492

Since the responsible lines needs to know if the group exists (=needs to be after per-wiki configuration), I've uploaded a patch that adds $allowSysopsAssignEditor, $allowSysopsAssignAutoreview and $allowSysopsAssignAutoreview and sets $allowSysopsAssignEditor to false for huwiki. @Tgr, please review!

The special page is visible for everyone, but non-huwiki editors probably do not know that edit right is granted by bureaucrats, so that is why I needed confirmation. I was not clear enough, sorry about that.

Yes, I can confirm that. But I agree Tgr that it’s not a big security concern, I don’t know of any abuses of such higher access in the past 16 years.

Note my patch also re-grants the ability to promote users to ip block exemptions, which was unintentionally removed from huwiki admins. If it's not correct, let me know and I'll change the configuration appropriatelly.

What @Tgr mentioned at T226410#5375822 in fine is still true however. We should investigate how to make FR config easier and less prone to cause breaks each time we have to modify it.

What @Tgr mentioned at T226410#5375822 in fine is still true however. We should investigate how to make FR config easier and less prone to cause breaks each time we have to modify it.

[offtopic] What about adding tests for flaggedrevs wikis? At least some of them. That way, anyone who would want to change FR revision would have to implement the same thing twice => reduced probability of screwing things up. Not ideal, but something. What do you think?

Change 526492 merged by jenkins-bot:
[operations/mediawiki-config@master] flaggedrevs.php: Allow wikis to remove ability to promote to/demote from autoreview/editor

https://gerrit.wikimedia.org/r/526492

Mentioned in SAL (#wikimedia-operations) [2019-08-01T11:05:08Z] <urbanecm@deploy1001> Synchronized wmf-config/flaggedrevs.php: SWAT: aa82657: flaggedrevs.php: Allow wikis to remove ability to promote to/demote from autoreview/editor (T229346) (duration: 00m 54s)

Urbanecm closed this task as Resolved.Thu, Aug 1, 11:05 AM

Fixed.

Thanks @Urbanecm!

Happy to help!

Samat awarded a token.Fri, Aug 2, 4:10 PM