Page MenuHomePhabricator
Create Task
Maniphest T230805

Confirmation of flag assignment by other bureaucrats
Open, MediumPublicFeature
Actions

Description

This proposal is mainly for large Foundation projects, but I think, for other major projects based on MediaWiki, it will also be useful.

Sometimes it happens that the flag of the bureaucrat is given or want to give out to participants who don't have an administrator flag. But the administrator’s flag can be given by bureaucrat’s clicking one mouse button, without any control. This can be done by an angry community member or the person who stole the account.

What if you create a setting that would allow you to give an administrator flag or any other only with the confirmation of another bureaucrat? This will protect the community from sudden violations with the flag of the bureaucrat. It will also allow the flag of the bureaucrat to be given without an administrator flag, since there will be no worries that the bureaucrat will give an admin flag for himself.

Related Objects

Event Timeline

Iniquity created this task.Aug 20 2019, 2:35 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 20 2019, 2:35 PM
Iniquity changed the subtype of this task from "Task" to "Feature Request".Aug 20 2019, 2:36 PM
Iniquity updated the task description. (Show Details)
Iniquity renamed this task from Flag confirmation by other bureaucrats to Confirmation of flag assignment by other bureaucrats.Aug 20 2019, 2:42 PM
DannyS712 subscribed.EditedAug 20 2019, 2:42 PM

The second use case (not granting self admin) is similar to T44072. It can also be implemented separately - this task calls for requiring two 'crat accounts working together to be able to grant +sysop, while the second idea here and the linked task call for, similar to the distinction between wgGroupsAddToSelf and wgAddGroups, something like wgGroupsAddToOthers (and remove)

DannyS712 moved this task from Backlog to User rights on the MediaWiki-User-management board.Aug 20 2019, 2:43 PM
sbassett triaged this task as Medium priority.Aug 20 2019, 2:47 PM
sbassett removed a project: deprecated-security-team-reviews.
DannyS712 mentioned this in T44072: Add option to prevent users from adding themselves to or removing themselves from a user group.Aug 20 2019, 2:58 PM
Dinoguy1000 subscribed.Aug 20 2019, 5:42 PM

If the first use-case (requiring a second bureaucrat's confirmation to promote admins) is done, it should be opt-in only, and should not have any effect if a wiki only has a single bureaucrat for (hopefully) obvious reasons.

gerritbot added a comment.Aug 20 2019, 11:08 PM

Change 531319 had a related patch set uploaded (by DannyS712; owner: DannyS712):
[mediawiki/core@master] Add wgGroupsRemoveFromOthers and wgGroupsAddToOthers user group configuration options.

https://gerrit.wikimedia.org/r/531319

gerritbot added a project: Patch-For-Review.Aug 20 2019, 11:08 PM
DannyS712 removed a project: Patch-For-Review.Aug 20 2019, 11:11 PM

Sorry, that patch is primarily for T44072

Xiplus subscribed.Aug 23 2019, 11:25 AM
Wong128hk subscribed.Aug 23 2019, 11:40 AM

I'm wondering why the problems cannot be solved by simply removing the b'crat flag from the angry community member or stolen account. why don't we keep things simple stupid? if the logic goes like this, do we need two CUer to CU; two OSer to OS? or we need to have two stewards together to do somethings?

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits