Page MenuHomePhabricator
Create Task
Maniphest T245110

Should per user `Echo-whitelist` pages be protected?
Open, MediumPublicSecurity
Actions

Description

Story:
As a user,
When I learn that https://en.wikipedia.org/wiki/User:DannyS712/Echo-whitelist controls customization of my notifications
I wonder if other users should be able to edit the settings

Its not a very widely used feature, from what I've seen, but Special:MyPage/Echo-whitelist overrides MediaWiki:Echo-blacklist to show notifications from otherwise blacklisted accounts. Given that this isn't stored as a preference, but rather based on the content of a page, should other users be able to edit the setting?

Details

Author Affiliation
Wikimedia Communities

Event Timeline

DannyS712 created this task.Feb 13 2020, 7:52 AM
Restricted Application added projects: User-DannyS712, Security. · View Herald TranscriptFeb 13 2020, 7:52 AM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
DannyS712 added projects: Notifications, MediaWiki-User-management.Feb 13 2020, 7:53 AM
DannyS712 moved this task from Unsorted to Reports on the User-DannyS712 board.
Restricted Application added a project: Growth-Team. · View Herald TranscriptFeb 13 2020, 7:53 AM
Urbanecm added subscribers: marcella, Etonkovidova, MMiller_WMF and 5 others.Feb 13 2020, 8:12 AM

Good point. I'd say we should convert it to a JSON page (protected by default) and migrate all existing pages.

Adding Growth team members to CC to grant them access if they don't already.

DannyS712 added a comment.Feb 13 2020, 8:24 AM
In T245110#5879806, @Urbanecm wrote:

Good point. I'd say we should convert it to a JSON page (protected by default) and migrate all existing pages.

Adding Growth team members to CC to grant them access if they don't already.

Would this be at the same title, just as a JSON page, or at echo-whitelist.json?

Also has the advantage of a cleaner syntax: just a normal json array:

New format
[
	"DannyS712",
	"Sinebot",
	"Foobar"
]

sysadmins have edituserjson, so it should be pretty straight forward for them to do

DannyS712 changed Author Affiliation from N/A to Wikimedia Communities.Feb 13 2020, 8:24 AM
Urbanecm added a comment.Feb 13 2020, 7:32 PM
In T245110#5879819, @DannyS712 wrote:
In T245110#5879806, @Urbanecm wrote:

Good point. I'd say we should convert it to a JSON page (protected by default) and migrate all existing pages.

Adding Growth team members to CC to grant them access if they don't already.

Would this be at the same title, just as a JSON page, or at echo-whitelist.json?

Latter - to automatically be treated as JSON.

Also has the advantage of a cleaner syntax: just a normal json array:

New format
[
	"DannyS712",
	"Sinebot",
	"Foobar"
]

sysadmins have edituserjson, so it should be pretty straight forward for them to do

Trizek-WMF added a comment.Feb 17 2020, 5:27 PM

By default, don't ask users to use JSON or whatever that requires a sort of a syntax. Syntax is the path for the "something goes wrong" journey, even with skilled users. :)
One user per line on a blank page, as it is now, is the best we can ask.

chasemp triaged this task as Medium priority.Feb 19 2020, 4:40 PM
chasemp moved this task from Incoming to Watching on the Security-Team board.
chasemp removed a project: acl*security.Feb 20 2020, 8:06 PM
DannyS712 added a comment.Mar 24 2020, 12:24 AM
In T245110#5890744, @Trizek-WMF wrote:

By default, don't ask users to use JSON or whatever that requires a sort of a syntax. Syntax is the path for the "something goes wrong" journey, even with skilled users. :)
One user per line on a blank page, as it is now, is the best we can ask.

If we want to keep the current structure, but protect it from others, what level of protection is desired? I would suggest requiring edituserjson (similar to above) to allow admins, etc to remove any inappropriate content while still allowing users to be safe with the knowledge that it is as protected as their json pages.
If this approach is used, we could

  • Add a hook to Title::isUserJsonConfigPage
  • Add a handler to EchoHooks
Trizek-WMF added a comment.Mar 31 2020, 9:43 AM

What is the usual standard concerning editing json files? IF any, it should be applied here to keeps things simple and logical.

Tgr added a comment.Mar 31 2020, 10:40 AM

If we are going to extend edituserjson to non-JSON pages, it should probably be renamed. edituserconfig would be a good name, except it conflicts with Title::is[Site|User]ConfigPage which somewhat misleadingly considers CSS/JS pages as config.
(Also, please don't make isUserJsonConfigPage return true on non-JSON pages.)

DannyS712 added a comment.Jun 28 2020, 6:31 AM
In T245110#6014142, @Tgr wrote:

If we are going to extend edituserjson to non-JSON pages, it should probably be renamed. edituserconfig would be a good name, except it conflicts with Title::is[Site|User]ConfigPage which somewhat misleadingly considers CSS/JS pages as config.
(Also, please don't make isUserJsonConfigPage return true on non-JSON pages.)

Then what about having Title::isUserConfigPage trigger a hook for extensions?

Tgr added a comment.Jun 28 2020, 3:04 PM
In T245110#6262200, @DannyS712 wrote:

Then what about having Title::isUserConfigPage trigger a hook for extensions?

Yeah, that seems like a reasonable thing to do.

DannyS712 added a comment.Jun 28 2020, 3:06 PM
In T245110#6262568, @Tgr wrote:
In T245110#6262200, @DannyS712 wrote:

Then what about having Title::isUserConfigPage trigger a hook for extensions?

Yeah, that seems like a reasonable thing to do.

Since this would require two patches (core to add the hook, and echo to use it), is it okay to have the core patch public, given the scope (adding a new hook) as long as we don't say why its needed?

Tgr added a comment.Jun 28 2020, 4:42 PM

Personally I don't see much value in making any task/patch private. There is no security issue here.

sbassett subscribed.Jun 29 2020, 3:55 PM
In T245110#6262570, @DannyS712 wrote:

Since this would require two patches (core to add the hook, and echo to use it), is it okay to have the core patch public, given the scope (adding a new hook) as long as we don't say why its needed?

I think this is a minor enough issue, that should be fine. I'll make the task public.

In T245110#6262636, @Tgr wrote:

Personally I don't see much value in making any task/patch private. There is no security issue here.

In a very minor way, I think it at least falls under this class of vulns. And there have been similar issues in the past: https://www.mediawiki.org/wiki/Topic:Uirl8i2lzklbbpy9.

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".Jun 29 2020, 3:55 PM
JJMC89 moved this task from Backlog to Other on the MediaWiki-User-management board.Nov 28 2020, 4:46 PM
JJMC89 subscribed.

Can the edit policy be reset too?

JJMC89 unsubscribed.Nov 28 2020, 4:47 PM
Legoktm changed the edit policy from "Custom Policy" to "All Users".Nov 28 2020, 9:42 PM
Legoktm subscribed.Nov 28 2020, 9:47 PM

Realistically, I think using a wiki page for this was a quick hack and it would make more sense as a user preference long-term (rather than trying to figure out whether it should be protected...).

DannyS712 renamed this task from Should per user `Echo-whitelist` pages be protected to Should per user `Echo-whitelist` pages be protected?.Nov 28 2020, 11:13 PM
MBinder_WMF added a project: Growth-Team-Filtering.Apr 15 2021, 6:51 PM
Htriedman removed a project: Security-Team.Nov 3 2021, 7:01 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL