Page MenuHomePhabricator

Configure permissions
Closed, ResolvedPublic

Description

Draft a set of configuration settings to implement the permissions for the API Portal

Requirements:

  • Docs-editors group
    • Create pages
    • Edit pages
  • Logged-in users
    • Manage app credentials
    • Post to talk pages
  • Anonymous users
    • View pages

References:


Suggested additions for pre-launch (WIP): Intended to make content private until launch

$wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['user']['read'] = false;
$wgGroupPermissions['docseditor']['read'] = true;


$wgWhitelistRead = [
    "Main Page", "Special:UserLogin"
    ];

Suggested config: Launch (WIP)

$wgGroupPermissions['user']['move'] = false;
$wgGroupPermissions['user']['move-subpages'] = false;
$wgGroupPermissions['user']['edit'] = false;
$wgGroupPermissions['user']['createpage'] = false;

$wgGroupPermissions['docseditor']['docseditor'] = true;
$wgGroupPermissions['docseditor']['move'] = true;
$wgGroupPermissions['docseditor']['move-subpages'] = true;
$wgGroupPermissions['docseditor']['edit'] = true;
$wgGroupPermissions['docseditor']['createpage'] = true;

$wgGroupPermissions['sysop']['docseditor'] = true;
$wgGroupPermissions['sysop']['move'] = true;
$wgGroupPermissions['sysop']['move-subpages'] = true;
$wgGroupPermissions['sysop']['edit'] = true;
$wgGroupPermissions['sysop']['createpage'] = true;

$wgGroupPermissions['bureaucrat']['docseditor'] = true;
$wgGroupPermissions['bureaucrat']['move'] = true;
$wgGroupPermissions['bureaucrat']['move-subpages'] = true;
$wgGroupPermissions['bureaucrat']['edit'] = true;
$wgGroupPermissions['bureaucrat']['createpage'] = true;

$wgNamespaceProtection[NS_MAIN] = [ 'docseditor' ];
$wgNamespaceProtection[NS_PROJECT] = [ 'docseditor' ];
// Local uploads are disabled...
$wgNamespaceProtection[NS_FILE] = [ 'docseditor' ];
$wgNamespaceProtection[NS_TEMPLATE] = [ 'docseditor' ];
$wgNamespaceProtection[NS_HELP] = [ 'docseditor' ];
$wgNamespaceProtection[NS_CATEGORY] = [ 'docseditor' ];

Event Timeline

apaskulin created this task.Apr 9 2020, 3:28 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 9 2020, 3:28 PM
apaskulin triaged this task as Medium priority.Apr 9 2020, 4:22 PM

@apaskulin if the only restriction needed is on talk pages, https://www.mediawiki.org/wiki/Manual:$wgNamespaceProtection is enough - just require, eg, autoconfirmed to edit other namespaces

apaskulin updated the task description. (Show Details)Apr 9 2020, 6:02 PM

Thanks, @DannyS712! This is super helpful information. I've updated the task description.

@apaskulin I think the hidden beast here is contributors translating content. I don't know whether that's something to target in the initial version, and how to make that happen.

That's a good point, @eprodromou. The plan lists both translation and contribution flows under future scope, so we'll need to make sure we launch those two features together.

Reedy added a subscriber: Reedy.Jun 2 2020, 9:34 PM

So for further clarification/explicitness...

Docs-editors group

    Create pages
    Edit pages

Is this create and edit pages in all namespaces (Banning users from editing their own user pages would seem odd etc)? All non talk namespaces?

Reedy added a comment.Jun 2 2020, 10:26 PM

And for consistency...

I think it should be docseditor (or doceditor) - removing the hyphen and the plural at the end of editors; all other group names are singular

Is this create and edit pages in all namespaces (Banning users from editing their own user pages would seem odd etc)? All non talk namespaces?

Yes, since editing will be limited for the MVP, we'd like to ban editing non-talk namespaces.

I think it should be docseditor (or doceditor) - removing the hyphen and the plural at the end of editors; all other group names are singular

docseditor works for me!

Reedy updated the task description. (Show Details)Jun 2 2020, 10:57 PM
Reedy updated the task description. (Show Details)Jun 2 2020, 11:00 PM
Reedy updated the task description. (Show Details)Jun 2 2020, 11:05 PM
Reedy added a comment.Jun 2 2020, 11:13 PM

Regarding my comment on another task about extensions... Based on https://api.wikimedia.beta.wmflabs.org/w/api.php?action=query&meta=siteinfo&siprop=namespaces

Core NS:

"canonical": "Media",
"canonical": "Special",
"canonical": "Talk",
"canonical": "User",
"canonical": "User talk",
"canonical": "Project",
"canonical": "Project talk",
"canonical": "File",
"canonical": "File talk",
"canonical": "MediaWiki",
"canonical": "MediaWiki talk",
"canonical": "Template",
"canonical": "Template talk",
"canonical": "Help",
"canonical": "Help talk",
"canonical": "Category",
"canonical": "Category talk",

Extension NS:

"canonical": "Config",
"canonical": "Config talk",
"canonical": "Jade",
"canonical": "Jade talk",
"canonical": "Module",
"canonical": "Module talk",
"canonical": "Gadget",
"canonical": "Gadget talk",
"canonical": "Gadget definition",
"canonical": "Gadget definition talk",
"canonical": "Newsletter",
"canonical": "Newsletter talk",

I suspect we want to keep Scribunto (Module), probably Gadgets..

JsonConfig and Jade don't seem useful here... Newsletter is possibly useful or maybe not

Reedy added a comment.Jun 2 2020, 11:15 PM

How are we doing granting of docseditor? By 'crats as most wikis? Sysops? Something else?

Reedy added a comment.Jun 2 2020, 11:35 PM

Manage app credentials

How is this going to work? OAuth rights are mostly on metawiki... How is the extension on this wiki going to do this? Some new/seperate right?

I suspect we want to keep Scribunto (Module), probably Gadgets.. JsonConfig and Jade don't seem useful here... Newsletter is possibly useful or maybe not

That sounds good. Let's keep Scribunto (Module), Gadgets, and Newsletter. We don't need JsonConfig or Jade.

How are we doing granting of docseditor? By 'crats as most wikis? Sysops? Something else?

By bureaucrats sounds good

How is this going to work? OAuth rights are mostly on metawiki... How is the extension on this wiki going to do this? Some new/seperate right?

We don't need a new right created for this; the right associated with this will be created by the WikimediaApiPortalOAuth extension in a special page.

// TODO: Do we want to give these to sysop/bureaucrat too?

Yes, that sounds good. Thank you!

Reedy updated the task description. (Show Details)Jun 3 2020, 10:22 PM

Change 602189 had a related patch set uploaded (by Reedy; owner: Reedy):
[operations/mediawiki-config@master] [beta] More config for apiportalwiki

https://gerrit.wikimedia.org/r/602189

Change 602189 merged by jenkins-bot:
[operations/mediawiki-config@master] [beta] More config for apiportalwiki

https://gerrit.wikimedia.org/r/602189

Mentioned in SAL (#wikimedia-operations) [2020-06-03T23:06:56Z] <reedy@deploy1001> Synchronized wmf-config/InitialiseSettings-labs.php: T249834 (duration: 01m 06s)

Mentioned in SAL (#wikimedia-operations) [2020-06-03T23:08:12Z] <reedy@deploy1001> Synchronized wmf-config/CommonSettings-labs.php: T249834 (duration: 01m 06s)

Reedy added a comment.Jun 3 2020, 11:44 PM

https://api.wikimedia.beta.wmflabs.org/wiki/Special:ListGroupRights shows the state of play.

Will look better when the patch for T254285 is merged and deployed

apaskulin updated the task description. (Show Details)Jun 11 2020, 7:21 PM

Updated based on approach for pre-launch config proposed in T255040#6212564. Feel free to correct if I've made any mistakes.

apaskulin closed this task as Resolved.Wed, Jul 1, 6:03 PM

Resolving this task since the permissions scheme has been defined. Feel free to re-open if there are corrections or additions!