
Configure permissions
Closed, Resolved, Public

Description

Draft a set of configuration settings to implement the permissions for the API Portal.

Requirements:

  • Docs-editors group
    • Create pages
    • Edit pages
  • Logged-in users
    • Manage app credentials
    • Post to talk pages
  • Anonymous users
    • View pages

References:


Suggested additions for pre-launch (WIP): Intended to make content private until launch

$wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['user']['read'] = false;
$wgGroupPermissions['docseditor']['read'] = true;


$wgWhitelistRead = [
    "Main Page",
    "Special:UserLogin",
];

Suggested config: Launch (WIP)

$wgGroupPermissions['user']['move'] = false;
$wgGroupPermissions['user']['move-subpages'] = false;
$wgGroupPermissions['user']['edit'] = false;
$wgGroupPermissions['user']['createpage'] = false;

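// 'docseditor' is used both as a group name and as a custom right;
// the $wgNamespaceProtection entries below require the right.
$wgGroupPermissions['docseditor']['docseditor'] = true;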
$wgGroupPermissions['docseditor']['move'] = true;
$wgGroupPermissions['docseditor']['move-subpages'] = true;
$wgGroupPermissions['docseditor']['edit'] = true;
$wgGroupPermissions['docseditor']['createpage'] = true;

$wgGroupPermissions['sysop']['docseditor'] = true;
$wgGroupPermissions['sysop']['move'] = true;
$wgGroupPermissions['sysop']['move-subpages'] = true;
$wgGroupPermissions['sysop']['edit'] = true;
$wgGroupPermissions['sysop']['createpage'] = true;

$wgGroupPermissions['bureaucrat']['docseditor'] = true;
$wgGroupPermissions['bureaucrat']['move'] = true;
$wgGroupPermissions['bureaucrat']['move-subpages'] = true;
$wgGroupPermissions['bureaucrat']['edit'] = true;
$wgGroupPermissions['bureaucrat']['createpage'] = true;

$wgNamespaceProtection[NS_MAIN] = [ 'docseditor' ];
$wgNamespaceProtection[NS_PROJECT] = [ 'docseditor' ];
// Local uploads are disabled...
$wgNamespaceProtection[NS_FILE] = [ 'docseditor' ];
$wgNamespaceProtection[NS_TEMPLATE] = [ 'docseditor' ];
$wgNamespaceProtection[NS_HELP] = [ 'docseditor' ];
$wgNamespaceProtection[NS_CATEGORY] = [ 'docseditor' ];
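
An added example, not part of the task or of MediaWiki's code: a simplified PHP model of how the launch settings above combine. A user's rights are the union of the `true` entries of all their groups, and `$wgNamespaceProtection` then requires the listed right to edit in a namespace. The base values for `'*'` and `'user'` are assumed MediaWiki core defaults (the wiki's real base config may differ), and `effectiveRights()` and `canEdit()` are hypothetical helper names.

```php
<?php
// Added illustration: simplified model of rights evaluation, not MediaWiki's code.
const NS_MAIN = 0, NS_TALK = 1, NS_PROJECT = 4;

// Assumption: MediaWiki core defaults; the wiki's real base config may differ.
$groupPermissions = [
    '*'    => [ 'read' => true, 'edit' => true, 'createpage' => true ],
    'user' => [ 'edit' => true, 'createpage' => true, 'move' => true ],
];
// Launch settings from the task description.
$groupPermissions['user']['edit'] = false;
$groupPermissions['user']['createpage'] = false;
$groupPermissions['user']['move'] = false;
foreach ( [ 'docseditor', 'sysop', 'bureaucrat' ] as $group ) {
    $groupPermissions[$group] = [
        'docseditor' => true, 'edit' => true, 'createpage' => true, 'move' => true,
    ];
}
$namespaceProtection = [ NS_MAIN => [ 'docseditor' ], NS_PROJECT => [ 'docseditor' ] ];

/** Union of every group's `true` entries; `false` grants nothing and revokes nothing. */
function effectiveRights( array $groups, array $perms ): array {
    $rights = [];
    foreach ( $groups as $group ) {
        foreach ( $perms[$group] ?? [] as $right => $granted ) {
            if ( $granted ) {
                $rights[$right] = true;
            }
        }
    }
    return array_keys( $rights );
}

/** Editing needs 'edit' plus every right listed for the namespace. */
function canEdit( array $groups, int $ns, array $perms, array $nsProtection ): bool {
    $rights = effectiveRights( $groups, $perms );
    return in_array( 'edit', $rights, true )
        && array_diff( $nsProtection[$ns] ?? [], $rights ) === [];
}

// Every account is implicitly in '*'; logged-in accounts are also in 'user'.
$cases = [
    'anonymous'  => [ '*' ],
    'logged-in'  => [ '*', 'user' ],
    'docseditor' => [ '*', 'user', 'docseditor' ],
];
foreach ( $cases as $label => $groups ) {
    printf( "%-10s main=%s talk=%s\n", $label,
        var_export( canEdit( $groups, NS_MAIN, $groupPermissions, $namespaceProtection ), true ),
        var_export( canEdit( $groups, NS_TALK, $groupPermissions, $namespaceProtection ), true ) );
}
```

Since `false` grants nothing and revokes nothing, the `user` entries restrict editing only if `*` does not already grant the same right; `$wgRevokePermissions` is the setting that removes a right from a group's members.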

Event Timeline

apaskulin triaged this task as Medium priority. Apr 9 2020, 4:22 PM

@apaskulin if the only restriction needed is on talk pages, https://www.mediawiki.org/wiki/Manual:$wgNamespaceProtection is enough - just require, eg, autoconfirmed to edit other namespaces

Thanks, @DannyS712! This is super helpful information. I've updated the task description.

@apaskulin I think the hidden beast here is contributors translating content. I don't know whether that's something to target in the initial version, and how to make that happen.

That's a good point, @eprodromou. The plan lists both translation and contribution flows under future scope, so we'll need to make sure we launch those two features together.

So for further clarification/explicitness...

Docs-editors group

    Create pages
    Edit pages

Is this create and edit pages in all namespaces (Banning users from editing their own user pages would seem odd etc)? All non talk namespaces?

And for consistency...

I think it should be docseditor (or doceditor) - removing the hyphen and the plural at the end of editors; all other group names are singular

Is this create and edit pages in all namespaces (Banning users from editing their own user pages would seem odd etc)? All non talk namespaces?

Yes, since editing will be limited for the MVP, we'd like to ban editing non-talk namespaces.

I think it should be docseditor (or doceditor) - removing the hyphen and the plural at the end of editors; all other group names are singular

docseditor works for me!

Regarding my comment on another task about extensions... Based on https://api.wikimedia.beta.wmflabs.org/w/api.php?action=query&meta=siteinfo&siprop=namespaces

Core NS:

"canonical": "Media",
"canonical": "Special",
"canonical": "Talk",
"canonical": "User",
"canonical": "User talk",
"canonical": "Project",
"canonical": "Project talk",
"canonical": "File",
"canonical": "File talk",
"canonical": "MediaWiki",
"canonical": "MediaWiki talk",
"canonical": "Template",
"canonical": "Template talk",
"canonical": "Help",
"canonical": "Help talk",
"canonical": "Category",
"canonical": "Category talk",

Extension NS:

"canonical": "Config",
"canonical": "Config talk",
"canonical": "Jade",
"canonical": "Jade talk",
"canonical": "Module",
"canonical": "Module talk",
"canonical": "Gadget",
"canonical": "Gadget talk",
"canonical": "Gadget definition",
"canonical": "Gadget definition talk",
"canonical": "Newsletter",
"canonical": "Newsletter talk",

I suspect we want to keep Scribunto (Module), probably Gadgets..

JsonConfig and Jade don't seem useful here... Newsletter is possibly useful or maybe not

How are we doing granting of docseditor? By 'crats as most wikis? Sysops? Something else?

Manage app credentials

How is this going to work? OAuth rights are mostly on metawiki... How is the extension on this wiki going to do this? Some new/separate right?

I suspect we want to keep Scribunto (Module), probably Gadgets.. JsonConfig and Jade don't seem useful here... Newsletter is possibly useful or maybe not

That sounds good. Let's keep Scribunto (Module), Gadgets, and Newsletter. We don't need JsonConfig or Jade.

How are we doing granting of docseditor? By 'crats as most wikis? Sysops? Something else?

By bureaucrats sounds good

How is this going to work? OAuth rights are mostly on metawiki... How is the extension on this wiki going to do this? Some new/separate right?

We don't need a new right created for this; the right associated with this will be created by the WikimediaApiPortalOAuth extension in a special page.

// TODO: Do we want to give these to sysop/bureaucrat too?

Yes, that sounds good. Thank you!

Change 602189 had a related patch set uploaded (by Reedy; owner: Reedy):
[operations/mediawiki-config@master] [beta] More config for apiportalwiki

https://gerrit.wikimedia.org/r/602189

Change 602189 merged by jenkins-bot:
[operations/mediawiki-config@master] [beta] More config for apiportalwiki

https://gerrit.wikimedia.org/r/602189

Mentioned in SAL (#wikimedia-operations) [2020-06-03T23:06:56Z] <reedy@deploy1001> Synchronized wmf-config/InitialiseSettings-labs.php: T249834 (duration: 01m 06s)

Mentioned in SAL (#wikimedia-operations) [2020-06-03T23:08:12Z] <reedy@deploy1001> Synchronized wmf-config/CommonSettings-labs.php: T249834 (duration: 01m 06s)

https://api.wikimedia.beta.wmflabs.org/wiki/Special:ListGroupRights shows the state of play.

Will look better when the patch for T254285 is merged and deployed

Updated based on approach for pre-launch config proposed in T255040#6212564. Feel free to correct if I've made any mistakes.

Resolving this task since the permissions scheme has been defined. Feel free to re-open if there are corrections or additions!