Configure API Portal wiki
Closed, Resolved · Public

Description

Following the deployment of the API Portal wiki at api.wikimedia.org, configure the wiki to match the configuration used in api.wikimedia.beta.wmflabs.org with the addition of the extra config needed for private launch:

$wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['user']['read'] = false;
$wgGroupPermissions['docseditor']['read'] = true;

$wgWhitelistRead = [
    "Main Page",
    "Special:UserLogin",
];

In addition to the config described above, we also need to disable the Collection Extension. (See T260309 for details.)

To do:

  • Apply config
  • Make APaskulin (WMF) a bureaucrat
  • Verify that all users outside the docseditor group can only view the main page and the login page

Event Timeline

Restricted Application added a subscriber: Aklapper. · Thu, Aug 27, 3:53 PM
WDoranWMF assigned this task to hnowlan. · Thu, Aug 27, 5:14 PM
WDoranWMF moved this task from Backlog to Ready on the Platform Team Workboards (Green) board.

@hnowlan Just positioning on the board so it's ready when we are at this point.

Thanks @apaskulin for setting this up!

Change 624750 had a related patch set uploaded (by Hnowlan; owner: Hnowlan):
[operations/mediawiki-config@master] api-portal: required extended configuration

https://gerrit.wikimedia.org/r/624750

Change 624750 merged by jenkins-bot:
[operations/mediawiki-config@master] api-portal: required extended configuration

https://gerrit.wikimedia.org/r/624750

Mentioned in SAL (#wikimedia-operations) [2020-09-09T11:34:40Z] <awight@deploy1001> Synchronized wmf-config: Config: [[gerrit:624750|api-portal: required extended configuration (T261425)]] (duration: 01m 08s)

The new config has been deployed and the wiki is now reskinned and locked down.

apaskulin updated the task description. · Wed, Sep 9, 4:04 PM

@CCicalese_WMF Can you help us troubleshoot the permissions for this? My user APaskulin_(WMF) has bureaucrat rights, but I'm still seeing a permissions error. The same thing is happening on the beta site: my user (Apaskulin) with docs editor permissions is getting a permissions error. Hugh and I suspect there is an issue with the config.

Do you have docseditor permissions in api.wikimedia? It looks like reading is limited to that group only. I can try to grant those to you if needed.

It turns out that adding a user to docseditor fixes this issue - but our change was in theory supposed to make bureaucrat automatically part of that group.

The deployed config (3f4529d) does not make bureaucrats part of docseditors or vice versa. They're two different groups. But you may grant bureaucrats 'read' permissions as well.

CCicalese_WMF added a comment. · Edited · Wed, Sep 9, 4:54 PM

There is a docseditor group as well as a docseditor right. That is confusing and should be fixed. The right should be something like editdocs. I will create a patch to the skin to fix that as well as a patch to the config to match.

The config allows bureaucrats to add and remove users from the docseditor group, but it does not give bureaucrats the docseditor right. It does give docseditor to sysops. Bureaucrats don't really need the docseditor right, but they do need to be able to read at least Special:UserRights.
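
The read behaviour discussed in the comments above, as an added example that is not part of the task or of the Wikimedia config: a simplified model in which a user's rights are the union of the rights granted to their groups, checked against the read lockdown from the task description. The function names, the sample accounts and the `BASE`/`FIXED` dictionaries are assumptions made for illustration.

```python
# Simplified model (an assumption, not MediaWiki code): a user's rights are
# the union of rights granted to each of their groups; groups never nest.

# Read lockdown from the task description.
BASE = {
    "*": {"read": False},
    "user": {"read": False},
    "docseditor": {"read": True},
}
# Change discussed in the thread: grant bureaucrats 'read' as well.
FIXED = {**BASE, "bureaucrat": {"read": True}}
WHITELIST_READ = {"Main Page", "Special:UserLogin"}

# Constructed sample accounts: implicit groups plus explicit membership.
ACCOUNTS = {
    "anonymous": ["*"],
    "logged-in": ["*", "user"],
    "bureaucrat": ["*", "user", "bureaucrat"],
    "docs editor": ["*", "user", "docseditor"],
}

def effective_rights(group_permissions, groups):
    """Union of the rights set to True in any of the user's groups."""
    return {
        right
        for group in groups
        for right, granted in group_permissions.get(group, {}).items()
        if granted
    }

def can_read(group_permissions, groups, title):
    """Whitelisted titles are readable by anyone; others need 'read'."""
    if title in WHITELIST_READ:
        return True
    return "read" in effective_rights(group_permissions, groups)

def read_matrix(group_permissions, titles):
    """Map (account, title) -> bool for every sample account and title."""
    return {
        (name, title): can_read(group_permissions, groups, title)
        for name, groups in ACCOUNTS.items()
        for title in titles
    }

if __name__ == "__main__":
    titles = ["Main Page", "Special:UserLogin", "Special:UserRights"]
    for label, cfg in (("deployed", BASE), ("fixed", FIXED)):
        for key, allowed in read_matrix(cfg, titles).items():
            print(label, key, "read" if allowed else "denied")
```

Under the deployed settings the bureaucrat account is denied Special:UserRights because no group it belongs to grants `read`; title normalisation and rights revocation are not modelled.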

Majavah added a subscriber: Majavah. · Wed, Sep 9, 4:56 PM

Change 626188 had a related patch set uploaded (by Cicalese; owner: Cicalese):
[mediawiki/skins/WikimediaApiPortal@master] Rename docseditor right to edit-docs

https://gerrit.wikimedia.org/r/626188

Change 626190 had a related patch set uploaded (by Cicalese; owner: Cicalese):
[operations/mediawiki-config@master] Rename docseditor right to edit-docs. Allow bureaucrats to read.

https://gerrit.wikimedia.org/r/626190

Change 626044 had a related patch set uploaded (by Ppchelko; owner: Cicalese):
[mediawiki/skins/WikimediaApiPortal@wmf/1.36.0-wmf.8] Rename docseditor right to edit-docs

https://gerrit.wikimedia.org/r/626044

Change 626188 merged by jenkins-bot:
[mediawiki/skins/WikimediaApiPortal@master] Rename docseditor right to edit-docs

https://gerrit.wikimedia.org/r/626188

Change 626190 merged by jenkins-bot:
[operations/mediawiki-config@master] Rename docseditor right to edit-docs. Allow bureaucrats to read.

https://gerrit.wikimedia.org/r/626190

Change 626044 merged by jenkins-bot:
[mediawiki/skins/WikimediaApiPortal@wmf/1.36.0-wmf.8] Rename docseditor right to edit-docs

https://gerrit.wikimedia.org/r/626044

Mentioned in SAL (#wikimedia-operations) [2020-09-09T20:01:57Z] <ppchelko@deploy1001> Synchronized php-1.36.0-wmf.8/skins/WikimediaApiPortal: Backport gerrit:626044, T261425 (duration: 01m 12s)

Mentioned in SAL (#wikimedia-operations) [2020-09-09T20:03:43Z] <ppchelko@deploy1001> Synchronized wmf-config/InitialiseSettings.php: gerrit:626190 T261425 (duration: 01m 03s)

apaskulin closed this task as Resolved. · Wed, Sep 9, 8:12 PM
apaskulin updated the task description.
apaskulin moved this task from Doing to Done on the Platform Team Workboards (Green) board.

Verified on beta and prod. Thanks all!