Only trusted users should be able to be added as an admin for a particular poll. This is currently not enforced in the software, so must be checked manually by the person who adds the admin to the election.
The form should only allow trusted users to become poll admins, by requiring that admins are in the electionadmin group. This should be enforced by the UsersMultiselectWidget after T270634.
| Status | Subtype | Assigned | Task | ||
|---|---|---|---|---|---|
| Resolved | STran | T271327 Require that a user is in the electionadmin group in order to be an admin for a poll [M] | |||
| Resolved | STran | T270634 Use UsersMultiselectWidget in SecurePoll create form | |||
| Resolved | STran | T277353 electionadmin group needs to be added to testwiki to restore securepolls testing functionality |
We want only people with election-admin right to be allowed to be added as poll admins. Only people who are poll admin on an election and have the election-admin right should be allowed to modify a poll.
Election admins should be given temporary rights when assigning them the rights.
Should the user right be automatically removed upon beginning of a poll?
Election admins should be given temporary rights when assigning them the rights.
From @jrbs: no need for the software to do this if it does everything else in T271327#6726468 (correct me if I'm wrong!)
This task
Only people who are poll admin on an election and have the election-admin right should be allowed to modify a poll.
Filed as T271354
Change 655021 had a related patch set uploaded (by STran; owner: STran):
[mediawiki/extensions/SecurePoll@master] Use UsersMultiselectWidget to set election admins and validate that users are members of the electionadmin group
Change 655021 merged by jenkins-bot:
[mediawiki/extensions/SecurePoll@master] Update admin selection input for SecurePoll create/edit
Change 655481 had a related patch set uploaded (by Tchanders; owner: Tchanders):
[mediawiki/extensions/SecurePoll@master] Fix message key in CreatePage validation callback
Change 655481 merged by jenkins-bot:
[mediawiki/extensions/SecurePoll@master] Fix message key in CreatePage validation callback
You can only add a user as admin to a poll if they are in the electionadmin group.
This applies both when creating for the first time and when submitting an edit to the election. If a user gets removed from the electionadmin group in the mean-time, you will need to remove them as an election admin if you want to edit the election.
We only check the groups a user is a member of on the wiki we are creating the election on.
If, for example, we create the election on votewiki but it is "for" enwiki, only the user rights on votewiki will matter (for the purposes of creating an election at least). (I don't yet know how this functionality works or gets used.)
As far as I could tell, electionadmin only appears to be a local group, it is not a global group, so there does not seem to be any added complexity here.
I tested this both with and without javascript.
Test Environment: local vagrant MediaWiki 1.36.0-alpha (f4c63c6), SecurePoll 2.0.0 (828f8d9).
Test Browser: Firefox 78.
The patch is not how permissions are meant to be done. You should have a right for this and have the group grant the right. There should not be any group named in the code. Like @Niharika said:
We want only people with election-admin right to be allowed to be added as poll admins. Only people who are poll admin on an election and have the election-admin right should be allowed to modify a poll.
Election admins should be given temporary rights when assigning them the rights.
By default, all users should have the right, because as far as I can see, this is a WMF-specific hack which makes it a nuisance for anyone else to use the extension.
Closing this one out and instead working from T293015: Check for the election-admin right instead of the electionadmin group
@STran did I put this in the right place? I might have misplaced this task as I was creating our new sprint board
Shouldn't this one have been closed in favor of T293015: Check for the election-admin right instead of the electionadmin group? Also is AHT still working on SecurePoll things?
@STran: Removing task assignee as this open task has been assigned for more than two years - See the email sent to task assignee on Feburary 22nd, 2023.
Please assign this task to yourself again if you still realistically [plan to] work on this task - it would be welcome! :)
If this task has been resolved in the meantime, or should not be worked on by anybody ("declined"), please update its task status via "Add Action… 🡒 Change Status".
Also see https://www.mediawiki.org/wiki/Bug_management/Assignee_cleanup for tips how to best manage your individual work in Phabricator. Thanks!
Closing as resolved as this was reopened due to an issue now tracked in another task.