Page MenuHomePhabricator

Design an architecture proposal for user authorization that can use the data returned from WikilambdaDiff to restrict access
Open, Needs TriagePublic

Description

Description

WikiLambdaDiff currently calculates Diffs returning the following format:

{
	"root.Z2K3.Z12K1.1.Z11K2": {
		"type": "change",
		"oldvalue": "Some string",
		"newvalue": "Some monolingual text"
	}
}

Where, for each atomic change, we are extracting:

  • The path: root.Z2K3.Z12K1.1.Z11K2
  • The operation: change | add | remove
  • The old and/or new values

Desired behavior/Acceptance criteria (returned value, expected error, performance expectations, etc.)

Using the "path" and "operation" information, the system should be able to:

  • Check if there's any restriction that applies to that tuple
    • E.g. [ "$.root.Z2K3.Z12K1", "add" ] is allowed for anyone: (Anyone can add a new label to a persisted ZObject)
    • E.g. [ "$.root.Z2K2.Z8K3", "add" ] is only allowed for sysadmins: (Only sysadmins can attach testers to a persisted ZFunction)
  • Check if the current user privileges allow for this operation
  • If the user cannot do a particular operation, don't perform it
  • Return an understandable and accessible error report to the user

This task requires:

  • Research and understand Mediawiki architecture and standard practices reg. user and group authorization
  • Design an architecture proposal for how to integrate this process in the WikiLambda edit/creation process
  • Design a format proposal for how/where to record path-operation-group rules that is easily usable from the system and can be easily edited and augmented by the engineers

Completion checklist

Related Objects