Page MenuHomePhabricator

Make only allowed user can use debug toolbar
Open, NormalPublic

Description

When $wgDebugToolbar is true, all users can access to debug toolbar now. But maybe someone want to show debug toolbar to specific users, not to all users. So can hide internal infomation to normal users.


Version: 1.23.0
Severity: enhancement
URL: https://www.mediawiki.org/wiki/Requests_for_comment/Debugging_at_production_server

Details

Reference
bz62718

Event Timeline

bzimport raised the priority of this task from to Normal.
bzimport set Reference to bz62718.
devunt created this task.Mar 17 2014, 4:10 AM

Hmmm. I suppose it wouldn't hurt to bind this feature to a MediaWiki user right. And perhaps even give this user right only to sysops by default. Maybe. This needs further consideration.

Change 119002 had a related patch set uploaded by devunt:
Make only allowed user can use debug toolbar

https://gerrit.wikimedia.org/r/119002

I committed some changes. And we need some more discussion about this issue.

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 13 2016, 10:13 AM
Cavila added a subscriber: Cavila.Aug 5 2017, 10:40 AM

+ !

I'm not sure how much discussion we still need. For a smooth transition, I'd say: if the toolbar is enabled, show it to all users by default (current situation) and offer a config setting to tie its visibility to specific user rights.

devunt added a comment.Aug 5 2017, 1:11 PM

+ !

I'm not sure how much discussion we still need. For a smooth transition, I'd say: if the toolbar is enabled, show it to all users by default (current situation) and offer a config setting to tie its visibility to specific user rights.

Debug toolbar on the production environment is usually needed when doing some sort of troubleshooting. And not surprisingly, it is usually used by server administrator, who is capable of editing server settings.
Consider these two scenarios:

  1. Method #1
    1. Make a group that have usedebugtoolbar permission and give it to system administrators' wiki account.
    2. When issue arised, connect to the server, set $wgDebugToolbar as true, let administrators debug the issue, and unset it.
  1. Method #2
    1. Make a group that have usedebugtoolbar permission.
    2. When issue arised, give that group to each system administrators' wiki account, let them debug the issue, and remove that group from each of them.

I prefer method #1, which is current implementation.

Cavila added a comment.EditedAug 5 2017, 6:35 PM

It makes sense to restrict the envisaged 'usedebugtoolbar' permission to sysops or bureaucrats by default. It would be a breaking change so that's why I made the suggestion but I'm fine with either approach.

Method 2 does not seem right to me. By "current implementation" I suppose you mean current best practice?