On 11 August 2015 at 13:07, Mr. Stradivarius <misterstrad(a)gmail.com> wrote:
On Wed, Aug 12, 2015 at 1:44 AM, Pine W <wiki.pine(a)gmail.com> wrote:
Would keeping sensitive pages in wikitext format under "full protection"
(meaning that only local administrators can edit) be sufficient?
This is asking for trouble. Even if all our admins acted sensibly all the
time - and if you've been around here long enough, you know that's not true
- there is still the very real possibility of admin accounts being
compromised. I have personally fixed XSS flaws in widely used user scripts,
and a determined attacker would be highly likely to find others. This is
best kept out of the control of admins so that if an admin account is
compromised it will not affect other accounts.
_______________________________________________
Just so we're clear here - "locking down" these kinds of pages is pretty
much what the Superprotect extension does. It is (to put it mildly) not
well-loved by the Wikimedia community; however, it may be possible to
persuade them that there are certain key pages that must not even be
altered by local admins (copyright being the primary example, but probably
some others as well).
This would require very diplomatic discussion. And given that this is the
'anniversary' of the introduction of Superprotect, it might be better to
wait for a while to really have that conversation.
Risker/Anne
_______________________________________________
Wikitech-l mailing list
Wikitech-l(a)lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
OAuth applications' details must remain editable by the app's author.
Superprotect does not account for them.