One rather obvious point you could make is that $wgUseSiteJs is enabled by
default (and on Wikimedia projects!); if it were a gaping security
vulnerability, it would be disabled. Somebody could potentially do nasty
things with JS, of course, but to do that he would need to have already
compromised your admin account, and at that point you'd already be screwed.
:-)
Beyond that, a good farm setup will allow your sysop to set different
settings for different wikis, so he shouldn't need to enable this for all
the wikis if he doesn't want to. Changes to one wiki's JS shouldn't be able
to affect anything on another wiki (assuming they're on separate
subdomains).
Of course, if you really just want this so you can change the favicon
location, why don't you ask your sysop to set $wgFavicon for your sub-wiki?
On Sat, May 23, 2009 at 8:57 PM, Greg Webb <gregw(a)zip.com.au> wrote:
24/05/2009 10:45:58
Hi Poon,
On our wiki the Common.js feature needs to be turned on. I am the admin for
a sub-wiki, not the whole wiki. The sysop runs the whole wiki and the
settings files (DefaultSettings.php and LocalSettings.php) have the switch
'$wgUseSiteJs' turned off. The sysop's attitude is that any change to the
settings is going to affect all sub-wikis, ours being just one of them. My
argument is that the sysop can turn on the Common.js feature, which will
affect all sub-wikis, and it is safe to do so. With this feature on I will
be able to change the settings that I want changed without it affecting all
the other sub-wikis.
If you have a one-wiki system this will not be an issue for you. You will
not need the Common.js file. As the sysop you can change the settings in
the LocalSettings.php file.
I'm trying to convince my sysop that it is safe to turn on '$wgUseSiteJs'
because:
* only sub-wiki admins will be able to change their own sub-wiki Common.js
file, not normal users. (The common.js file is protected by default)
* any JavaScript run from a local sub-wiki is unable to affect other
sub-wikis.
I'm hoping to draw on the expertise of this group to support my argument.
:-)
___________
Greg
-----Original Message-----
From: mediawiki-l-bounces(a)lists.wikimedia.org
[mailto:mediawiki-l-bounces@lists.wikimedia.org] On Behalf Of Ekompute .info
Sent: Sunday, 24 May 2009 4:19 AM
To: MediaWiki announcements and site admin list
Subject: Re: [Mediawiki-l] Enabling the Common.js feature
Hi, do pages need to be enabled? I think the question of enabling does not
arise.
PM Poon
On Sat, May 23, 2009 at 7:19 PM, Greg Webb <gregw(a)zip.com.au> wrote:
23/05/2009 21:06:58
Hi:
That's good to know. Do many MW admin/sysops allow the use of
Common.js through the settings switch $wgUseSiteJs? Some people seem
to think that it is 'dangerous'. I don't know the capabilities of
JavaScript but my IT experience would say that JavaScript cannot write
to areas that it is not permitted to write to. Hence I would conclude
that any changes I made using JavaScript on my sub-wiki would only be
able to address my sub-wiki, not the top level one and not any other
sub-wiki. That doesn't sound dangerous to the users of other wikis. Is
this argument flawed?
Why do I want access to Common.js? Very simple application, I want to
set my own Favicon and not use the one set at the top level. :-)
___________
Greg
-----Original Message-----
From: mediawiki-l-bounces(a)lists.wikimedia.org
[mailto:mediawiki-l-bounces@lists.wikimedia.org] On Behalf Of K. Peachey
Sent: Saturday, 23 May 2009 7:37 PM
To: MediaWiki announcements and site admin list
Subject: Re: [Mediawiki-l] Enabling the Common.js feature
All pages within the Mediawiki: namespace are automatically full
protected [hard so they can't be unprotected], so only users with
sysop/admin rights on the wiki would be able to edit it.
_______________________________________________
MediaWiki-l mailing list
MediaWiki-l(a)lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
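The "separate subdomains" assumption in the first reply can be checked against a farm's wiki URLs. The following is an added example, not part of the thread; the function names and host names are constructed. It groups wiki base URLs by browser origin (scheme, host, port): wikis that land in the same group share an origin, so the same-origin policy does not separate one wiki's site JS from the others.

```javascript
// Added example: group wiki base URLs by browser origin (scheme + host + port).
// All URLs below are constructed sample values, not taken from the thread.

// Return the origin a browser would assign to pages under this wiki URL.
function originOf(wikiUrl) {
  const u = new URL(wikiUrl);
  if (u.protocol !== 'http:' && u.protocol !== 'https:') {
    throw new Error(`not a web URL: ${wikiUrl}`);
  }
  return u.origin; // URL lowercases the host and drops default ports
}

// Map each origin to the list of wiki URLs served from it.
function groupByOrigin(wikiUrls) {
  const groups = new Map();
  for (const url of wikiUrls) {
    const origin = originOf(url);
    if (!groups.has(origin)) groups.set(origin, []);
    groups.get(origin).push(url);
  }
  return groups;
}

// Groups of two or more wikis that share one origin. Site JS enabled on
// any wiki in such a group runs with access to the others in that group.
function sharedOriginWikis(wikiUrls) {
  return [...groupByOrigin(wikiUrls).values()].filter((g) => g.length > 1);
}

// Constructed sample: one wiki per subdomain, so every origin is distinct.
const subdomainFarm = [
  'https://physics.wiki.example/wiki/',
  'https://chemistry.wiki.example/wiki/',
];

// Constructed sample: wikis under paths of one host. The first two share an
// origin despite host case and the explicit default port; the http:// wiki
// differs by scheme and is therefore a separate origin.
const pathFarm = [
  'https://wiki.example/physics/',
  'https://WIKI.example:443/chemistry/',
  'http://wiki.example/history/',
];

console.log(sharedOriginWikis(subdomainFarm));
console.log(sharedOriginWikis(pathFarm));
```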