23/05/2009 19:24:09
You should be able to tell I'm a real newbie.
Do administrators enable the MediaWiki:Common.js function on their wiki sites? The one I am working on is one of many running under an umbrella MediaWiki system. All the sub-sites have the same LocalSettings.php file. I'm wondering if it really is an issue having the Common.js enabled. I thought if all sub-wiki admins were to protect the Common.js file then only locally appointed admins could add code to the file. Any 'mistakes' would, I assume, only affect the local sub-wiki, not other sub-wikis.
Are these fair assumptions or am I completely crazy? :-)
___________ Greg
All pages within the Mediawiki: namespace are automatically full protected [hard so they can't be unprotected], so only users with sysop/admin rights on the wiki would be able to edit it.
23/05/2009 21:06:58 Hi:
That's good to know. Do many MW admin/sysops allow the use of Common.js through the settings switch $wgUseSiteJs? Some people seem to think that it is 'dangerous'. I don't know the capabilities of JavaScript but my IT experience would say that JavaScript cannot write to areas that it is not permitted to write to. Hence I would conclude that any changes I made using JavaScript on my sub-wiki would only be able to address my sub-wiki, not the top level one and not any other sub-wiki. That doesn't sound dangerous to the users of other wikis. Is this argument flawed?
Why do I want access to Common.js? Very simple application, I want to set my own Favicon and not use the one set at the top level. :-)
___________ Greg
-----Original Message----- From: mediawiki-l-bounces@lists.wikimedia.org [mailto:mediawiki-l-bounces@lists.wikimedia.org] On Behalf Of K. Peachey Sent: Saturday, 23 May 2009 7:37 PM To: MediaWiki announcements and site admin list Subject: Re: [Mediawiki-l] Enabling the Common.js feature
All pages within the Mediawiki: namespace are automatically full protected [hard so they can't be unprotected], so only users with sysop/admin rights on the wiki would be able to edit it.
_______________________________________________ MediaWiki-l mailing list MediaWiki-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
Hi, do pages need to be enabled? I think the question of enabling does not arise.
PM Poon
On Sat, May 23, 2009 at 7:19 PM, Greg Webb gregw@zip.com.au wrote:
23/05/2009 21:06:58 Hi:
That's good to know. Do many MW admin/sysops allow the use of Common.js through the settings switch $wgUseSiteJs? Some people seem to think that it is 'dangerous'. I don't know the capabilities of JavaScript but my IT experience would say that JavaScript cannot write to areas that it is not permitted to write to. Hence I would conclude that any changes I made using JavaScript on my sub-wiki would only be able to address my sub-wiki, not the top level one and not any other sub-wiki. That doesn't sound dangerous to the users of other wikis. Is this argument flawed?
Why do I want access to Common.js? Very simple application, I want to set my own Favicon and not use the one set at the top level. :-)
Greg
-----Original Message----- From: mediawiki-l-bounces@lists.wikimedia.org [mailto:mediawiki-l-bounces@lists.wikimedia.org] On Behalf Of K. Peachey Sent: Saturday, 23 May 2009 7:37 PM To: MediaWiki announcements and site admin list Subject: Re: [Mediawiki-l] Enabling the Common.js feature
All pages within the Mediawiki: namespace are automatically full protected [hard so they can't be unprotected], so only users with sysop/admin rights on the wiki would be able to edit it.
MediaWiki-l mailing list MediaWiki-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
MediaWiki-l mailing list MediaWiki-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
24/05/2009 10:45:58 Hi Poon,
On our wiki the Common.js feature needs to be turned on. I am the admin for a sub-wiki, not the whole wiki. The sysop runs the whole wiki and the settings files (DefaultSettings.php and LocalSettings.php) have the switch '$wgUseSiteJs' turned off. The sysop's attitude is that any change to the settings is going to affect all sub-wikis, ours being just one of them. My argument is that the sysop can turn on the Common.js feature, which will affect all sub-wikis, and it is safe to do so. With this feature on I will be able to change the settings that I want changed without it affecting all the other sub-wikis.
If you have a one-wiki system this will not be an issue for you. You will not need the Common.js file. As the sysop you can change the settings in the LocalSettings.php file.
I'm trying to convince my sysop that it is safe to turn on '$wgUseSiteJs' because:
* only sub-wiki admins will be able to change their own sub-wiki Common.js file, not normal users. (The common.js file is protected by default) * any JavaScript run from a local sub-wiki is unable to affect other sub-wikis.
I'm hoping to draw on the expertise of this group to support my argument. :-)
___________ Greg
-----Original Message----- From: mediawiki-l-bounces@lists.wikimedia.org [mailto:mediawiki-l-bounces@lists.wikimedia.org] On Behalf Of Ekompute .info Sent: Sunday, 24 May 2009 4:19 AM To: MediaWiki announcements and site admin list Subject: Re: [Mediawiki-l] Enabling the Common.js feature
Hi, do pages need to be enabled? I think the question of enabling does not arise.
PM Poon
On Sat, May 23, 2009 at 7:19 PM, Greg Webb gregw@zip.com.au wrote:
23/05/2009 21:06:58 Hi:
That's good to know. Do many MW admin/sysops allow the use of Common.js through the settings switch $wgUseSiteJs? Some people seem to think that it is 'dangerous'. I don't know the capabilities of JavaScript but my IT experience would say that JavaScript cannot write to areas that it is not permitted to write to. Hence I would conclude that any changes I made using JavaScript on my sub-wiki would only be able to address my sub-wiki, not the top level one and not any other sub-wiki. That doesn't sound dangerous to the users of other wikis. Is this argument flawed?
Why do I want access to Common.js? Very simple application, I want to set my own Favicon and not use the one set at the top level. :-)
Greg
-----Original Message----- From: mediawiki-l-bounces@lists.wikimedia.org [mailto:mediawiki-l-bounces@lists.wikimedia.org] On Behalf Of K. Peachey Sent: Saturday, 23 May 2009 7:37 PM To: MediaWiki announcements and site admin list Subject: Re: [Mediawiki-l] Enabling the Common.js feature
All pages within the Mediawiki: namespace are automatically full protected [hard so they can't be unprotected], so only users with sysop/admin rights on the wiki would be able to edit it.
MediaWiki-l mailing list MediaWiki-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
MediaWiki-l mailing list MediaWiki-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
_______________________________________________ MediaWiki-l mailing list MediaWiki-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
One rather obvious point you could make is that $wgUseSiteJs is enabled by default (and on Wikimedia projects!); if it were a gaping security vulnerability, it would be disabled. Somebody could potentially do nasty things with JS, of course, but to do that he would need to have already compromised your admin account, and at that point you'd already be screwed. :-)
Beyond that, a good farm setup will allow your sysop to set different settings for different wikis, so he shouldn't need to enable this for all the wikis if he doesn't want to. Changes to one wiki's JS shouldn't be able to to affect anything on another wiki (assuming they're on separate subdomains).
Of course, if you really just want this so you can change the favicon location, why don't you ask your sysop to set $wgFavicon for your sub-wiki?
On Sat, May 23, 2009 at 8:57 PM, Greg Webb gregw@zip.com.au wrote:
24/05/2009 10:45:58 Hi Poon,
On our wiki the Common.js feature needs to be turned on. I am the admin for a sub-wiki, not the whole wiki. The sysop runs the whole wiki and the settings files (DefaultSettings.php and LocalSettings.php) have the switch '$wgUseSiteJs' turned off. The sysop's attitude is that any change to the settings is going to affect all sub-wikis, ours being just one of them. My argument is that the sysop can turn on the Common.js feature, which will affect all sub-wikis, and it is safe to do so. With this feature on I will be able to change the settings that I want changed without it affecting all the other sub-wikis.
If you have a one-wiki system this will not be an issue for you. You will not need the Common.js file. As the sysop you can change the settings in the LocalSettings.php file.
I'm trying to convince my sysop that it is safe to turn on '$wgUseSiteJs' because:
- only sub-wiki admins will be able to change their own sub-wiki Common.js
file, not normal users. (The common.js file is protected by default)
- any JavaScript run from a local sub-wiki is unable to affect other
sub-wikis.
I'm hoping to draw on the expertise of this group to support my argument. :-)
Greg
-----Original Message----- From: mediawiki-l-bounces@lists.wikimedia.org [mailto:mediawiki-l-bounces@lists.wikimedia.org] On Behalf Of Ekompute .info Sent: Sunday, 24 May 2009 4:19 AM To: MediaWiki announcements and site admin list Subject: Re: [Mediawiki-l] Enabling the Common.js feature
Hi, do pages need to be enabled? I think the question of enabling does not arise.
PM Poon
On Sat, May 23, 2009 at 7:19 PM, Greg Webb gregw@zip.com.au wrote:
23/05/2009 21:06:58 Hi:
That's good to know. Do many MW admin/sysops allow the use of Common.js through the settings switch $wgUseSiteJs? Some people seem to think that it is 'dangerous'. I don't know the capabilities of JavaScript but my IT experience would say that JavaScript cannot write to areas that it is not permitted to write to. Hence I would conclude that any changes I made using JavaScript on my sub-wiki would only be able to address my sub-wiki, not the top level one and not any other sub-wiki. That doesn't sound dangerous to the users of other wikis. Is this argument flawed?
Why do I want access to Common.js? Very simple application, I want to set my own Favicon and not use the one set at the top level. :-)
Greg
-----Original Message----- From: mediawiki-l-bounces@lists.wikimedia.org [mailto:mediawiki-l-bounces@lists.wikimedia.org] On Behalf Of K. Peachey Sent: Saturday, 23 May 2009 7:37 PM To: MediaWiki announcements and site admin list Subject: Re: [Mediawiki-l] Enabling the Common.js feature
All pages within the Mediawiki: namespace are automatically full protected [hard so they can't be unprotected], so only users with sysop/admin rights on the wiki would be able to edit it.
MediaWiki-l mailing list MediaWiki-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
MediaWiki-l mailing list MediaWiki-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
MediaWiki-l mailing list MediaWiki-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
MediaWiki-l mailing list MediaWiki-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
mediawiki-l@lists.wikimedia.org