https://bugzilla.wikimedia.org/show_bug.cgi?id=50344

John Mark Vandenberg jayvdb@gmail.com changed:

What |Removed |Added ---------------------------------------------------------------------------- Priority|Normal |High

--- Comment #3 from John Mark Vandenberg jayvdb@gmail.com --- If I understand correctly, the concern is that changesets are not trustable, so they can not be allowed to do anything crazy.

The jenkins job can be set to run only for known people, or after a known person has +1'd the change.

The test suite runs correctly with config.simulate enabled, which prevents a set of API actions specified in config.actions_to_block, which defaults to ['edit', 'watch', 'move', 'delete', 'undelete', 'protect','emailuser'].

There are several other actions that should be in that default set, including 'upload', and others added if the source is untrusted, such as 'createaccount'.

A more certain method is the bot user (Pywikibot-test) could be blocked - I dont think there are many tests which would fail because of that. We could skip any tests which dont like being a blocked user.

However, running any code means a changeset could alter config.*, which means the patch uploader could disable simulate, or they could add unblocked credentials.

There are almost perfect ways to lock down 'config', and we could prevent running the job if there are changes to pwb.py or api.py from an untrusted patch uploader.