On Wed, Jul 22, 2009 at 7:07 PM, Sage Ross<ragesoss+wikipedia(a)gmail.com> wrote:
> I'm not sure what to do about this; it seems like a good idea but a
> major security risk:
> http://www.watchlistr.com/ is a site that creates aggregate watchlists
> across multiple projects. See
> http://en.wikipedia.org/w/index.php?title=Wikipedia:Bounty_board#Transwiki_…

I think the thing to do about it is block it at the firewall and tell
the user to immediately delete all the data they gathered and never do
anything like it again. We aren't even just talking about malice
here; if someone else compromises the server they could get access to
a whole bunch of admin accounts if it becomes popular.
The proper way to handle this would either be some form or other of
software support, or use a toolserver tool with direct database
access.
On Wed, Jul 22, 2009 at 7:59 PM, David Gerard<dgerard(a)gmail.com> wrote:
> Would something on the toolserver be safe enough in these terms?

Toolserver projects are forbidden from asking users for login info.
However, the watchlist tables are replicated to the toolserver, just
not made available to unprivileged users. If a user wanted to make a
script like this, it would be simple to give special access to the
tables to allow it (possibly restricted in such a fashion that the
script author didn't get access, only his vetted code). The tool
could deal with authentication by, e.g., giving the user an
autogenerated URL and a confirmation code to add to a magic user
subpage (it could check what user created the page).
On Wed, Jul 22, 2009 at 10:40 PM, Happy-melon<happy-melon(a)live.com> wrote:
> I have a Greasemonkey script that does this, IMO, very nicely. I'm not 100%
> sure how GM script distribution works, but can't a server put files in a
> particular directory to have them be automatically suggested for
> installation by Greasemonkey?

Greasemonkey is far from ideal. It only works on the computer you
install it on, and only works for Firefox users.
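
The confirmation-code scheme described above (autogenerated URL plus a code placed on a user subpage, with a check of who created the page), sketched as an added example that is not part of the original message or any toolserver tool. The subpage name, the page dictionary shape and all function names are assumptions; the tool never sees a wiki password.

```python
import hashlib
import hmac
import secrets

# Tool-side secret. Assumption: a real tool loads this from protected config.
SERVER_KEY = secrets.token_bytes(32)


def confirm_title(username):
    # Hypothetical name for the "magic user subpage".
    return f"User:{username}/watchlist-confirm"


def _code(username, url_token):
    # The public code is bound to both the account name and the private URL
    # token, so reading the code off the wiki page does not reveal the URL.
    msg = username.encode() + b"\x00" + url_token.encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()[:24]


def issue(username):
    """Return (url_token, code): the token stays in the user's private URL,
    the code is what the user saves on the subpage."""
    url_token = secrets.token_urlsafe(24)
    return url_token, _code(username, url_token)


def verify(username, url_token, page):
    """page: dict with 'title', 'creator' (author of the first revision) and
    'text', as looked up by the tool (constructed shape), or None if absent."""
    if page is None or page["title"] != confirm_title(username):
        return False
    # A page in someone's user space is not necessarily created by that user,
    # so the creator of the page is what proves control of the account.
    if page["creator"] != username:
        return False
    expected = _code(username, url_token).encode()
    return any(hmac.compare_digest(word.encode(), expected)
               for word in page["text"].split())


if __name__ == "__main__":
    token, code = issue("ExampleUser")  # constructed sample account
    page = {"title": confirm_title("ExampleUser"),
            "creator": "ExampleUser", "text": "watchlist tool: " + code}
    print(verify("ExampleUser", token, page))                        # True
    print(verify("ExampleUser", token, dict(page, creator="Other")))  # False
```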