Il 11/08/2015 20:10, Risker ha scritto:
On 11 August 2015 at 13:07, Mr. Stradivarius misterstrad@gmail.com wrote:
On Wed, Aug 12, 2015 at 1:44 AM, Pine W wiki.pine@gmail.com wrote:
Would keeping sensitive pages in wikitext format under "full protection" (meaning that only local administrators can edit) be sufficient?
This is asking for trouble. Even if all our admins acted sensibly all the time - and if you've been around here long enough, you know that's not true
- there is still the very real possibility of admin accounts being
compromised. I have personally fixed XSS flaws in widely used user scripts, and a determined attacker would be highly likely to find others. This is best kept out of the control of admins so that if an admin account is compromised it will not affect other accounts. _______________________________________________
Just so we're clear here - "locking down" these kinds of pages is pretty much what the Superprotect extension does. It is (to put it mildly) not well-loved by the Wikimedia community; however, it may be possible to persuade them that there are certain key pages that must not even be altered by local admins (copyright being the primary example, but probably some others as well).
This would require very diplomatic discussion. And given that this is the 'anniversary' of the introduction of Superprotect, it might be better to wait for a while to really have that conversation.
Risker/Anne _______________________________________________ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
OAuth applications' details must remain editable by the app's author. Superprotect does not account for them.