On Thu, Jul 23, 2009 at 2:32 PM, Cody Jung<funkycat32(a)gmail.com> wrote:
> Wouldn't adding a salt fix this? They would have to have both the
> username, the database, and the salt value to decrypt the wiki list.

In other words, they would have to have access to your server, nothing
more. No, it wouldn't fix it.

After some discussion in #wikimedia-toolserver, Duesentrieb pointed
out that a) this issue would be solved if MediaWiki just allowed RSS
feeds for watchlists, and b) it would probably take less work for me
to add that feature to MediaWiki than to develop an authentication
framework that would allow users to securely permit toolserver apps
access to their watchlists. MrZ-man helpfully pointed out that the
API already supports watchlist feeds, so I was able to hack on support
for token-based authentication pretty easily:

http://www.mediawiki.org/wiki/Special:Code/MediaWiki/53703

Major limitations right now are 1) the default is an empty string,
which means "don't use", so it's opt-in; 2) the URL for the feed isn't
actually output anywhere. Watchlist aggregators should now be easy to
set up, plus people can just use their favorite feed reader.

On Thu, Jul 23, 2009 at 6:47 PM, Brion Vibber<brion(a)wikimedia.org> wrote:
> At the moment, yes. However additional information is likely to end up
> existing in the future; some more social features ("friend" graph,
> mentor/mentee relationships, private messaging) would have obvious
> benefits to making new-user workflow smoother.

I hope MediaWiki doesn't start tacking on random social networking
features, though!
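
The opt-in token check mentioned earlier in this message (the default is an empty string, which means "don't use"), sketched as an added example; it is not part of the original e-mail and is not MediaWiki's code. The preference store, the `feed_token` key and all function names are hypothetical.

```python
import hmac
import secrets
from typing import Optional

# Constructed per-user preference store. "" is the default: feed disabled.
USER_PREFS = {
    "Alice": {"feed_token": ""},   # never opted in
    "Bob": {"feed_token": ""},
}


def opt_in(owner: str) -> str:
    """Give `owner` a fresh unguessable token (40 hex chars) and return it."""
    token = secrets.token_hex(20)
    USER_PREFS.setdefault(owner, {})["feed_token"] = token
    return token


def opt_out(owner: str) -> None:
    """Reset to the empty default; any previously issued feed URL stops working."""
    USER_PREFS.setdefault(owner, {})["feed_token"] = ""


def may_read_watchlist_feed(owner: str, supplied: Optional[str]) -> bool:
    """True only if `supplied` equals the owner's non-empty stored token."""
    prefs = USER_PREFS.get(owner)
    if prefs is None:
        return False
    stored = prefs.get("feed_token", "")
    # Empty stored token means "don't use". Reject before comparing, or a
    # request carrying token="" would match every user still on the default.
    if not stored or not supplied:
        return False
    # Constant-time comparison: response timing must not reveal how many
    # leading characters of a guessed token were correct.
    return hmac.compare_digest(stored.encode(), supplied.encode())


if __name__ == "__main__":
    tok = opt_in("Bob")
    print(may_read_watchlist_feed("Alice", ""))   # default user, empty token
    print(may_read_watchlist_feed("Bob", tok))    # opted-in user, right token
```
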