On Tue, Jun 4, 2013 at 4:56 PM, Tyler Romeo tylerromeo@gmail.com wrote:
On Tue, Jun 4, 2013 at 7:46 PM, Rob Lanphier robla@wikimedia.org wrote:
This page is more relevant to our immediate plans: https://www.mediawiki.org/wiki/Auth_systems/OAuth
I would be really happy to see someone do some cleanup of this page, archive the bits written in 2011, and make the Auth_systems/OAuth page more prevalent, possibly merging with OAuth (though please don't mix in the obsolete stuff)..
This page is, arguably, even worse. My favorite quotes from this page:
The list of granted permissions will be supplied by the AuthPlugin
AuthPlugin never used to handle this kind of stuff. The only extensions that use AuthPlugin are those that provide *supplemental* authentication services. Notice that E:LDAPAuthentication uses AuthPlugin, but E:TwoFactorAuthentication does not. AuthPlugin has never handled additional authorization logic, and I don't see any reason why it should.
Granted permissions are identified by string tokens. These are entirely independent of the existing user rights system: to successfully execute a module, both the existing user rights checks and the granted permissions check have to pass.
Why?! What exactly is so bad about just using our own permissions, which already exists, as the permissions for OAuth tokens. It allows the highest level of granularity for permissions and allows us to easily display to the user exactly what the application will be allowed to do.
The biggest issue we hit with the permissions was trying to balance fine granularity and not overwhelming the user with the list of what was being requested and have them blindly agree to it.
We initially were going to use your patch and limit based on module, but there were a few places where that seemed too course. But then if we just used user rights, then to edit a page the user needed to grant 8 (iirc) permissions.
I would certainly welcome discussion on the tradeoffs.