OK, this sounds like a level of sensitivity greater than what I think is appropriate for a standard wiki page, and possibly greater than for standard admin "full protection". If Special:* is the only or best way to achieve that, so be it.
Pine
On Tue, Aug 11, 2015 at 2:11 PM, Gergo Tisza gtisza@wikimedia.org wrote:
To refocus the discussion on OAuth (no superprotect and copyright issues here please :), the field with legal relevance is the privacy policy of the application (and maybe its terms of service if we add such a thing in the future). Any time you use, say, CropTool, the tool operator has access to checkuser-type information. The tool operator publishes a privacy policy (which is legally binding for them), and the OAuth admins approve or reject the tool based on that policy (for example if it contains that the operator can pass private data to any third party, that tool application is going to get rejected). If the tool operator can change the privacy policy without any oversight, that can be problematic. On the other hand, if they can't change it at all, that's also problematic, and we probably won't have the resources to build some kind of complicated change review system anytime soon.
As for attack vectors, some of the information (such as the application's icon and short description) is presented on the authorization dialog and users will have to decide based on that dialog whether they trust that application to, say, delete pages in their name. An attacker could create an innocent description, get the tool approved, and then change the description to pretend it is some other, widely trusted tool, and trick users into authorizing it. _______________________________________________ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l