tlaqua@svn.wikimedia.org wrote:
- Making unmergable user ID(s) configurable rather than assuming ID 1 (on recommendation from Simetrical)
- Now allows defining unmergable users by ID or user_name
Hmm, I notice a couple issues here still.
First, there's no blanket prohibition on numeric usernames in MediaWiki (though some blacklist extensions forbid it). The weak comparisons here will match both ID numbers *and* names, which may be a little odd.
Second, setting the default at 1 is a bit arbitrary and imho not a great idea.
It probably would be cleaner to set the default limit by group membership or permission key, since there's not necessarily anything unique or special about id 1, and have the explicit user blacklist be by username only for easier management.
-- brion vibber (brion @ wikimedia.org)
On Feb 11, 2008 8:57 PM, Brion Vibber brion@wikimedia.org wrote:
It probably would be cleaner to set the default limit by group membership or permission key, since there's not necessarily anything unique or special about id 1, and have the explicit user blacklist be by username only for easier management.
Since someone with merge rights is not unlikely to have rename rights as well, allowing usernames to be used for the blacklist at all seems fairly insecure, unless a similar option is added to Renameuser.
Simetrical wrote:
On Feb 11, 2008 8:57 PM, Brion Vibber brion@wikimedia.org wrote:
It probably would be cleaner to set the default limit by group membership or permission key, since there's not necessarily anything unique or special about id 1, and have the explicit user blacklist be by username only for easier management.
Since someone with merge rights is not unlikely to have rename rights as well, allowing usernames to be used for the blacklist at all seems fairly insecure, unless a similar option is added to Renameuser.
Well what's the point of blacklisting merges when you can do a bunch of other arbitrary things to prevent the administrator from ever logging in? :)
-- brion
On Feb 12, 2008 12:13 PM, Brion Vibber brion@wikimedia.org wrote:
Well what's the point of blacklisting merges when you can do a bunch of other arbitrary things to prevent the administrator from ever logging in? :)
That's maybe an argument to not bother with a blacklist at all, but it's not much of an argument for using a (in many cases) totally ineffectual blacklist. :) I assume that these user merges are more or less irreversible, which is why the precaution is being taken. Stuff like renames and desysopping are trivially reversible with database access.
wikitech-l@lists.wikimedia.org