[Labs-l] Labs privacy policy questions

[Brad Jorsch (Anomie)]

On Tue, Mar 15, 2016 at 9:08 PM, Platonides <platonides at gmail.com> wrote:

> A problem I find with OAuth is that often you don't know at all what it is
> going to do.
>
> So, taking wikimetrics as an example, it says:
> «In order to complete your request, Wikimetrics Website needs permission
> to access information on meta.wikimedia.org on your behalf. No changes
> will be made with your account.»
>
> Which information does it access? Your account name? Your watchlist? The
> checkuser log (supposing you were a CU)?
>

That particular message is used when it will only be able to get some
information about your user account: your username, edit count, whether you
confirmed your email address, whether you're blocked, when your account was
created, what groups your account is a member of, what user rights are
available to your account, what grants are available to the OAuth
application, and (sometimes[1]) your "real name"[2] and email address.
Since the OAuth application isn't being allowed to use the 'read' right, it
won't be able to access much of anything else.

If you'd like to suggest improvements to the message, the messages are
mwoauth-form-description-allwikis-nogrants and
mwoauth-form-description-onewiki-nogrants. You could reply here with
suggestions, although it might be easier to track in Phabricator, or you
could submit a patch yourself with better wording.


[1]: It depends if the OAuth consumer was registered as "Authentication
only, no API access" or "Authentication only with access to real name and
email address via Special:OAuth/identify, no API access".
[2]: MediaWiki can have a "Real name" field in Special:Preferences, but
this is hidden on WMF wikis.

-- 
Brad Jorsch (Anomie)
Senior Software Engineer
Wikimedia Foundation
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.wikimedia.org/pipermail/labs-l/attachments/20160316/b76fcabe/attachment.html>