<div dir="ltr">In this specific case, Wikimetrics is really just using OAuth for authentication. I've been told that's not ideal but the result of that conversation is usually that it's better than using Google OAuth and that there's no better way currently. Though I appreciate that it's confusing.</div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Mar 16, 2016 at 10:46 AM, Brad Jorsch (Anomie) <span dir="ltr"><<a href="mailto:bjorsch@wikimedia.org" target="_blank">bjorsch@wikimedia.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><span class="">On Tue, Mar 15, 2016 at 9:08 PM, Platonides <span dir="ltr"><<a href="mailto:platonides@gmail.com" target="_blank">platonides@gmail.com</a>></span> wrote:<br></span><div class="gmail_extra"><div class="gmail_quote"><span class=""><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span></span>
A problem I find with OAuth is that often you don't know at all what it is going to do.<br>
<br>
So, taking wikimetrics as an example, it says:<br>
«In order to complete your request, Wikimetrics Website needs permission to access information on <a href="http://meta.wikimedia.org" rel="noreferrer" target="_blank">meta.wikimedia.org</a> on your behalf. No changes will be made with your account.»<br>
<br>
Which information does it access? Your account name? Your watchlist? The checkuser log (supposing you were a CU)?<br></blockquote><div><br></div></span><div>That particular message is used when it will only be able to get some information about your user account: your username, edit count, whether you confirmed your email address, whether you're blocked, when your account was created, what groups your account is a member of, what user rights are available to your account, what grants are available to the OAuth application, and (sometimes[1]) your "real name"[2] and email address. Since the OAuth application isn't being allowed to use the 'read' right, it won't be able to access much of anything else.<br><br></div><div>If you'd like to suggest improvements to the message, the messages are mwoauth-form-description-allwikis-nogrants and mwoauth-form-description-onewiki-nogrants. You could reply here with suggestions, although it might be easier to track in Phabricator, or you could submit a patch yourself with better wording.<br></div><div><br><br></div><div>[1]: It depends if the OAuth consumer was registered as "Authentication only, no API access" or "Authentication only with access to real name and email address via Special:OAuth/identify, no API access". </div><div>[2]: MediaWiki can have a "Real name" field in Special:Preferences, but this is hidden on WMF wikis.<span class="HOEnZb"><font color="#888888"><br></font></span></div></div><span class="HOEnZb"><font color="#888888"><br>-- <br><div><div dir="ltr"><div>Brad Jorsch (Anomie)<br>Senior Software Engineer<br>Wikimedia Foundation</div></div></div>
</font></span></div></div>
<br>_______________________________________________<br>
Labs-l mailing list<br>
<a href="mailto:Labs-l@lists.wikimedia.org">Labs-l@lists.wikimedia.org</a><br>
<a href="https://lists.wikimedia.org/mailman/listinfo/labs-l" rel="noreferrer" target="_blank">https://lists.wikimedia.org/mailman/listinfo/labs-l</a><br>
<br></blockquote></div><br></div>