On Tue, Jun 4, 2013 at 4:56 PM, Tyler Romeo <tylerromeo(a)gmail.com> wrote:
On Tue, Jun 4, 2013 at 7:46 PM, Rob Lanphier
<robla(a)wikimedia.org> wrote:
This page is more relevant to our immediate
plans:
https://www.mediawiki.org/wiki/Auth_systems/OAuth
I would be really happy to see someone do some cleanup of this page,
archive the bits written in 2011, and make the Auth_systems/OAuth page
more prevalent, possibly merging with OAuth (though please don't mix
in the obsolete stuff)..
This page is, arguably, even worse. My favorite quotes from this page:
The list of granted permissions will be supplied by the AuthPlugin
AuthPlugin never used to handle this kind of stuff. The only extensions
that use AuthPlugin are those that provide *supplemental* authentication
services. Notice that E:LDAPAuthentication uses AuthPlugin, but
E:TwoFactorAuthentication does not. AuthPlugin has never handled additional
authorization logic, and I don't see any reason why it should.
Granted permissions are identified by string
tokens. These are entirely
independent of the existing user rights system: to successfully execute a
module, both the existing user rights checks and the granted permissions
check have to pass.
Why?! What exactly is so bad about just using our own permissions, which
already exists, as the permissions for OAuth tokens. It allows the highest
level of granularity for permissions and allows us to easily display to the
user exactly what the application will be allowed to do.
The biggest issue we hit with the permissions was trying to balance
fine granularity and not overwhelming the user with the list of what
was being requested and have them blindly agree to it.
We initially were going to use your patch and limit based on module,
but there were a few places where that seemed too course. But then if
we just used user rights, then to edit a page the user needed to grant
8 (iirc) permissions.
I would certainly welcome discussion on the tradeoffs.