On Tue, 04 Jun 2013 18:50:38 -0700, Brad Jorsch bjorsch@wikimedia.org wrote:
On Tue, Jun 4, 2013 at 7:56 PM, Tyler Romeo tylerromeo@gmail.com wrote: If you go by module, then you have problems where you need to grant specific rights for using modules like list=categorymembers and prop=revisions, but you can't grant the ability to edit normal pages without also granting the ability to edit your user CSS/JS, and (if you're an admin) the MediaWiki namespace and so on.
"but you can't grant the ability to edit normal pages without also granting the ability to edit your user CSS/JS" We only need to introduce one (well two if you separate js and css) more right to restrict that. Then that point becomes a non-issue.
"and (if you're an admin) the MediaWiki namespace and so on." Flat out false. Editing the MediaWiki namespace is part of the interface right. If standard MediaWiki permissions are used and you don't grant the client editinterface rights then the client can't edit the MediaWiki interface. Same for protected pages, that requires the protect right (though with or without OAuth we probably want to separate the actual protect/unprotect right from the right to edit things that are protected).
The situation with user rights isn't any better. Editing a page requires 'edit' and 'writeapi' (and also 'read' unless you're blindly overwriting pages), and likely 'minoredit' and 'skipcaptcha' would also be wanted, and maybe also 'createpage', 'createtalk', 'autoreview', 'autopatrol', 'autoconfirmed', and 'bot'. And at the same time, you can't avoid granting the permission to write to your user CSS/JS.
There's nothing wrong with having a large list of fine-grained rights to grant as long as you format them properly for the user. Rights like autopatrol and skipcaptcha are special rights just meant to deal with new accounts used to spam, not for OAuth type control. They would probably fit in a special list of registered rights that we don't need to not give to OAuth clients. Likewise minoredit is merely for admins to stop say anons from making piles of minor edits. There's no point in restricting its use in OAuth.
As for writeapi: besides that being one we could just automatically give to anything that requires edit rights, I have doubts that there is even any point in that right continuing to exist.
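
The rights-based scoping argued for in this message, as an added sketch that is not part of the original e-mail and is not MediaWiki or OAuth extension code. It assumes a consumer's effective rights are the intersection of the user's rights and the granted rights; `editmyusercss` and `editmyuserjs` are hypothetical names for the proposed new right(s), and all function names are illustrative.

```python
# Added illustration: a simplified model, not MediaWiki code.
# "editmyusercss"/"editmyuserjs" are hypothetical names for the proposed
# new right(s); the other right names are the ones mentioned in the thread.
IMPLIED_BY_EDIT = {"writeapi"}  # assumption: given automatically with 'edit'
NOT_CONSUMER_SCOPED = {"autopatrol", "skipcaptcha", "minoredit"}


def required_rights(title, protected=False):
    """Rights an edit to `title` needs in this model."""
    needed = {"edit", "writeapi"}
    namespace, _, rest = title.partition(":")
    if namespace == "MediaWiki":
        needed.add("editinterface")
    elif namespace == "User" and "/" in rest:
        if rest.endswith(".css"):
            needed.add("editmyusercss")  # hypothetical right
        elif rest.endswith(".js"):
            needed.add("editmyuserjs")   # hypothetical right
    if protected:
        needed.add("protect")
    return needed


def effective_rights(user_rights, consumer_grants):
    """Rights a consumer can exercise: never more than the user holds."""
    grants = set(consumer_grants)
    if "edit" in grants:
        grants |= IMPLIED_BY_EDIT
    scoped = set(user_rights) & grants
    # Anti-spam style rights follow the account, not the grant.
    passthrough = set(user_rights) & NOT_CONSUMER_SCOPED
    return scoped | passthrough


def consumer_may_edit(user_rights, consumer_grants, title, protected=False):
    """Return (allowed, sorted list of missing rights)."""
    have = effective_rights(user_rights, consumer_grants)
    missing = required_rights(title, protected) - have
    return (not missing, sorted(missing))


# Constructed sample: an admin account authorising a consumer.
ADMIN = {"read", "edit", "writeapi", "minoredit", "skipcaptcha", "autopatrol",
         "editinterface", "protect", "editmyusercss", "editmyuserjs"}

if __name__ == "__main__":
    for title in ("Sandbox", "MediaWiki:Sidebar", "User:Example/common.js"):
        print(title, consumer_may_edit(ADMIN, {"edit"}, title))
```
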