Page MenuHomeMiraheze

Prevent Steward access to staffwiki per board motion
Closed, ResolvedPublic

Event Timeline

Reception123 triaged this task as Normal priority.Jan 22 2021, 08:23

Is anyone taking responsibility for this? I imagine the Board want this done sooner rather than later, and as a priority?

Per https://www.mediawiki.org/wiki/Manual:Hooks/UserGetRights#Usage, the https://www.mediawiki.org/wiki/Manual:Hooks/UserGetRightsRemove hook is the better choice. We are interested in a MirahezeMagic hook that:

  1. checks if the user has read rights, either by global or local rights; and
  2. verifies the user by looking at an immutable key (immutable unless you have shell access), so the centralauth user ID is good enough (whereas a username isn't, since a steward can rename a user); and
  3. revokes the read right if the user did not pass the check from 2).

@RhinosF1 do you feel comfortable implementing this?

@RhinosF1 do you feel comfortable implementing this?

I will look if I get time as I hope towards the end of the week but leaving unassigned in case anyone wants to look sooner or that changes. I'll claim if I do end up doing it. If things change, I'll get someone else to look.

For what it's worth, I think the solution is to move sensitive information off of staffwiki, into a private, non-wiki venue readable by only those the board has authorized, then delete & recreate staffwiki with still private / confidential information but no sensitive information, or suppress revisions of any sensitive information

Per https://www.mediawiki.org/wiki/Manual:Hooks/UserGetRights#Usage, the https://www.mediawiki.org/wiki/Manual:Hooks/UserGetRightsRemove hook is the better choice. We are interested in a MirahezeMagic hook that:

  1. checks if the user has read rights, either by global or local rights; and
  2. verifies the user by looking at an immutable key (immutable unless you have shell access), so the centralauth user ID is good enough (whereas a username isn't, since a steward can rename a user); and
  3. revokes the read right if the user did not pass the check from 2).

A much easier step 2 would be to check for a local user group assigned to the user, if that's not met, remove 'read'.

In T6756#133156, @John wrote:

Per https://www.mediawiki.org/wiki/Manual:Hooks/UserGetRights#Usage, the https://www.mediawiki.org/wiki/Manual:Hooks/UserGetRightsRemove hook is the better choice. We are interested in a MirahezeMagic hook that:

  1. checks if the user has read rights, either by global or local rights; and
  2. verifies the user by looking at an immutable key (immutable unless you have shell access), so the centralauth user ID is good enough (whereas a username isn't, since a steward can rename a user); and
  3. revokes the read right if the user did not pass the check from 2).

A much easier step 2 would be to check for a local user group assigned to the user, if that's not met, remove 'read'.

How would that affect a steward doing a global rename (in either that easier step 2 or SPF's step 2)?

In T6756#133156, @John wrote:

Per https://www.mediawiki.org/wiki/Manual:Hooks/UserGetRights#Usage, the https://www.mediawiki.org/wiki/Manual:Hooks/UserGetRightsRemove hook is the better choice. We are interested in a MirahezeMagic hook that:

  1. checks if the user has read rights, either by global or local rights; and
  2. verifies the user by looking at an immutable key (immutable unless you have shell access), so the centralauth user ID is good enough (whereas a username isn't, since a steward can rename a user); and
  3. revokes the read right if the user did not pass the check from 2).

A much easier step 2 would be to check for a local user group assigned to the user, if that's not met, remove 'read'.

How would that affect a steward doing a global rename (in either that easier step 2 or SPF's step 2)?

Read rights aren't need to do a rename.

In T6756#133168, @John wrote:
In T6756#133156, @John wrote:

Per https://www.mediawiki.org/wiki/Manual:Hooks/UserGetRights#Usage, the https://www.mediawiki.org/wiki/Manual:Hooks/UserGetRightsRemove hook is the better choice. We are interested in a MirahezeMagic hook that:

  1. checks if the user has read rights, either by global or local rights; and
  2. verifies the user by looking at an immutable key (immutable unless you have shell access), so the centralauth user ID is good enough (whereas a username isn't, since a steward can rename a user); and
  3. revokes the read right if the user did not pass the check from 2).

A much easier step 2 would be to check for a local user group assigned to the user, if that's not met, remove 'read'.

How would that affect a steward doing a global rename (in either that easier step 2 or SPF's step 2)?

Read rights aren't need to do a rename.

Okay, my only other concern would be with needing to clear Echo notifications if a steward was pinged, so perhaps whitelisting certain special pages would be possible?

In T6756#133168, @John wrote:
In T6756#133156, @John wrote:

Per https://www.mediawiki.org/wiki/Manual:Hooks/UserGetRights#Usage, the https://www.mediawiki.org/wiki/Manual:Hooks/UserGetRightsRemove hook is the better choice. We are interested in a MirahezeMagic hook that:

  1. checks if the user has read rights, either by global or local rights; and
  2. verifies the user by looking at an immutable key (immutable unless you have shell access), so the centralauth user ID is good enough (whereas a username isn't, since a steward can rename a user); and
  3. revokes the read right if the user did not pass the check from 2).

A much easier step 2 would be to check for a local user group assigned to the user, if that's not met, remove 'read'.

How would that affect a steward doing a global rename (in either that easier step 2 or SPF's step 2)?

Read rights aren't need to do a rename.

Okay, my only other concern would be with needing to clear Echo notifications if a steward was pinged, so perhaps whitelisting certain special pages would be possible?

Stewards shouldn't be pinged.

In T6756#133156, @John wrote:

Per https://www.mediawiki.org/wiki/Manual:Hooks/UserGetRights#Usage, the https://www.mediawiki.org/wiki/Manual:Hooks/UserGetRightsRemove hook is the better choice. We are interested in a MirahezeMagic hook that:

  1. checks if the user has read rights, either by global or local rights; and
  2. verifies the user by looking at an immutable key (immutable unless you have shell access), so the centralauth user ID is good enough (whereas a username isn't, since a steward can rename a user); and
  3. revokes the read right if the user did not pass the check from 2).

A much easier step 2 would be to check for a local user group assigned to the user, if that's not met, remove 'read'.

Users with the userrights-interwiki right can overrule this behavior, though. Unfortunately, rights are not variables that are immutable to people without shell access.

In T6756#133156, @John wrote:

Per https://www.mediawiki.org/wiki/Manual:Hooks/UserGetRights#Usage, the https://www.mediawiki.org/wiki/Manual:Hooks/UserGetRightsRemove hook is the better choice. We are interested in a MirahezeMagic hook that:

  1. checks if the user has read rights, either by global or local rights; and
  2. verifies the user by looking at an immutable key (immutable unless you have shell access), so the centralauth user ID is good enough (whereas a username isn't, since a steward can rename a user); and
  3. revokes the read right if the user did not pass the check from 2).

A much easier step 2 would be to check for a local user group assigned to the user, if that's not met, remove 'read'.

Users with the userrights-interwiki right can overrule this behavior, though. Unfortunately, rights are not variables that are immutable to people without shell access.

I am aware, however that is logged and is a serious abuse of power.

It appears removing read from both https://www.mediawiki.org/wiki/Manual:Hooks/UserGetRights#Usage and https://www.mediawiki.org/wiki/Manual:Hooks/UserGetRights#Usage does not work.

I've done the following to test but wouldn't work (as in block read for me):

        public static function onUserGetRights( $user, &$rights ) {
//var_dump($rights);
//nset($rights['read']);
$config = MediaWikiServices::getInstance()->getConfigFactory()->makeConfig( 'mirahezemagic' );
unset( $config->get( 'GroupPermissions' )['*']['read'] );
                        foreach ( $rights as $i => $right ) {
                                if ( $right == 'read' ) {
                                        unset( $rights[$i] );
                                        //
                                }
                        }
var_dump($rights);
return true;
        }

It says use onGetUserRightsRemove

well I have this:

"UserGetRightsRemove": [
        "MirahezeMagicHooks::onUserGetRights"
]

the function gets executed but I can still view every page even after removing read using the above.

the function gets executed but I can still view every page even after removing read using the above.

Can you log somewhere what's it's doing at each stage and then you'll see where it should be doing what you expect and where it goes wrong.