In T11946#239568, @labster wrote:Finally, I want to get a link to the documentation of the entire process of installing an extension -- repos to edit, deploy steps, testing.
- Queries
- All Stories
- Search
- Advanced Search
- Transactions
- Transaction Logs
Feed Advanced Search
Advanced Search
Advanced Search
Yesterday
Yesterday
Sun, Mar 31
Sun, Mar 31
MacFan4000 updated subscribers of T12013: When domain is set by RequestSSL, wiki cache isn't purged.
MacFan4000 added a project to T12013: When domain is set by RequestSSL, wiki cache isn't purged: ManageWiki.
Tue, Mar 26
Tue, Mar 26
Sat, Mar 23
Sat, Mar 23
Mar 16 2024
Mar 16 2024
Mar 15 2024
Mar 15 2024
Fixed Snapblocks with https://github.com/miraheze/mw-config/commit/7d1c571166aab78174812c50cdb21ae73a3b48e4
From my testing, Extension:UnlinkedWikibase is now working.
Mar 14 2024
Mar 14 2024
It should have been installed in https://github.com/miraheze/mw-config/pull/5481 . Let me see what went wrong.
Mar 13 2024
Mar 13 2024
Same with Snap! Blocks on snapwikiwiki.
Mar 6 2024
Mar 6 2024
Is it possible to have it changed in LocalWiki if I make a PR? I want to make an extended confirmed protection group like on Wikipedia
Due to custom rights being used almost always in this is why it can't be because we can't add custom rights to ManageWiki right now.
This won't be possible in ManageWiki at this time, not to say it won't be eventually.
Feb 28 2024
Feb 28 2024
PixDeVl moved T11913: Add warning to ManageWiki/permissions when dealing with managewiki- permissions from Backlog to Features on the ManageWiki board.
PixDeVl removed projects from T11913: Add warning to ManageWiki/permissions when dealing with managewiki- permissions: Extensions, MediaWiki (SRE).
Whoops Extension tags prob not right
PixDeVl triaged T11913: Add warning to ManageWiki/permissions when dealing with managewiki- permissions as Low priority.
Feb 27 2024
Feb 27 2024
Great then, this is resolved then
Confirmation that the wikis undelete worked
Feb 26 2024
Feb 26 2024
Can you please try undeleting a wiki now?
Feb 25 2024
Feb 25 2024
Original_Authority moved T10527: Create comprehensive flagging and investigation system for wikis from Backlog to Features on the CreateWiki board.
Original_Authority moved T11883: Split CreateWiki's inactivity-related functionality to a new extension from Backlog to Features on the CreateWiki board.
Original_Authority added a project to T11888: Wiki undeletions through ManageWiki are unsuccessful : ManageWiki.
Feb 23 2024
Feb 23 2024
Original_Authority added a comment to T11595: It seems the user permissions system has broken suddenly in my wiki site.
array_search(): Argument #2 ($haystack) must be of type array, null given from /srv/mediawiki/1.41/extensions/ManageWiki/includes/FormFactory/ManageWikiFormFactoryBuilder.php(1146) #0 /srv/mediawiki/1.41/extensions/ManageWiki/includes/FormFactory/ManageWikiFormFactoryBuilder.php(1146): array_search(string, NULL) #1 /srv/mediawiki/1.41/extensions/ManageWiki/includes/FormFactory/ManageWikiFormFactoryBuilder.php(821): Miraheze\ManageWiki\FormFactory\ManageWikiFormFactoryBuilder::submissionPermissions(array, string, string, MediaWiki\Config\GlobalVarConfig) #2 /srv/mediawiki/1.41/extensions/ManageWiki/includes/FormFactory/ManageWikiFormFactory.php(96): Miraheze\ManageWiki\FormFactory\ManageWikiFormFactoryBuilder::submissionHandler(array, Miraheze\ManageWiki\Helpers\ManageWikiOOUIForm, string, string, RequestContext, Miraheze\CreateWiki\RemoteWiki, Wikimedia\Rdbms\DBConnRef, MediaWiki\Config\GlobalVarConfig, string, string) #3 /srv/mediawiki/1.41/extensions/ManageWiki/includes/FormFactory/ManageWikiFormFactory.php(67): Miraheze\ManageWiki\FormFactory\ManageWikiFormFactory->submitForm(array, Miraheze\ManageWiki\Helpers\ManageWikiOOUIForm, string, boolean, string, Miraheze\CreateWiki\RemoteWiki, Wikimedia\Rdbms\DBConnRef, MediaWiki\Config\GlobalVarConfig, string, string) #4 /srv/mediawiki/1.41/includes/htmlform/HTMLForm.php(751): Miraheze\ManageWiki\FormFactory\ManageWikiFormFactory->Miraheze\ManageWiki\FormFactory\{closure}(array, Miraheze\ManageWiki\Helpers\ManageWikiOOUIForm) #5 /srv/mediawiki/1.41/includes/htmlform/HTMLForm.php(631): HTMLForm->trySubmit() #6 /srv/mediawiki/1.41/includes/htmlform/HTMLForm.php(647): HTMLForm->tryAuthorizedSubmit() #7 /srv/mediawiki/1.41/extensions/ManageWiki/includes/Specials/SpecialManageWiki.php(184): HTMLForm->show() #8 /srv/mediawiki/1.41/extensions/ManageWiki/includes/Specials/SpecialManageWiki.php(63): Miraheze\ManageWiki\Specials\SpecialManageWiki->showWikiForm(string, string, string, string) #9 /srv/mediawiki/1.41/includes/specialpage/SpecialPage.php(727): Miraheze\ManageWiki\Specials\SpecialManageWiki->execute(array) #10 /srv/mediawiki/1.41/includes/specialpage/SpecialPageFactory.php(1621): MediaWiki\SpecialPage\SpecialPage->run(string) #11 /srv/mediawiki/1.41/includes/MediaWiki.php(357): MediaWiki\SpecialPage\SpecialPageFactory->executePath(string, RequestContext) #12 /srv/mediawiki/1.41/includes/MediaWiki.php(960): MediaWiki->performRequest() #13 /srv/mediawiki/1.41/includes/MediaWiki.php(613): MediaWiki->main() #14 /srv/mediawiki/config/initialise/entrypoints/index.php(100): MediaWiki->run() #15 /srv/mediawiki/config/initialise/entrypoints/index.php(95): wfIndexMain() #16 {main}
EmiliaBear reopened T11595: It seems the user permissions system has broken suddenly in my wiki site as "Open".
The problem still exists (or happened again?). Still when I try to assgin permissions to the sysop group, it returns "Fatal exception of type "TypeError" ".
Feb 21 2024
Feb 21 2024
OrangeStar updated the task description for T11883: Split CreateWiki's inactivity-related functionality to a new extension.
OrangeStar moved T11883: Split CreateWiki's inactivity-related functionality to a new extension from Radar to Investigate on the OrangeStar board.
OrangeStar triaged T11883: Split CreateWiki's inactivity-related functionality to a new extension as Low priority.
Feb 16 2024
Feb 16 2024
won't be working on this for the foreseeable future.
Feb 10 2024
Feb 10 2024
Universal_Omega moved T11812: Numerous confirmed XSS in ManageWiki from Backlog to Bugs on the ManageWiki board.
Universal_Omega moved T11812: Numerous confirmed XSS in ManageWiki from Backlog to Short Term on the MediaWiki (SRE) board.
Feb 9 2024
Feb 9 2024
Security advisory is now published. This task should be good for opening to the public now. For those reading this, we actually found some more XSS vectors when deploying the fixes to prod, so we actually have multiple patches in the GHSA for this one.
Should be fixed.
Universal_Omega changed the status of T11831: Broken search in Special:ManageWiki/extensions from Open to In progress.
Universal_Omega moved T11831: Broken search in Special:ManageWiki/extensions from Backlog to Short Term on the MediaWiki (SRE) board.
Universal_Omega moved T11831: Broken search in Special:ManageWiki/extensions from Backlog to Bugs on the ManageWiki board.
I just realized it will be better to just leave deploying the fixes to someone with access to mwtask181. Removing myself as assignee as my part is done, I think.
I've set confidentiality to high, since you could read private ManageWiki settings (for example, the Discord webhook for wikis using that extension) with XSS on those pages.
I'm going to create a new draft GHSA, GitHub got bugged and thinks there are no changes waiting to be merged from the private fork sigh.
Feb 8 2024
Feb 8 2024
security advisory draft (https://github.com/miraheze/ManageWiki/security/advisories/GHSA-42fh-6pcr-3j58) is ready, all the changes have been made to the private fork if I'm not missing anything. Waiting for an SRE to review everything and give me the okay (or merge the changes themselves) so that they can double check my work and we can deploy the fixes to production as soon as possible.
Please do a security merge not a normal PR, should be fairly easy to do security with GitHub
I think I'm good to go to squash all of these and make a PR.
0004-Fix-the-permissions-XSS.patch969 BDownload
Adding all the messages that has an issue to wgRawHtmlMessages is a mitigation to this but it might be to complex with to many at this time.
@Universal_Omega You mean making the help messages in MWS.php, like https://github.com/miraheze/mw-config/blob/master/ManageWikiSettings.php#L109, interface messages? Because if so that looks like a complex rewrite. Also, all of those messages as well as managewiki-requires, managewiki-conflicts, and all the various right-* messages from core that are also XSS vectors in the permissions subpage must be added to wgRawHtmlMessages. We can do that, if you want, but after this.
Feb 7 2024
Feb 7 2024
I think what we should do is allow raw messages in MWS to be defined in config, and if it is, add them to $wgRawHtmlMessages, which prevents true security vulnerabilities by not only require editinterface, but also the same rights to editsitecss/js which would mean absolutely no difference from Common.js, etc...
Yeah there's no way my last patch is right.
0002-Attempt-at-fixing-the-permissions-XSS.patch1 KBDownload
Confirmed in Special:ManageWikiDefaultPermissions also
New patch superseding the other patch. Only thing missing is I think the XSS on the permissions subpage, which seems a bit more complex.
Also, just to clarify my previous message.
I think I know what is causing this, so I'll try to get this fixed tomorrow at the latest.
Assuming that patch fixes that for the extensions subpage, I can more or less make a theory (the form descriptor is passed around through so many functions that it is hard to keep track).
Looking at meta.miraheze.org, that is indeed supposed to be the "label" (it is not actually a label HTML element)
https://github.com/miraheze/ManageWiki/blob/75510297a32ed8881c98212f29001d226f0a833e/includes/FormFactory/ManageWikiFormFactoryBuilder.php#L269 where required and conflicting extensions are added to the form.
/extensions and /settings confirmed busted. /core doesn't give any alerts.
Feb 4 2024
Feb 4 2024
If that would be more performant, then I'll try to do it that way. I didn't have any ideas on how to show to the users the existence of global extensions anyway, and showing them alongside regular extensions would be the best way.
We can use ExtensionRegistry::getAllThings() to get a list of all installed extensions, and compare it against $wgManageWikiExtensions
I agree with this task and was going to propose something like this but for most of them users should not be permitted to disable them and it should be made clear that they're "global extensions" and they shouldn't try to ask for us to disable them (as I feel like there's always going to be some who want to get rid of extensions they think they're not using)
We can use ExtensionRegistry::getAllThings() to get a list of all installed extensions, and compare it against $wgManageWikiExtensions to know which ones are being loaded outside of ManageWiki. As for showing this information to users, I don't yet know how to approach that.
Jan 31 2024
Jan 31 2024
Got it. Thank you.
Universal_Omega closed T11595: It seems the user permissions system has broken suddenly in my wiki site as Resolved.
Nocturnal-Galatea added a comment to T11595: It seems the user permissions system has broken suddenly in my wiki site.
Just tried, the error persists, this is the ID:
[87edcc51ad4131f2c978cf16] 2024-01-31 20:53:16
Universal_Omega added a comment to T11595: It seems the user permissions system has broken suddenly in my wiki site.
Hi, I tried something, can you please see if it works for you now?
I think since investigating would be quite tricky it might be preferable to try a reset of all permissions. Would that be okay?
Jan 27 2024
Jan 27 2024
Jan 22 2024
Jan 22 2024
Original_Authority triaged T11716: ManageWikiDefaultPermissions should be renamed on child wikis as Low priority.
Original_Authority added a comment to T11716: ManageWikiDefaultPermissions should be renamed on child wikis.
In T11716#234939, @Universal_Omega wrote:It would only create technical debt to be renamed on certain wikis, if its renamed at all a name that covers central and child wikis would be good. However we could just add an alias for something else and have it change page title while in a technical aspect it is the same page is possible.
Universal_Omega added a comment to T11716: ManageWikiDefaultPermissions should be renamed on child wikis.
It would only create technical debt to be renamed on certain wikis, if its renamed at all a name that covers central and child wikis would be good. However we could just add an alias for something else and have it change page title while in a technical aspect it is the same page is possible.
Original_Authority updated the task description for T11716: ManageWikiDefaultPermissions should be renamed on child wikis.
Original_Authority updated the task description for T11716: ManageWikiDefaultPermissions should be renamed on child wikis.
Jan 10 2024
Jan 10 2024
Tali64 added a comment to T11634: Give local bureaucrats the ability to mark their wikis as queued for deletion via ManageWiki.
- The main reason for giving bureaucrats the ability to queue their wikis for deletion is to allow them to get rid of their unwanted wikis faster without requiring Steward intervention, speeding up the deletion process and allowing other users to use the subdomain quicker. Asking "why do bureaucrats need the ability to mark their wikis as queued for deletion when they can just mark them as closed?" is basically the same as asking "why do bureaucrats need the ability to mark their wikis as closed when they can just mark them as inactive?"
- Other bureaucrats can untick the "Queued for deletion" box if a rogue bureaucrat ticks the box; this inherently provides community consensus, though your idea would also be helpful in ensuring that. Another way would be to prevent wikis queued for deletion less than two weeks ago from being deleted when the deletion script is run, giving local communities time to dispute controversial deletion queue additions.
- The sitenotice part of my proposal is mostly aimed at preventing confusion regarding wiki requests with the same subdomain as a "deleted" wiki; a special page stating that the wiki is queued for deletion might still cause confusion, as some users upon reading it may think, "No wiki exists here anymore, this subdomain is free to use." A sitenotice + having the wiki's content still be readable is the only way to ensure that confusion is minimized.
I agree that automatic backups are a necessity, though they may not necessarily help here.
Jan 9 2024
Jan 9 2024
Reception123 added a comment to T11595: It seems the user permissions system has broken suddenly in my wiki site.
count(): Argument #1 ($value) must be of type Countable|array, null given from /srv/mediawiki/1.40/extensions/ManageWiki/includes/FormFactory/ManageWikiFormFactoryBuilder.php(782) #0 /srv/mediawiki/1.40/extensions/ManageWiki/includes/FormFactory/ManageWikiFormFactoryBuilder.php(782): count(NULL) #1 /srv/mediawiki/1.40/extensions/ManageWiki/includes/FormFactory/ManageWikiFormFactoryBuilder.php(52): Miraheze\ManageWiki\FormFactory\ManageWikiFormFactoryBuilder::buildDescriptorPermissions(string, boolean, string, GlobalVarConfig) #2 /srv/mediawiki/1.40/extensions/ManageWiki/includes/FormFactory/ManageWikiFormFactory.php(33): Miraheze\ManageWiki\FormFactory\ManageWikiFormFactoryBuilder::buildDescriptor(string, string, boolean, RequestContext, Miraheze\CreateWiki\RemoteWiki, string, string, GlobalVarConfig) #3 /srv/mediawiki/1.40/extensions/ManageWiki/includes/FormFactory/ManageWikiFormFactory.php(52): Miraheze\ManageWiki\FormFactory\ManageWikiFormFactory->getFormDescriptor(string, string, boolean, RequestContext, Miraheze\CreateWiki\RemoteWiki, GlobalVarConfig, string, string) #4 /srv/mediawiki/1.40/extensions/ManageWiki/includes/Specials/SpecialManageWiki.php(170): Miraheze\ManageWiki\FormFactory\ManageWikiFormFactory->getForm(string, Miraheze\CreateWiki\RemoteWiki, RequestContext, GlobalVarConfig, string, string, string) #5 /srv/mediawiki/1.40/extensions/ManageWiki/includes/Specials/SpecialManageWiki.php(63): Miraheze\ManageWiki\Specials\SpecialManageWiki->showWikiForm(string, string, string, string) #6 /srv/mediawiki/1.40/includes/specialpage/SpecialPage.php(701): Miraheze\ManageWiki\Specials\SpecialManageWiki->execute(array) #7 /srv/mediawiki/1.40/includes/specialpage/SpecialPageFactory.php(1475): SpecialPage->run(string) #8 /srv/mediawiki/1.40/includes/MediaWiki.php(327): MediaWiki\SpecialPage\SpecialPageFactory->executePath(string, RequestContext) #9 /srv/mediawiki/1.40/includes/MediaWiki.php(923): MediaWiki->performRequest() #10 /srv/mediawiki/1.40/includes/MediaWiki.php(576): MediaWiki->main() #11 /srv/mediawiki/config/initialise/entrypoints/index.php(86): MediaWiki->run() #12 /srv/mediawiki/config/initialise/entrypoints/index.php(82): wfIndexMain() #13 {main}
Nocturnal-Galatea added a comment to T11595: It seems the user permissions system has broken suddenly in my wiki site.
Same here. ID I just got by trying back: 14e8797367faead87e2bc0e0. Only able to see the source code, but not to edit.
Ora added a comment to T11595: It seems the user permissions system has broken suddenly in my wiki site.
In T11595#233602, @Universal_Omega wrote:Does this still happen?
NOTE: This is a mass message and not specific to any particular task.
Universal_Omega added a comment to T11595: It seems the user permissions system has broken suddenly in my wiki site.
Does this still happen?
Jan 7 2024
Jan 7 2024
Reception123 added a comment to T11634: Give local bureaucrats the ability to mark their wikis as queued for deletion via ManageWiki.
Blocked/waiting on T11520 since that's the best way to be able to implement my idea (if there's no objections to this approach that is)
Reception123 added a comment to T11634: Give local bureaucrats the ability to mark their wikis as queued for deletion via ManageWiki.
After further reflection, this is what I'd propose. It might not be convenient technically but I feel like there's a reason we don't currently allow single bureaucrats to delete/undelete and there have certainly been controversial cases where bureaucrats have been in disagreement about closures so I can imagine it would be very similar for deletions.
Reception123 edited projects for T11634: Give local bureaucrats the ability to mark their wikis as queued for deletion via ManageWiki, added: ManageWiki; removed MediaWiki.
Jan 4 2024
Jan 4 2024
Should be fixed