
JSON pages need to be locked for editing by users without rights
Closed, Duplicate (Public)

Description

I think JSON user pages (User:Username/pagename.json) need to move into the JS pages' group. These pages look like on-duty pages for the user, and I think only the user ('editmyuserjs' right) and users with the 'edituserjs' right should be able to edit them. For security reasons.

Event Timeline

New feature request, I think this can't be done by changing a config variable.

What JSON pages in particular pose security issues?

Krenair set Security to Software security bug. Jan 21 2017, 5:34 PM
Krenair added a project: acl*security.
Krenair changed the visibility from "Public (No Login Required)" to "Custom Policy".

What JSON pages in particular pose security issues?

These pages may contain user settings which are used by scripts.

Scripts should not be putting any security-sensitive settings on openly-editable pages. That's a problem with the scripts, not MediaWiki's handling of json pages.

What JSON pages in particular pose security issues?

These pages may contain user settings which are used by scripts.

Can you provide some examples please?

Scripts should not be putting any security-sensitive settings on openly-editable pages. That's a problem with the scripts, not MediaWiki's handling of json pages.

I know, but why are JSON pages openly editable? What is the difference between JSON page content and JS page content in the user namespace?

Can you provide some examples please?

For example, this gadget has this localization page. If I want to save this gadget in the 'User' namespace and localize it in another way, then one day somebody can come in and break the translation. Put in virus links, pictures, something else.
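The scenario in this last comment (another user editing a gadget's localization page to insert links or images) is, on the consuming side, an input-validation problem: while the page is openly editable, a gadget has to treat its contents as untrusted. The following is an added example, not code from this task, from the gadget mentioned or from MediaWiki; the message keys, defaults and page content are assumed. It shows a gadget reading a user-namespace .json page, accepting only known keys with plain, bounded string values, falling back to built-in defaults for anything else, and rendering the strings as text so that inserted markup or links stay inert.

```javascript
// Added example; not code from the task or from MediaWiki. A gadget that
// loads a localization page from the User namespace treats it as untrusted:
// unknown keys are dropped, values must be short plain strings, and output
// is rendered as text, so an edit by another user cannot inject markup or
// links into the gadget's UI.

// Assumed defaults shipped with the gadget; the message keys are hypothetical.
const DEFAULT_MESSAGES = {
  title: 'Gadget',
  save: 'Save',
  cancel: 'Cancel',
};
const MAX_LEN = 200;

// Accept only keys the gadget defines, only string values without control
// characters, and only bounded length. Anything else keeps the default and
// is reported in `rejected` so the gadget can log it.
function sanitizeLocalization(rawJson, defaults = DEFAULT_MESSAGES) {
  const result = { ...defaults };
  const rejected = [];
  let parsed;
  try {
    parsed = JSON.parse(rawJson);
  } catch (e) {
    return { messages: result, rejected: ['<invalid JSON>'] };
  }
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    return { messages: result, rejected: ['<not an object>'] };
  }
  for (const [key, value] of Object.entries(parsed)) {
    const okKey = Object.prototype.hasOwnProperty.call(defaults, key);
    const okValue =
      typeof value === 'string' &&
      value.length <= MAX_LEN &&
      !/[\u0000-\u001f\u007f]/.test(value);
    if (okKey && okValue) {
      result[key] = value;
    } else {
      rejected.push(key);
    }
  }
  return { messages: result, rejected };
}

// Render a message as text. In the browser the gadget would assign
// element.textContent = msg; this escape is the equivalent for a string
// template, so a value containing a link or image tag stays inert.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

function renderButton(messages, key) {
  return `<button>${escapeHtml(messages[key])}</button>`;
}

// Constructed sample of what the localization page might contain after an
// unwanted edit: 'save' now carries a link, 'cancel' is not a string, and
// 'theme' is a key the gadget never defined.
const TAMPERED_PAGE = JSON.stringify({
  title: 'My gadget',
  save: '<a href="http://example.invalid/">Save</a>',
  cancel: 42,
  theme: 'http://example.invalid/other.js',
});

if (typeof require !== 'undefined' && require.main === module) {
  const { messages, rejected } = sanitizeLocalization(TAMPERED_PAGE);
  console.log(messages, rejected);
  console.log(renderButton(messages, 'save'));
}
```

The point of the two halves is that they fail closed independently: validation keeps the gadget's configuration shape fixed regardless of what is on the page, and text rendering means even an accepted string cannot become a link or an image. Neither replaces page protection, but a gadget written this way does not become the vector the reporter describes while the page remains editable.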

Legoktm changed the visibility from "Custom Policy" to "Public (No Login Required)".