
Wikispecies:Requests for Comment

From Wikispecies

Welcome to Requests for Comment. This space is for any conversations that might require the opinions of the community to decide policy or the application of policy. Start a new conversation. For general conversation, see Wikispecies:Village Pump.


New user group for editing sitewide CSS and JavaScripts

Dear fellow Wikispecians, please note that in order to improve the security of our readers and editors, permission handling for editing CSS and JavaScript ("JS") pages has changed throughout Wikimedia. These are pages like MediaWiki:Common.css and MediaWiki:Vector.js which contain code that is executed in the browsers of users of the site.

One of the changes includes the creation of a new user group called Interface administrators (interface-admin). Starting two weeks from now, only members of this group will be able to edit CSS/JS pages that they do not own (that is, any page ending with .css or .js that is either in the MediaWiki: namespace or is another user's user subpage). You can learn more about the motivation behind the change here.

We need to realize that this is a potentially dangerous permission to hand out; a malicious user or a hacker taking over the account of a careless interface-admin can abuse it in far worse ways than "standard" admin permissions could be abused. Therefore this permission should only be assigned to users who really need it, who are trusted by the community, and who follow common basic password and computer security practices – and preferably also use two-factor authentication when logging in to Wikispecies (which by the way is a good idea regardless of user rights).

I'm not at all sure we actually need any interface-admins on Wikispecies, but if we want to they can be added the same way as new administrators are appointed, i.e. by Wikimedia stewards or our own Wikispecies bureaucrats (not by admins). It's important to remember that our local bureaucrats can only assign this user right to a user, but not revoke it. Hence we will require the help of a Wikimedia steward to remove a user from this user group, if need be. Here are some details, and a proposal:

The WMF has decided that the following will take place on August 27, 2018
  • The ability to change .js and .css pages is removed from administrators and bureaucrats
  • Instead, a new group of interface-admin will be created
  • The reason is increased security

We need a plan for how we intend to handle this. Here's my proposal.

  • Neither administrators nor bureaucrats should automatically become interface administrators
  • No bureaucrat should assign himself to the interface-admin user group
  • If an administrator needs to edit JavaScript- or CSS files he should ask a bureaucrat about this on Wikispecies Administrators: Requests for adminship. Since this privilege entails a security risk, a request for interface adminship should not lead to a public poll.
  • When assessing whether a person is to be authorized, the bureaucrat should take the following into account:
    • Has the person shown technical skills involving JavaScript and CSS?
    • Has the person proven responsible?
    • Most often it isn't necessary to edit JavaScripts or CSS files on a frequent basis. Therefore it is likely that the assignment of the privilege should be time-limited, after which it will be automatically revoked by the software
    • If uncertain, the bureaucrat is invited to ask other trusted users for their opinion
  • Interface administrators should consider the following:
    • Use a good, unique password for your account. Using two-factor authentication for logins is highly recommended. (This can be set globally using Special:Preferences. However, be careful to read up on the details first, or you might be unable to log in to Wikimedia at all later on. A simple password reset won't help if you are locked out, and due to security-related technical limitations the Wikimedia staff may not be able to help you if that's the case.)
    • Never copy-paste JavaScript or CSS code that you do not understand
    • Never include anything from an external URL (such as fonts, images) as it violates Wikimedia's policies
    • If you leave Wikispecies, ask a bureaucrat to revoke your interface administrator user rights

Tommy Kronkvist (talk), 04:22, 14 August 2018 (UTC).


  • Oppose high barriers to entry I agree that editing the site CSS and JS can be pretty devastating but I don't see the problem with allowing admins and bureaucrats to have the right as we've never experienced a problem with it. I've tooled around with it in the past couple of years and so has User:Pigsonthewing and unless I'm mistaken, it's never led to anything disastrous. —Justin (koavf)TCM 06:11, 14 August 2018 (UTC)
I get your point and to some degree also agree with you (as I most often do, btw). However I suspect that rather few people understand how badly this user right might be misused. Meta-Wiki lists some of the problems that can occur. Here's an excerpt from the above mentioned "motivation behind the change"-link:
"By editing pages such as Common.js interface-editors can instantly execute code on the machines of our millions of readers and thousands of editors. By sending malicious code to readers/editors, one can basically do anything: phish passwords or credit card numbers, redirect monetary donations, deanonymize editors, make edits in another editors' name, trick people into installing malware, send spam, orchestrate DDoS attacks against third-party sites, etc.
Unlike other dangerous powers (e.g. CheckUser) which cannot be monetized, this is a lucrative target for an attacker. Recently we have seen someone abuse their privileges to run bitcoin miners on visitors' machines; there are far worse things that are attractive to any attacker looking for some easy income. The damage is not limited to a single wiki. Due to Wikimedia wikis all using a single global login system, an exploit on one wiki can be used to take over admin accounts on any other wiki and extend the attack further. Thus, rogue admins and hackers stealing admin accounts present a serious threat, and we should do what we can to reduce it. It's a small miracle no major incident has happened so far, even though admin accounts are stolen regularly; we need to reduce our reliance on miracles.
At the same time, Wikimedia communities' ability to shape the workings of their sites is extremely valuable and should be preserved."
Because of the above I think that at the very least any assignment to the interface-admin user group should be time-limited. One of the reasons for this is that after August 27, edits to JavaScript- and CSS files in the MediaWiki namespace can't be reverted by "ordinary" admins or bureaucrats. They can only be reverted by interface-admins, and we certainly don't want any lengthy "edit wars" between a couple of interface-admins reverting each others edits, recurrently changing site-wide code and layout in the process. –Tommy Kronkvist (talk), 23:44, 14 August 2018 (UTC).
I support a time-limited assignment, given temporarily by a bureaucrat. I think I may be among the few who updated such files in the past, when no one else seemed concerned, but I welcome a higher security in those matters, and agree that different changes should reflect a higher security demand, so no one just changes relevant files on their own wish, like I used to do in the past. Dan Koehl (talk) 09:08, 15 August 2018 (UTC)
  • Oppose I think this proposal is somewhat exaggerated in the case of administrators/bureaucrats (maybe these rules would apply better for the case of normal users); it would be strange to think that any of us could insert, intentionally or maliciously, spam or destroy the CSS/JS pages of Wikispecies (unless your account was compromised). We should be able to rely on our sound judgment and that administrators or bureaucrats are sufficiently aware of the security measures and risks involved in the permission. For example, in Commons all administrators can obtain permission on request from bureaucrats without having to go through a vote; here maybe we could do that with the current administrators, and for the future that the candidates be put to a vote, but without so many requirements (suffice it to have a secure account and maybe, that you have at least 6 months as administrator [like the bureaucrats on Meta]). Regards. —AlvaroMolina ( - ) 16:50, 15 August 2018 (UTC)
In the strictest sense there are only two Wikispecies-specific requirements stated in the above proposal, namely that (after the 27th of August): "no admin or bureaucrat should automatically be assigned to the interface admin group", and that "no bureaucrat should assign him/herself to the interface-admin user group". The third requirement ("If an administrator needs to edit JavaScript- or CSS files he should ask a bureaucrat on the 'Requests for adminship' page") is in effect a Wikimedia global requirement and nothing we can decide locally for Wikispecies, since on all Wikimedia sister projects only bureaucrats can assign a user to this particular user group. Admins can't.
As for Commons and admins being "promoted" to the interface-admin user group without having to go through a vote: yes, you're right. However again, one must remember that there is a huge difference in user level capabilities between admins and interface-admins, and perhaps not even all bureaucrats know this. First of all, a "regular" admin in a wiki project can't really do anything outside of that specific wiki project. This is not true for interface-admins. For example an interface-admin on any wiki project can instantly and automatically make all visitors on all Wikimedia sister projects start to send spam and/or set off a DDoS attack towards for example the United Nations, the Central Bank of Russia‎, or the FBI. Yes: everyone who even visits any of the currently 882 Wikimedia projects is affected, even if they've never made a single edit (registered or not). Considering that all together the different Wikipedia, Commons, Wikispecies, Wikivoyage etc. sites have several millions of visitors every day, this is potentially a huge security risk.
Lastly I wish to remind everyone that after August 27 only interface-admins will be able to edit JavaScript and CSS files in the Wikimedia namespace. Our admins and bureaucrats will not. This is a global Wikimedia decision we can't change locally here at Wikispecies. We can only decide whether we want interface-admins or not, and if so, how to assign them. And after they're assigned we can't take them away. –Tommy Kronkvist (talk), 11:38, 16 August 2018 (UTC).
Oppose Apologies, I have been at a conference, hence unavailable the last few days. I agree with @AlvaroMolina: that this is probably a little overboard. When this came up I asked what advice Meta had and the response was not as exclusive as this. That basically said that account security, ability to do this and experience were basically the main issues. Above it has been suggested that a time limited access to this user right be considered. I can see this being appropriate, since I would suspect anyone wanting it legitimately has a single objective in mind anyway. This could all be negotiated between the user and our current admins etc at the time. Then given accordingly if deemed appropriate. Not really a formal vote, just a discussion and a decision. Maybe it would be better to develop a policy of what we expect from people wanting this in terms of their account security, demonstrated experience etc, and outline of what they are attempting to do. Then any applicant can provide the information we need when asking and we can all just decide based on this. Keeping it a semi informal process with a few checks. Cheers Scott Thomson (Faendalimas) talk 23:27, 16 August 2018 (UTC)
As for formal votes I already in my first draft above propose that "Since this privilege entails a security risk, a request for interface adminship should not lead to a public poll", so no argument there. :-)
We will need a formal Wikispecies:Interface administrators page listed in Category:Wikispecies user access levels (analogous to Wikispecies:Administrators, Wikispecies:Checkusers and Wikispecies:Oversighters etc.) so that users can find information about the policy and at any given time check a list of current interface administrators. The user group itself has already been created globally and may henceforth be populated by our bureaucrats so in theory our interface-admin page could be created right away, but I guess there's no real point in doing so before we have an agreed upon policy? –Tommy Kronkvist (talk), 12:42, 17 August 2018 (UTC).
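Editor's added example (not part of this discussion, and not code from Wikispecies or MediaWiki): the two checks the thread keeps coming back to, who currently holds interface-admin and whether each assignment is time-limited, can be answered from the MediaWiki Action API. The script below builds the two queries and audits a response for permanent or overly long memberships. Assumptions not stated on the page: `list=allusers&augroup=interface-admin` enumerates the group and `list=users&usprop=groupmemberships` returns a per-group `expiry` that reads `"infinity"` for a permanent assignment; the response embedded here is constructed, with made-up account names, so the script runs offline and never contacts the real endpoint.

```python
"""Audit interface-admin group membership on a MediaWiki site.

Added example for the Wikispecies interface-admin discussion; not
Wikispecies or MediaWiki code.  Assumes the Action API shapes named in
the lead-in; the sample response below is constructed and the real
endpoint is never contacted.
"""
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

API_ENDPOINT = "https://species.wikimedia.org/w/api.php"  # not contacted here
GROUP = "interface-admin"

# Constructed sample of a list=users&usprop=groupmemberships response.
# Account names are made up; "infinity" marks a permanent membership.
SAMPLE_RESPONSE = json.loads("""
{"batchcomplete": "", "query": {"users": [
  {"userid": 1, "name": "ExampleAlice", "groupmemberships": [
     {"group": "sysop", "expiry": "infinity"},
     {"group": "interface-admin", "expiry": "2018-11-14T00:00:00Z"}]},
  {"userid": 2, "name": "ExampleBob", "groupmemberships": [
     {"group": "interface-admin", "expiry": "infinity"}]},
  {"userid": 3, "name": "ExampleCarol", "groupmemberships": [
     {"group": "bureaucrat", "expiry": "infinity"}]}
]}}
""")


def members_query_url(group=GROUP, endpoint=API_ENDPOINT):
    """First page of every account in `group` (follow 'continue' for more)."""
    params = {"action": "query", "list": "allusers", "augroup": group,
              "aulimit": "max", "format": "json"}
    return endpoint + "?" + urlencode(params)


def memberships_query_url(usernames, endpoint=API_ENDPOINT):
    """Group memberships, with expiry, for the named accounts."""
    params = {"action": "query", "list": "users",
              "ususers": "|".join(usernames),
              "usprop": "groupmemberships", "format": "json"}
    return endpoint + "?" + urlencode(params)


def _parse_ts(ts):
    """API timestamps are UTC, e.g. 2018-11-14T00:00:00Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def current_holders(response, group=GROUP):
    """Sorted names of accounts that currently hold `group`."""
    names = [u["name"] for u in response["query"]["users"]
             if any(m["group"] == group for m in u.get("groupmemberships", []))]
    return sorted(names)


def audit(response, as_of, group=GROUP, max_days=90):
    """Return (name, expiry, reason) for memberships that are permanent or
    run more than `max_days` past `as_of`.  Expired memberships never
    appear in the API output, so only the two live cases are checked."""
    now = _parse_ts(as_of)
    findings = []
    for user in response["query"]["users"]:
        for m in user.get("groupmemberships", []):
            if m["group"] != group:
                continue
            if m["expiry"] == "infinity":
                findings.append((user["name"], None,
                                 "permanent assignment; no expiry set"))
            elif _parse_ts(m["expiry"]) - now > timedelta(days=max_days):
                findings.append((user["name"], m["expiry"],
                                 f"expires more than {max_days} days out"))
    return findings


if __name__ == "__main__":
    print(members_query_url())
    print(memberships_query_url(current_holders(SAMPLE_RESPONSE)))
    for name, expiry, reason in audit(SAMPLE_RESPONSE, as_of="2018-08-27T00:00:00Z"):
        print(f"{name}: {reason}" + (f" ({expiry})" if expiry else ""))
```

Run against a live wiki, the two URLs are the only requests needed; the group list needs no login, since group membership is public (it is what Special:ListUsers shows). The `max_days` threshold is a local policy choice, not anything MediaWiki enforces: the software only removes the right automatically when a bureaucrat set an expiry at assignment time, which is exactly why a permanent assignment is the case worth flagging.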
Btw here's the current proposal for the equivalent policy at English Wikipedia: Interface administrators. (As noted on the page local enWP bureaucrats have the ability to not only assign but also remove users from the interface-admin (and admin) user groups. At present this ability is not a part of the toolset available to our bureaucrats; see Special:ListGroupRights.) –Tommy Kronkvist (talk), 00:14, 18 August 2018 (UTC).
That is a fair point. Considering the potential risks for this type of user right, at present our only option to stop someone abusing it would be to block them and request assistance from a Steward. Maybe before we assign any of these the capacity to remove this right immediately should be considered. As we can for bots with admin rights. I am hopeful such an issue could be avoided by careful decisions on who to give it to, but things can go wrong. Cheers Scott Thomson (Faendalimas) talk 01:00, 18 August 2018 (UTC)
Agreed, however the process of granting bureaucrats the technical ability to remove admin flags isn't altogether trivial: see for example RFC: Granting bureaucrats the ability to remove the admin flag and RFC: Bureaucrat removal of adminship policy at enWP. Also, since only interface-admins are allowed to edit CSS and (more importantly) JS files (in Wikimedia: namespace) I guess that implies only interface-admins can revert them as well. Not 100% sure about that though, but it seems logical. –Tommy Kronkvist (talk), 02:00, 18 August 2018 (UTC).