Re: [Wikitech-l] Could someone relatively new to Python please QA the Accuracy review login framework?

2016-01-18 Thread James Salsman
>>> Have you looked at using OAuth for authentication?
>>
>> Yes; the modules in use support OAuth but we made a conscious decision to
>> support anonymity. Lack of anonymity can interfere with the operation of the
>> reviewer reputation database.
>
> I'd love to read the background discussion that led to that decision.

Here is the pertinent excerpt:

"I would prefer to have text presented to reviewers anonymously. While
we can and do make reputation decisions about particular users,
wikipedia editing is generally pseudonymous with little control over
identity and password security. There are already tools for addressing
user-oriented issues. All of the accuracy review contemplated in the
original assignment assumes that review is anonymous so that reviewers
can not be influenced by, e.g., commercial loyalties or bribery."

> Could you identify which part of MediaWiki's OAuth implementation has
> unacceptable problems regarding anonymity?

Let me think about that and respond later, please. Upgrading to do
that might be more configuration than re-coding.

> If you are setting high standards/promises in that regard, your
> alternative implementation of user authentication will need to be
> extremely carefully written (as will your entire codebase need very
> good security auditing).

Hence my request for people to have a look at it. The Python Flask
default login system is being used.

___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

[Wikitech-l] Could someone relatively new to Python please QA the Accuracy review login framework?

2016-01-18 Thread James Salsman
> Have you looked at using OAuth for authentication?

Yes; the modules in use support OAuth but we made a conscious decision to
support anonymity. Lack of anonymity can interfere with the operation of
the reviewer reputation database.

On Tuesday, January 12, 2016, James Salsman wrote:

> An Outreachy candidate for http://mediawiki.org/wiki/Accuracy_review who
> went ahead and started unpaid has been making good progress, and is about
> to land the central guts of the project on github. It's a new way to
> transition from creating to maintaining Wikipedia articles, with an
> emphasis on detecting outdated statistics, fighting bias including paid
> advocacy of all kinds, and proofreading WEP student work. It's been going
> slow, mostly because the original trial run architecture was too dependent
> on email.
>
> However, before she gets there, could one or two people who are maybe
> beginner or intermediate with Python but advanced with Mediawiki or PHP
> please test her user authentication and login framework?
>
> https://github.com/priyankamandikal/wikireview/
> 
>
> It's built for PythonAnywhere because it shouldn't run on Wikimedia
> servers, because of the safe harbor DMCA provisions precluding editorial
> control by web hosts. Please report any issues on github and note your
> results on the Phabricator task to prevent duplication of effort.
>
> Thanks in advance!
>
> Best regards,
> Jim Salsman
>
>

Re: [Wikitech-l] Could someone relatively new to Python please QA the Accuracy review login framework?

2016-01-18 Thread John Mark Vandenberg
On Tue, Jan 19, 2016 at 4:22 PM, James Salsman wrote:
>> Have you looked at using OAuth for authentication?
>
> Yes; the modules in use support OAuth but we made a conscious decision to
> support anonymity. Lack of anonymity can interfere with the operation of the
> reviewer reputation database.

I'd love to read the background discussion that led to that decision.

Could you identify which part of MediaWiki's OAuth implementation has
unacceptable problems regarding anonymity?

If you are setting high standards/promises in that regard, your
alternative implementation of user authentication will need to be
extremely carefully written (as will your entire codebase need very
good security auditing).

-- 
John Vandenberg


Re: [Wikitech-l] Could someone relatively new to Python please QA the Accuracy review login framework?

2016-01-12 Thread John Mark Vandenberg
On Wed, Jan 13, 2016 at 9:25 AM, James Salsman wrote:
>..
> please test her user authentication and login framework?

Have you looked at using OAuth for authentication?  There are numerous
OAuth providers, and using them removes the largest possible problem
from the app.

> It's built for PythonAnywhere because it shouldn't run on Wikimedia
> servers, because of the safe harbor DMCA provisions precluding editorial
> control by web hosts.

IMO it should be set up on Tool labs, where more people can play with
it.  It isn't editorial control if it uses logic to *identify*
potential problems in content.  That isn't exerting editorial control.
Editorial decisions are being made by reviewers who are not the WMF
webhost.

-- 
John Vandenberg


[Wikitech-l] Could someone relatively new to Python please QA the Accuracy review login framework?

2016-01-12 Thread James Salsman
An Outreachy candidate for http://mediawiki.org/wiki/Accuracy_review who
went ahead and started unpaid has been making good progress, and is about
to land the central guts of the project on github. It's a new way to
transition from creating to maintaining Wikipedia articles, with an
emphasis on detecting outdated statistics, fighting bias including paid
advocacy of all kinds, and proofreading WEP student work. It's been going
slow, mostly because the original trial run architecture was too dependent
on email.

However, before she gets there, could one or two people who are maybe
beginner or intermediate with Python but advanced with Mediawiki or PHP
please test her user authentication and login framework?

https://github.com/priyankamandikal/wikireview/


It's built for PythonAnywhere because it shouldn't run on Wikimedia
servers, because of the safe harbor DMCA provisions precluding editorial
control by web hosts. Please report any issues on github and note your
results on the Phabricator task to prevent duplication of effort.

Thanks in advance!

Best regards,
Jim Salsman