On Wed, Jul 22, 2009 at 7:07 PM, Sage Ross<[email protected]> wrote:
> I'm not sure what to do about this; it seems like a good idea but a
> major security risk:
>
> http://www.watchlistr.com/ is a site that creates aggregate watchlists
> across multiple projects. See
> http://en.wikipedia.org/w/index.php?title=Wikipedia:Bounty_board#Transwiki_watchlist_tool

I think the thing to do about it is block it at the firewall and tell the user to immediately delete all the data they gathered and never do anything like it again. We aren't even just talking about malice here; if someone else compromises the server they could get access to a whole bunch of admin accounts if it becomes popular. The proper way to handle this would either be some form or other of software support, or use a toolserver tool with direct database access.

On Wed, Jul 22, 2009 at 7:59 PM, David Gerard<[email protected]> wrote:
> Would something on the toolserver be safe enough in these terms?

Toolserver projects are forbidden from asking users for login info. However, the watchlist tables are replicated to the toolserver, just not made available to unprivileged users. If a user wanted to make a script like this, it would be simple to give special access to the tables to allow it (possibly restricted in such a fashion that the script author didn't get access, only his vetted code). The tool could deal with authentication by, e.g., giving the user an autogenerated URL and a confirmation code to add to a magic user subpage (it could check what user created the page).

On Wed, Jul 22, 2009 at 10:40 PM, Happy-melon<[email protected]> wrote:
> I have a Greasemonkey script that does this, IMO, very nicely. I'm not 100%
> sure how GM script distribution works, but can't a server put files in a
> particular directory to have them be automatically suggested for
> installation by Greasemonkey?

Greasemonkey is far from ideal. It only works on the computer you install it on, and only works for Firefox users.

_______________________________________________
Wikitech-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
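
The subpage confirmation scheme suggested in the message above, sketched as an added example (not code from the thread or from any toolserver tool). The subpage name, the 15-minute lifetime and the `page` dictionary standing in for what the tool reads back from the wiki are assumptions.

```python
import hmac
import secrets
import time

CHALLENGE_TTL = 15 * 60      # assumed lifetime of a code, in seconds
SUBPAGE = "WatchlistAuth"    # hypothetical name of the "magic" user subpage


class ChallengeStore:
    """Proves control of a wiki account without the tool ever seeing a password."""

    def __init__(self):
        self._pending = {}   # claimed username -> (code, expiry time)

    def issue(self, username, now=None):
        """Return (page title to create, code to put on it) for a claimed user."""
        now = time.time() if now is None else now
        code = secrets.token_urlsafe(24)          # unguessable, single use
        self._pending[username] = (code, now + CHALLENGE_TTL)
        return f"User:{username}/{SUBPAGE}", code

    def verify(self, username, page, now=None):
        """page holds the title, creator and text the tool read back from the wiki."""
        now = time.time() if now is None else now
        entry = self._pending.get(username)
        if entry is None:
            return False
        code, expiry = entry
        if now > expiry:
            del self._pending[username]
            return False
        ok = (
            page["title"] == f"User:{username}/{SUBPAGE}"
            # The page must have been created by the claimed account itself,
            # not merely exist under that user's name.
            and page["creator"] == username
            and hmac.compare_digest(page["text"].strip().encode(), code.encode())
        )
        if ok:
            del self._pending[username]           # a code cannot be replayed
        return ok
```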
