On Mon, Jun 11, 2018 at 6:26 PM, Nathan <nawr...@gmail.com> wrote: > Is the risk of an attacker taking over an account with CSS/JS edit > permissions any more or less because that person knows how to use CSS/JS? > If the criteria will be that only people who know how to use CSS/JS will > get access to make those edits, I'm not sure that is perfectly tailored to > the need being identified - security from outside threats.
That's a good point that I hadn't considered, and that I think further supports the approach that Steven advocated instead of the approach of developing a new user permission. > Can we make the > edit right temporary, so someone can request it through a normal simple > process, execute their edits, and then relinquish it? It can be a right > that admins could grant to each other, as long as they can't gift it to > themselves. > I think that a per-edit review would be preferable, so that someone can't request what they say will be benevolent edits and then do something malicious before anyone else has enough time to review all of the changes that they made. _______________________________________________ Wikitech-l mailing list Wikitechemail@example.com https://lists.wikimedia.org/mailman/listinfo/wikitech-l