On Mon, Jun 11, 2018 at 6:26 PM, Nathan <nawr...@gmail.com> wrote:

> Is the risk of an attacker taking over an account with CSS/JS edit
> permissions any more or less because that person knows how to use CSS/JS?
> If the criteria will be that only people who know how to use CSS/JS will
> get access to make those edits, I'm not sure that is perfectly tailored to
> the need being identified - security from outside threats.

That's a good point that I hadn't considered, and that I think further
supports the approach that Steven advocated instead of the approach of
developing a new user permission.

> Can we make the
> edit right temporary, so someone can request it through a normal simple
> process, execute their edits, and then relinquish it? It can be a right
> that admins could grant to each other, as long as they can't gift it to
> themselves.

I think that a per-edit review would be preferable, so that someone can't
request what they say will be benevolent edits and then do something
malicious before anyone else has enough time to review all of the changes
that they made.
Wikitech-l mailing list