Page MenuHomePhabricator
Create Task
Maniphest T7882

Admin session protection by requiring to re-enter their password to use any admin operation (a feature like "sudo")
Closed, DeclinedPublic
Actions

Description

Author: anon.hui

Description:
This is a feature that has a "sudo"-like behavior for any admin operation.

Any admins (sysop, bureaucrat) must be required to re-enter their password to
use any admin operation.

  1. When the admin user first login, they have all privileges with exactly the

same as normal login user.

  1. When the admin user first click the link that require admin privileges (such

as, delete, protect, block user), they will be prompted with password dialog
box. They must re-enter their password to gain the admin privilege session, so
that they can continue the admin operation.

  1. They won't be required to re-enter the password, to do any subsequent admin

operation, within the limited expiration time (since last admin operation).

  1. The session with admin privilege will expire, after a limited time since last

admin operation.

  1. When the session expire, they need to re-enter the password, to do the

subsequent admin operation.

  1. Must have logs for every admin operation. Not only delete/protect/block

operations which are already logged, the other admin operations, such as,
viewing the deleted page, editing the protected page, rollback the page, should
also be logged.

  1. Optionally, the admin may be required to give their reason to view any

deleted page. The reason will be shown in the log that record the viewing of
deleted page.

Rationale

See
http://meta.wikimedia.org/wiki/Proposal_for_a_sudo-like_behavior_for_admin_operations

Version: unspecified
Severity: enhancement
URL: http://meta.wikimedia.org/wiki/Proposal_for_a_sudo-like_behavior_for_admin_operations

Details

Reference
bz5882

Event Timeline

bzimport raised the priority of this task from to Lowest.Nov 21 2014, 9:14 PM
bzimport added a project: MediaWiki-Special-pages.
bzimport set Reference to bz5882.
bzimport added a subscriber: Unknown Object (MLST).
bzimport created this task.May 9 2006, 12:15 PM
bzimport added a comment.May 9 2006, 12:31 PM

robchur wrote:

I'd be inclined to WONTFIX this, to be honest; the rationale being that it would
place too great an emphasis on administrator permissions and it would get in the
way of administrators responding to both casual issues and time-sensitive
"threats". The other two main concerns this report raises are auditing. Editing
protected pages is logged in the pages' histories as any other edit would be;
rollback operations are also logged here.

Viewing of deleted pages might be a problem in some cases, but I'd be inclined
to suggest that pages which have been deleted for legal reasons, etc. should be
deleted using the [hopefully] forthcoming improved revision deletion mechanism.
Alternatively, they should be wiped from the database.

bzimport added a comment.May 9 2006, 1:19 PM

anon.hui wrote:

For a time-sensitive "threats", a session timeout can solve this problem.
The session timer will be reset whenever the admin operation is used.
This is alike to "sudo" command in most unix-like system.
If the admin use the admin-privileged command continuously or periodically, they
will never be required to re-enter their password.
But this doesn't mean to encourage the admin to continuously overuse the admin
operation.
It means that if they "really" need to continuously use the admin operation,
such as in a time-sensitive situation, they can do that in time.

BTW: I just added the 4th item in rationale session of,
http://meta.wikimedia.org/wiki/Proposal_for_a_sudo-like_behavior_for_admin_operations#Rationale

bzimport added a comment.May 9 2006, 2:45 PM

robchur wrote:

I still don't understand why you'd bother to add "sudo"-like functions in the
first place. And what's with the "overuse" argument? It makes no sense
whatsoever to add needless crippling of functionality like this.

Platonides added a comment.May 10 2006, 2:59 PM

I answered on that page your arguments. Please try to get some consensous on
problematic changes before asking them to be done.

bzimport added a comment.May 10 2006, 3:04 PM

robchur wrote:

It's not that the change was problematic, it's that the idea doesn't fit the
direction the software should be following.

Platonides added a comment.May 10 2006, 4:12 PM

I meant "socially problematic" :)

bzimport added a comment.May 15 2006, 12:20 PM

anon.hui wrote:

Ok, I will revise the feature to be the more relax and flexible, to not affect
the existing culture/tradition (in case they have consensus not to change them).
The feature may be disabled by default when upgrading, to not have impact on the
existing project.
Some new project using mediawiki may want this feature.
I, personally, as an admin of http://th.lug.wikia.com, extremely need this
feature in that wikia sub-domain.

bzimport added a comment.May 15 2006, 1:26 PM

anon.hui wrote:

Hi, adding more compromise specification,

  1. It will depend on the config on each wiki project to allow admin user to

setup the session expire time (or to not expire at all) in his/her preferences.

  1. When upgrading mediawiki, the admin session expire time will be, by default,

not expire at all, to not have impact on the existing project.

See
http://meta.wikimedia.org/wiki/Proposal_for_a_sudo-like_behavior_for_admin_operations
for more details of change.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL