Wolf

Reputation: 10228

Prevent users from unwanted changes to their personal scripts

Before considering additions to MediaWiki:Common.js or MediaWiki:Vector.js, it makes sense to test them in a limited scope. I assume that this is what user-specific scripts can be used for, provided that $wgAllowUserJs has been set.

I suggested to the sysop that user scripts be enabled, and I claimed that no harm could be done because the scripts would only be executed for the logged-in user who loads the page, so he/she is responsible for what he/she does with the scripts. But then I realized that user scripts can be changed by other users. Is there a way - besides having a great team of wiki administrators - to prevent users from making unwanted changes? Or would it be better to withdraw my request?

I wished that there were a built-in lock but this seems not to be the case.

Is there a way to restrict changes in the user namespace to the same-name logged-in user?

Upvotes: 1

Views: 64

Answers (2)

Tgr

Reputation: 28160

User scripts are not terribly useful for testing changes to site scripts, since they won't replace site scripts, just run alongside them. They are rather meant to empower people to be able to write tools for themselves, without having to depend on administrators to install them. Which they do, but they are also a maintenance burden, result in spurious bug reports and enable some social-engineering attack vectors.

If you want to ease testing, I'd move away from site scripts entirely, and use the Gadgets extension instead.

Upvotes: 1

Wolf

Reputation: 10228

Only now did I read in Wikipedia:User scripts, section "A word about security":

However, unlike a standard userspace template, you don't need to worry about vandalism – JavaScript code in user space is protected from other users. Only interface administrators and the user in whose space the script lies can edit it.

So Wikipedia has exactly the built-in security I was hoping for. But such information is not as easy to find in the description of the switch within the MediaWiki manual:

If $wgAllowUserJs is set to true, users can customize the interface for only themselves by creating and importing personal scripts in user subpages with lowercase titles

This inconspicuous and brief note suggests it is implemented in the MediaWiki software itself.

Upvotes: 0
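
Whether a particular wiki matches the behaviour quoted in the answer above depends on which groups hold the rights to edit other users' scripts. The following is an added example, not part of either answer or of MediaWiki itself: it audits the `usergroups` section of a siteinfo API response. The sample response and the allow-list of expected groups are constructed assumptions; `edituserjs`, `editsitejs` and `editmyuserjs` are MediaWiki right names.

```python
import json

# Rights that let the holder change JavaScript that runs in someone else's
# browser session. "editmyuserjs" is excluded: it only covers one's own pages.
RISKY_RIGHTS = {"edituserjs", "editsitejs"}

# Groups that are expected to hold those rights (assumption for this example).
EXPECTED_GROUPS = {"interface-admin"}

# Constructed sample, shaped like the JSON returned by
# api.php?action=query&meta=siteinfo&siprop=usergroups&format=json
# The "sysop" entry is a deliberately misconfigured group for the demo.
SAMPLE_SITEINFO = json.dumps({"query": {"usergroups": [
    {"name": "*", "rights": ["read"]},
    {"name": "user", "rights": ["edit", "editmyuserjs", "editmyusercss"]},
    {"name": "sysop", "rights": ["edit", "protect", "edituserjs"]},
    {"name": "interface-admin",
     "rights": ["editinterface", "editsitejs", "edituserjs"]},
]}})


def audit_user_js_rights(siteinfo_json, expected=EXPECTED_GROUPS):
    """Return (findings, self_edit_groups).

    findings: list of (group, [risky rights]) for groups outside `expected`.
    self_edit_groups: groups whose members may edit only their own user JS.
    """
    groups = json.loads(siteinfo_json)["query"]["usergroups"]
    findings, self_edit_groups = [], []
    for group in groups:
        rights = set(group.get("rights", []))
        held = sorted(rights & RISKY_RIGHTS)
        if held and group["name"] not in expected:
            findings.append((group["name"], held))
        if "editmyuserjs" in rights:
            self_edit_groups.append(group["name"])
    return findings, self_edit_groups


if __name__ == "__main__":
    unexpected, own_only = audit_user_js_rights(SAMPLE_SITEINFO)
    for name, held in unexpected:
        print(f"unexpected: group '{name}' holds {', '.join(held)}")
    print("groups that can edit their own user JS:", ", ".join(own_only))
```
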
