MediaWiki Engineering/Runbook/Access control

Most things in Phabricator are freely editable by default to any logged-in account.

See mw:Phabricator/Permissions for a number of optional groups and how to make or request membership changes.

Shared:

• Trusted-Contributors: All staff should be in this group, and any existing member can add you. It enables common permissions such as editing workboards, editing project descriptions, and converting a public task to a security task.
• Project-Admins: When considering creation of new workboards or tags, review Phabricator/Creating and renaming projects on mediawiki.org and use the request form linked there. If you regularly create workboards, consider joining this group via the process linked there.

• Security tasks are by default only visible to the reporter and to individuals directly subscribed to the task. To see a security issue, someone must subscribe to that specific task, or you need to be a member of a group that can see all Wikimedia Foundation security issues, via the security access form:
  • acl*security_product_manager: Product managers should join this group.
  • acl*security_developer: Developers who are leads for a component or otherwise find themselves regularly needing to be subscribed to a security issue should consider joining this group.

MediaWiki Platform Team:

• acl*mediawiki_platform_team: This group controls access to granting the Web Perf Hero award badge, as well as any misc other things.

Shared:

• View list of all Gerrit team dashboards
• Add team dashboard to "Your" menu
• Edit a team dashboard

MediaWiki Platform Team:

• Gerrit dashboard: MediaWiki Platform Team
• Gerrit group: mediawiki-platform-team, controls owner access to mediawiki/php/excimer, mediawiki/libs/less.php, and other repos.

MW Interfaces Team:

• Gerrit dashboard: MW Interfaces Team
• Gerrit group: mw-interfaces
• Gerrit group: mw-interfaces-team

Content Transform Team:

• Gerrit dashboard: Content Transform Team
• Gerrit group: content-transform-team, controls owner access to mediawiki/services/parsoid and other repos.

• #mediawiki-core ^connect
• #mediawiki-core-bots ^connect

To add a team member to the channel, we grant the "Operator" flags. We have defined this to give the person a "voice" indicator (which helps others discover who's in the team and to easily remember their name), and to gives administrator rights (such as: edit the "topic" text, ban unwanted guests, and the viral ability to give Operator to other people). While in the channel, run these two commands:

/cs flags #mediawiki-core TheirNicknameHere operator

For example, to grant Operator rights to Krinkle, you'd run /cs flags #mediawiki-core Krinkle operator.

To remove special rights from someone in the channel (this does not ban them), run these two commands:

/cs flags #mediawiki-core TheirNicknameHere -*

The Operator group is defined as follows (see also ChanServ flags).

/cs template #mediawiki-core operator +ARVefiorstv

The #mediawiki-core-bots channel inherits rights from #mediawiki-core and does not have to be managed separately.

The Phabricator and Gerrit feeds are configured via the Wikibugs bot. Specifically the channels.yaml and gerrit-channels.yaml files in the wikibugs2 Git repo.

• IRC on office.wikimedia.org (restricted).
• Technology/Onboarding/Checklists/Template on office.wikimedia.org (restricted).
• Wikipedia:IRC/Tutorial on Wikipedia.
• IRC/Instructions on Meta-Wiki.
• IRC/Channels list on Meta-Wiki.