Talk: MassRenameRevert

This is the talk page for discussing improvements to the MassRenameRevert page.

Please sign and date your posts by typing four tildes (~~~~).
Put new text under old text. Click here to start a new topic.
If you're new to the wiki, please take a look at the talk page help.
Be polite
Assume good faith
Be welcoming

Privileges?[]

This is a great tool! And a very powerful one. As such, it could also be a dangerous one. Would it be possible to limit it’s availability/use to only those with rollback privileges (e.g., rollbackers, admins, etc.)? Thanks! :) — Spike Toronto 01:20, November 26, 2014 (UTC)

It's possible, yes, but it can be useful for regular users on wikis that are being vandalized by move vandals, so I would prefer not to restrict it to a local usergroup. However, if you want me to make a modified version to only load for rollbacks or sysops, let me know and I'll do it. I'll put an optional config when importing the script if the wiki want specific usergroups to only be able to use the script. – Ozuzanna 12:10, November 26, 2014 (UTC)

This is just too dangerous as it is. We have the occasional rename wars at our wiki. I only hope that none of them get wind of this script and load it in their personal JS. It could create nightmares for some admins. Since undoing malicious renames is generally the work of rollbackers and sysops, I still would like to be able to limit this tool to their use only. — Spike Toronto 08:27, December 2, 2014 (UTC)

A script is only a bad as the user using it. If users can't be trusted with it, the perhaps it's better to block them per 3RR (or any other applicable local policy). cqm 10:26, 2 Dec 2014 (UTC)

Per Cqm; I do the occasional CVN work and it's nice to have a tool that regular users can use to fight against vandals who abuse the rename action. And I highly doubt malicious users will seek out scripts to abuse on Fandom Developers Wiki - I don't think it has happened before. – Ozuzanna 15:44, December 2, 2014 (UTC)

┌────────────────────────────────────────────────────────────────────────────────────────────────────┘ This reminds me of the adage of the man with a new hammer: Everywhere he looks, he sees a nail. Programmers are often too close to their product to see the bigger picture. This tool has the possibility of being very dangerous. It’s akin to a tool that effectively gives a user rollback capability despite not having been granted that user right (think Twinkle versus Huggle). Moreover, it provides any user batch capability. Most wikia will not permit batch transactions on any account that has not been granted the bot user-right, bot-only sysop, and transactions limited to only those that have been approved by a request-for-bot process. This script completely bypasses that, especially if there is no code that a wikia can add to MediaWikia:Common.js to prevent it’s operation on that site by those lacking sufficient privileges. — Spike Toronto 06:48, December 15, 2014 (UTC)

I understand what you mean, but if I did add a user rights check in the core script it will not let users use it personally (such as in their global.js) when wanting to combat vandal renames. However from the feedback you gave me, I have elaborated on the main script page that it should be enclosed in at least one if statement if used wiki-wide that pertains to the user rights of the user (with a given example too). I think that's a fair compromise for both sides. – Ozuzanna 17:52, December 15, 2014 (UTC)

Oz: If we use that user-group limitation statement when importing site-wide, will that prevent a user who loads it in his global.js from using it on our site? (Fingers crossed that the answer is, “Yes”.) Thanks! :) — Spike Toronto 13:39, December 22, 2014 (UTC)

No, but you could prevent the elements from appearing on your wiki's MediaWiki.js if they are using that script in their global.js so it would render the script useless whenever loaded. – Ozuzanna 13:57, December 22, 2014 (UTC) Actually, on second thought I think the script being loaded from the user's js would have priority over site JS/CSS. – Ozuzanna 14:08, December 22, 2014 (UTC)

One thing to understand about the security of a client-sided script is that anybody determined enough to use it will find a way to use it regardless of what you put in their way. Just something to keep in mind when using things like this. — Foodbandlt (talk) 14:04, December 22, 2014 (UTC)

┌────────────────────────────────────────────────────────────────────────────────────────────────────┘ @Foodie: I’m not too worried about such sophisticated users. I’d just like local JS to be able to “block” user JS in such cases.

@Oz: I thought that the CSS/JS load order was

Wikia core CSS/JS (i.e., same as appending
?usesitecss=0&usesitejs=0&allowusercss=0&allowuserjs=0
to the URL)
site CSS/JS
user CSS/JS
- not sure, though, which of these loads last:
  - /common.js or
  - /global.js

Thanks! :) — Spike Toronto 16:38, December 22, 2014 (UTC)