Page MenuHomePhabricator
Create Task
Maniphest T254628

Security Readiness Review For Diff (diff.wikimedia.org)
Closed, ResolvedPublic
Actions

Description

Project Information

(This is a private repository, please contact @Varnent for access)

Description of the tool/project:
A community news site running on WordPress VIP, a hosting platform by Automattic.

Description of how the tool will be used at WMF:
Wikimedia volunteers can authenticate (using Oauth and their Wikimedia account) to submit news for publication and comment on existing news articles.

Dependencies
Relies on WordPress, hosted by WordPress VIP. We are using the following plugins (extensions to WordPress' capabilities)

The theme is custom-built, based upon _u (Underscores) a starter theme for WordPress.

Has this project been reviewed before?
No. A security preview was requested, but I was directed to fill out this and a privacy review. (T249042)

Working test environment
Development instance: https://blog-wikimedia-org-develop.go-vip.net
Instructions for running a local instance: https://wpvip.com/documentation/vip-go/local-vip-go-development-environment/
We use git to manage code. Repo located at: https://github.com/wpcomvip/wikimedia-blog-wikimedia-org/tree/develop (develop branch is for the current development instance)

Post-deployment
Communications - Chris Koerner

Related Objects

Event Timeline

CKoerner_WMF created this task.Jun 5 2020, 8:55 PM
Restricted Application added a project: secscrum. · View Herald TranscriptJun 5 2020, 8:55 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Peachey88 subscribed.Jun 5 2020, 11:10 PM
Peachey88 renamed this task from Security Readiness Review For Diff (diff.wikimedia.org to Security Readiness Review For Diff (diff.wikimedia.org).Jun 6 2020, 6:11 AM
chasemp subscribed.Jun 8 2020, 3:18 PM

The referenced code link is dead here https://github.com/wpcomvip/wikimedia-blog-wikimedia-org/

chasemp updated the task description. (Show Details)Jun 12 2020, 2:21 PM
chasemp added a subscriber: Varnent.
chasemp triaged this task as Medium priority.Jun 12 2020, 2:32 PM
JFishback_WMF added a project: Privacy Engineering.Jun 13 2020, 7:18 PM
JFishback_WMF moved this task from Incoming to Watching on the Privacy Engineering board.
sbassett added subscribers: Reedy, sbassett.Jun 17 2020, 6:22 PM

@Varnent - can @Reedy and I get access to the private github repo? I'm sbassett29 on gh and Sam is reedy.

sbassett moved this task from Incoming to In Progress on the secscrum board.Jun 17 2020, 6:24 PM
JFishback_WMF subscribed.Jun 17 2020, 6:26 PM

@Varnent can you also please give access to me (jagspecx) for the privacy review. Thx.

Varnent added a comment.Jun 18 2020, 3:50 PM

@Reedy, @sbassett, and @JFishback_WMF - you should now have access. :)

Varnent added a comment.Jun 18 2020, 3:52 PM

Also, just as a quick note, the plan is to make a public copy of this repo available once it launches - as is done with Foundation website. We are also discussing making the private repos public, but that is lower down the discussion list at this exact moment. :)

sbassett added a comment.Jun 18 2020, 4:49 PM
In T254628#6235233, @Varnent wrote:

@Reedy, @sbassett, and @JFishback_WMF - you should now have access. :)

Great, thanks.

sbassett added a comment.Jun 18 2020, 4:50 PM

@Varnent - I heard mention of a wpDiscuz plugin that was to be purchased. Is that listed here under a different name? If not, can we get that one listed as well and make sure all relevant plugins are up-to-date? Thanks.

Varnent added a comment.Jun 18 2020, 4:51 PM

@sbassett - @CKoerner_WMF would have more up to date info on that than me. :)

CKoerner_WMF added a comment.Jun 18 2020, 5:26 PM

Take a look at the /develop branch. It should be in there.

https://github.com/wpcomvip/wikimedia-blog-wikimedia-org/tree/develop/plugins

CKoerner_WMF updated the task description. (Show Details)Jun 18 2020, 9:23 PM
CKoerner_WMF updated the task description. (Show Details)
Jcross assigned this task to Reedy.Jun 24 2020, 7:36 PM
CKoerner_WMF updated the task description. (Show Details)Jun 30 2020, 6:51 PM
Reedy added a comment.Jul 7 2020, 2:10 PM

Development instance: https://blog-wikimedia-org-develop.go-vip.net

Can I get an account on this blog/setup? Ideally with admin (super admin?) rights to poke around a bit furhter?

Thanks!

CKoerner_WMF added a comment.Jul 7 2020, 3:16 PM

@Reedy You have an account (reedy) and I just assigned your account the super admin role. You will have to set up two factor authentication once logged in to get access to all the bits an admin can see/do. :)

Reedy added a comment.Jul 10 2020, 1:23 PM

Thanks!

Mostly good to go (from the security side) next week. I note there isn't a seperate task for Privacy, and I don't know if James has anything too much to say, but will leave it open for him.

I've mostly updated the documentation on officewiki about the basic config, plugins etc.

So a few notes. There are some plugins enabled on other hosted WP blogs that aren't enabled here, that potentially should be, both for security and more general usability issues. Just because we're using OAuth against Wikimedia sites, doesn't necessarily prevent spam (see also Phab).

From a security point of view, things like https://wordpress.org/plugins/akismet/ might be useful (and we already have on other hosted blogs) to deal with comment spam that are still able to post even after signing up via OAuth. There might be a few others that come in handy down the line.

From "usability" pov (but off topic for this), I suspect extensions like https://wordpress.org/plugins/code-syntax-block might be useful (on the tech blog) too

CKoerner_WMF added a comment.Jul 14 2020, 8:19 PM

Hey @Reedy legal was curious as to the privacy review. Do I need to create a new task for that? Legal has given their OK for launching Diff, but were wanting to know if you all hand any concerns.

Aklapper added a comment.Jul 17 2020, 1:15 PM
In T254628#6296752, @Reedy wrote:

(but off topic for this), I suspect extensions like https://wordpress.org/plugins/code-syntax-block might be useful (on the tech blog) too

If I understand T243398 correctly then code-syntax-block is in use on the tech blog already

sbassett closed this task as Resolved.Jul 29 2020, 4:11 PM

Closing out this public review for now. New or ongoing issues can (and are: T257335, T258129, T259082) being tracked within separate tasks.

sbassett moved this task from In Progress to Our Part Is Done on the secscrum board.Jul 29 2020, 4:12 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits