From 1cd02c300158caea6b538f6933fef583eb1ac7d2 Mon Sep 17 00:00:00 2001
From: RhinosF1 <rhinosf1@miraheze.org>
Date: Thu, 14 Apr 2022 23:22:10 +0100
Subject: [PATCH] [SECURITY]: avoid global sensitive rights; 2FA for js on meta
 (#4587)

---
 LocalSettings.php | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/LocalSettings.php b/LocalSettings.php
index 1ecdcec9dd..df5390030e 100644
--- a/LocalSettings.php
+++ b/LocalSettings.php
@@ -2479,6 +2479,20 @@
 				'noratelimit' => true,
 				'userrights' => true,
 				'userrights-interwiki' => true,
+				'globalgroupmembership' => true,
+				'globalgrouppermissions' => true,
+			],
+			'sysadmin' => [
+				'userrights' => true,
+				'globalgroupmembership' => true,
+				'globalgrouppermissions' => true,
+				'userrights-interwiki' => true,
+			],
+			'trustandsafety' => [
+				'userrights' => true,
+				'globalgroupmembership' => true,
+				'globalgrouppermissions' => true,
+				'userrights-interwiki' => true,
 			],
 			'sysop' => [
 				'interwiki' => true,
@@ -2662,6 +2676,8 @@
 			'steward',
 			'staff',
 			'interwiki-admin',
+			'sysadmin',
+			'trustandsafety',
 		],
 	],
 	'wgManageWikiPermissionsDefaultPrivateGroup' => [
@@ -3155,7 +3171,12 @@
 		'ldapwikiwiki' => 'ldapwikiwiki',
 		'betaheze' => 'testglobal',
 	],
-
+	'wgOATHExclusiveRights' => [
+		'metawiki' => [
+			'edituserjs',
+			'editsitejs',
+		],
+	],
 	// OAuth
 	'wgMWOAuthCentralWiki' => [
 		'default' => 'metawiki',