Meta-PokéBase Q&A
1 vote
1,263 views

We all know that the DB is far from perfect, and one of the bigger issues is that PM just doesn't have the time to make small edits to the site on a consistent basis. The site is also missing pages for several spin-off titles, which I feel should at least be documented. But why let Moderators edit pages? Mainly because they're trusted, active and responsible. No Moderator is going to change a page to be something innacurate/inappropriate - if they do, they probably shouldn't be a mod

(This is also coming from the viewpoint of a user, not a mod - please take this into consideration)

by
Maybe moderators can't edit the site because PokeMaster doesn't want another gligurr accident.
I very highly doubt that a Gligurr incident would happen with a mod. Mods are trusted users and wouldn't try to screw up stuff on the site.
I dunno, Fizz seems like he’s got something planned...
Na, DT* is the one trying to overthrow this site. :P

I believe editors should be able to edit pages as well (I mean, they are called editors, and we all know HT is great at that stuff) :P



*When DT is active and isn't working on his game/whatever normal individuals do during their daily lives.
@HT, That's just my opinion. But hey, you can't be too safe, right? ¯\_(ツ)_/¯
Even if Mods cannot be given complete control to create and edit pages, I still hold on to the opinion that mods and editors should be able to edit that grey box that says "Welcome to the PokéBase, the...".

Also they might as well e given access to the maps and puzzles page, that hasn't been updated since Gen V.
Yes, more updates to pages and and new pages that aren’t the Pokédex or main series games would be nice.

1 Answer

8 votes
 
Best answer

Don't take this as Pokemaster's official answer, but I'd like to give my take on this.

Giving mods access to editing the pages of this site would include giving them access to the source code of this site in some way. The pages on this site aren't edited the same way as these Pokebase posts are, but use HTML instead of Markdown.
And if Pokemaster gave them access to editing HTML, then a number of security issues like XSS and CSRF vulnerabilites arise. Mods could sneak in their own JavaScript code and compromise user data or make users do unwanted things, just by a user visiting the page with malicious JavaScript code in it. I don't want to get too technical, but if something like that were to happen, let's just say it wouldn't be pretty.

You could do things to prevent against these kinds of attacks, generally, but you can't do things like HTML-encode dangerous characters like < > " ' \ & because the site needs those for its genuine purpose, too.

A lot of the site is also most likely stored in a database and accessed server-side, and so some kind of edit-system would need to be implemented, and it'd need to be safe from security issues like the ones mentioned and maybe SQL injection (I'm no expert on SQLi so I don't know if it'd be a vulnerability here, but maybe).
I just think it sounds like a lot of work to implement if it were to be safe (time Pokemaster could use to correct mistakes on the site himself :P). And even then, it probably won't be 100% safe anyway with this kind of direct-edit access to the site because of filter-evasion techniques and the like.

It may not be impossible to implement some kind of user-submitted change system, like if you did something like GitHub (probably closed-source in that case) or if Pokemaster could review changes in some way, but I don't know what he'd think about that. I can't say, I guess.

I'm not saying the mods shouldn't be trusted though, it's not that, but it's just that this kind of thing is generally dangerous to do.

by
selected by
No no, you're not supposed to say this! I was going to inject redirects to my pokeshipping blog about Ash and his unconditional love fo--
I mean, yeah, this is very risky and dangerous, yes.
Lol Fizz I never knew you had this side to you.
I never thought about the issue of security attacks, but after reading this I can understand why this hasn't been implemented. I think the overall issue of potential security threats kind of overweigh what I said about updates and the like. If PM could make a page editing or a submission system, that'd be better than the current system but I don't see that happening soon. (And yes I appreciate that this is almost a complete 180 from my question, it's just that I didn't think about that too deeply - which is of course something I should've done)
Yes, this is basically correct in terms of giving people direct access to HTML and stuff. It's not really about security per se, as anyone I gave access to I'd trust, it's just that it's easy to mess things up accidentally. BTW several parts of the site like detailed move/ability descriptions *do* use Markdown as it's easier for me to edit.

I've been planning for a long while to open that up to more direct contributions from members but as you say it takes a while to develop.