Semi-protect all subpages of Extension:FileImporter/Data?
Done. But I think this should have had some more discussion.
Thanks for that, having these pages semi-protected is definitely a must.
Why is the code written that way? That seems like a massive architectural mistake. Anything trusted even within the Wikimedia cluster like that should be in the MediaWiki namespace at least (and probably locked down to be JSON or whatever content model so only technical admins can edit them).
Since the FileImporter replaces/improves tools that the communities used for getting the job done, one very successful tool among those (the Commonshelper) was the gauge for the stuff we wanted to achieve with the FileImporter. The config structure and 'files' from that tool were used to have a good starting point for the changes made by the importer.
The relatively simple structure gives an easy way to maintain these by the communities and we see that more as a feature.
A gadget having major security holes is a problem, not an excuse to follow it. :-(
It seems like we should have some documented guidance for this sort of thing.