Should PAWS be accessed by the bot account directly, or by the bot runners main user account and then be configured to use the bot username?
If the latter, we need to test & document how users can use their bot account while logged into PAWS using their main user account.
I think the simplest would be to login directly as the bot account. This means we can enforce a 1:1 mapping between paws user and the wiki user, which is useful for anti-abuse and other features.
Given that MW doesn't have any way to link master account with bot account, I don't think PAWS should try either. Users should just use OAuth to login with the bot account IMO. I did that a few days ago and it worked out fine.
The same problem exists for sysop accounts - i.e. the user-config.py sysopnames can not be used in PAWS.
The current approach allows people to create/modify user-config.py in their $HOME
It would be good to prevent any modification of usernames and sysopnames.
To do this, the /srv/pwb/user-config.py needs to
If you look at the current user-config file (https://github.com/yuvipanda/paws/blob/master/singleuser/user-config.py) it already does this by setting usernames and other things *after* the $HOME/user-config.py file is loaded, thus overwriting any settings that might've had. Not sure if that's granular enough, we might want to add a few dels. I don't fully know what usernames and sysopnames do though.