* Aryeh Gregor <Simetrical+wikilist(a)gmail.com> [Thu, 25 Feb 2010 11:48:05 -0500]:
For information on some of the many things that
can go wrong with an extension that claims to do read restrictions,
see
<http://www.mediawiki.org/wiki/Security_issues_with_authorization_extensions>.
The *only* reliable type of read restriction in MediaWiki, with or
without extensions, is when you forbid entire groups (e.g.,
unregistered users) from reading or editing the wiki at all. If you
can edit any page, or view anything beyond a very small and
carefully-selected whitelist, you can probably get some information
about pages that are hidden to you.

Thanks for pointing it out to the list. I think I've seen it some time
ago - it has been expanded since then. I should check my small access
restriction extension against it. Anyway, even the list itself proves
that most (although not all) of the issues are fixed since 1.10 and
later. It seems that MediaWiki needs only a small step to make it
relatively secure for fine-grained views, too.
Dmitriy