Thanks for the comment, River,
I did use the method suggested by Greg and it works to lock down my
default theme. Unfortunately, as you have pointed out, the other themes
are still available to anonymous users through specifying it as a URL
parameter. I am using the $wgSkipSkins setting, but that only limits
the skins available on the Special:Preferences page. The
useskin=standard in the URL still works.
Any suggestions to disable the use of alternate (non-default or
skipped) skins? I was looking on Meta and saw the following section:
http://meta.wikimedia.org/wiki/Skins#Ensure_users_using_skipped_skins_use_t…
I would prefer not to modify code because it will break when I upgrade
but so far I have not seen another option. I have applied the above
linked hack to my MediaWiki and it works great. I added the following
to the function normalizeKey in includes/Skin.php (add at the location
recommended by Meta):
    // Force any skin listed in $wgSkipSkins back to the default skin.
    global $wgSkipSkins;
    if( in_array( $key, $wgSkipSkins ) ) {
        $key = $wgDefaultSkin;
    }
Maybe this should be added to a future release of MediaWiki? I'm
running 1.10.2 and this code is what I needed to completely enforce
$wgSkipSkins.
Many thanks to Greg and River for the helpful info.
-Tom
> Date: Sat, 15 Dec 2007 12:56:32 +0000
> From: River Tarnell <river(a)wikimedia.org>
> Subject: Re: [Mediawiki-enterprise] deny anonymous access to sidebar
> To: mediawiki-enterprise(a)lists.wikimedia.org
> Message-ID: <4763CF00.2030505(a)wikimedia.org>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Greg Sabino Mullane wrote:
> > A simple solution would be to simply take the sidebar out of the default
> > skin (whatever $wgDefaultSkin is set to).
>
> but remember that anonymous users can change the skin by adding e.g.
> ?useskin=standard to the URL.
>
> - river.
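
The gap discussed in the message above (a skin hidden from Special:Preferences but still honoured through useskin=), shown beside skip-list enforcement at key resolution. This is an added example, not part of the original thread and not MediaWiki's code: the function names and the installed-skin list are constructed for illustration, and only $wgDefaultSkin, $wgSkipSkins and useskin come from the messages.

```php
<?php
// Stand-alone model of skin selection; this is NOT MediaWiki's includes/Skin.php.
// The function names and the installed-skin list are constructed for illustration.
$installedSkins = array( 'monobook', 'standard', 'cologneblue' ); // constructed
$wgDefaultSkin  = 'monobook';
$wgSkipSkins    = array( 'standard', 'cologneblue' );

// What the skip list does on its own: it trims the choices offered in preferences.
function preferenceChoices( $installed, $skip ) {
    return array_values( array_diff( $installed, $skip ) );
}

// Resolution without enforcement: any installed key that is requested is honoured.
function resolveSkinUnenforced( $requested, $installed, $default ) {
    $key = (string)$requested;
    return in_array( $key, $installed, true ) ? $key : $default;
}

// Resolution with the skip list enforced on every path, URL parameter included.
function resolveSkinEnforced( $requested, $installed, $default, $skip ) {
    $key = resolveSkinUnenforced( $requested, $installed, $default );
    if ( in_array( $key, $skip, true ) ) {
        $key = $default; // same fallback as the snippet posted in the message
    }
    return $key;
}

// A default skin that is itself skipped would defeat the fallback.
function skipListIsConsistent( $default, $skip ) {
    return !in_array( $default, $skip, true );
}

// Constructed useskin= values, as an anonymous request might carry them.
foreach ( array( '', 'monobook', 'standard', 'nosuchskin' ) as $req ) {
    printf( "useskin=%-10s unenforced=%-11s enforced=%s\n", $req,
        resolveSkinUnenforced( $req, $installedSkins, $wgDefaultSkin ),
        resolveSkinEnforced( $req, $installedSkins, $wgDefaultSkin, $wgSkipSkins ) );
}
echo 'offered in preferences: ',
    implode( ', ', preferenceChoices( $installedSkins, $wgSkipSkins ) ), "\n";
echo 'default not skipped: ',
    var_export( skipListIsConsistent( $wgDefaultSkin, $wgSkipSkins ), true ), "\n";
```
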
Hello,
According to the page
http://www.mediawiki.org/wiki/Manual:Preventing_access "If you need to
protect even the sidebar ... it's recommended that you use
higher-level authentication such as .htpasswd or equivalent."
Without using .htpasswd, are there options for restricting access to
the MediaWiki:Sidebar content before a user logs in? A wiki-wide
navigation menu is an important element for providing our users easy
access to important content. If the world will have access to see the
contents of the Sidebar, I will be reluctant to put more than a few
generic menu items.
Here is an analogy for my motivation: You have purchased several very
expensive gifts and they are in your car. The car is locked, but you
still want to put them in the trunk or otherwise hide the fact that
they are there. If you leave them in plain view, your car is instantly
a very attractive target for theft. In the same way, if the
interesting contents of a locked site are clearly visible it becomes a
more likely target for attack (to access whatever sensitive
information may be contained therein).
Any ideas for how to best secure the MediaWiki sidebar are much
appreciated. I have included some info on my configuration below to
provide some context for those who may be interested.
--
Thomas (Tom) Hogarty
I'm using the http://www.mediawiki.org/wiki/Extension:LDAP_Authentication
plugin to authenticate company users against Windows 2003 Active
Directory. We are also using SSL to encrypt connections to the wiki.
My MediaWiki version is 1.10.2-36.
I am requiring all users to be logged in via LDAP using the following
restrictions in LocalSettings.php:
    $wgGroupPermissions['*']['read'] = false;
    $wgGroupPermissions['*']['edit'] = false;
    $wgGroupPermissions['*']['createaccount'] = false;
    $wgWhitelistRead = array( "Special:Userlogin" );
    $wgEmailConfirmToEdit = true;
    $wgLDAPUseLocal = false;
    # 28800 seconds is 8 hours
    $wgCookieExpiration = 28800;
I have personalized some of the Special:Allmessages (system messages)
to reflect our login policy:
MediaWiki:Loginprompt
MediaWiki:Loginreqpagetext
MediaWiki:Tooltip-pt-anonlogin
MediaWiki:Tooltip-pt-login
MediaWiki:Userlogin