On 08/27/2013 10:27 AM, vitalif(a)yourcmc.ru wrote:
> Actually, the first and the basic step is much simpler - MediaWiki
> should perform userCanRead() checks everywhere it displays information
> about any page.
+1. Sometimes, it's not so easy, though, especially when it comes to lists of
pages and paging. In the medium term, though, we should go for some deeper
security model that performs checks directly when an article is accessed
instead of manually checking all over the code.
> I'm now trying to improve API protection in IntraACL (before today it
> was provided only by "Title hack" which returned "Access denied"
> instead of any real inaccessible Title object) - and it seems
> userCanRead() must be added in almost every ApiQuery*.php file :-X
> (ApiPageSet isn't used everywhere)
Just a short note: userCanRead seems to be deprecated since 1.19. It's
recommended to use userCan('read') instead.
Best,
Markus
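The per-title check and the paging problem discussed above, as an added illustration that is not code from MediaWiki core or from IntraACL: a hypothetical ApiQuery module (class name, parameter names and the `page`-table query are assumptions) that passes every candidate title through `Title::userCan( 'read', $user )` instead of the deprecated `userCanRead()`, and computes the `continue` offset on the filtered rows so hidden pages appear neither in the output nor in the offset.

```php
<?php
/**
 * Hypothetical module (assumed name) showing a read-checked, paged list.
 * Every row is filtered with Title::userCan( 'read', $user ); unreadable
 * pages are dropped silently rather than reported as "Access denied".
 */
class ApiQueryReadableList extends ApiQueryBase {

	public function execute() {
		$params = $this->extractRequestParams();
		$user   = $this->getUser();
		$limit  = $params['limit'];

		// Candidate rows in page_id order; one extra row tells us whether more exist.
		$this->addTables( 'page' );
		$this->addFields( array( 'page_id', 'page_namespace', 'page_title' ) );
		$this->addWhereRange( 'page_id', 'newer', $params['continue'], null );
		$this->addOption( 'LIMIT', $limit + 1 );
		$res = $this->select( __METHOD__ );

		$result = $this->getResult();
		$path   = array( 'query', $this->getModuleName() );
		$count  = 0;   // readable rows emitted so far
		$rows   = 0;   // rows examined, readable or not
		$lastId = null;
		foreach ( $res as $row ) {
			$rows++;
			$lastId = $row->page_id;
			$title = Title::makeTitle( $row->page_namespace, $row->page_title );
			if ( !$title->userCan( 'read', $user ) ) {
				continue; // omit entirely: no title, no id, no error marker
			}
			if ( $count >= $limit ) {
				// Page is full; resume at this readable row next time ('newer' is inclusive).
				$this->setContinueEnumParameter( 'continue', $row->page_id );
				return;
			}
			$count++;
			$result->addValue( $path, null,
				array( 'pageid' => $row->page_id, 'title' => $title->getPrefixedText() ) );
		}
		// Full batch fetched but the page is not full: more rows may follow the last one seen.
		if ( $rows > $limit ) {
			$this->setContinueEnumParameter( 'continue', $lastId + 1 );
		}
	}

	public function getAllowedParams() {
		return array(
			'limit' => array( ApiBase::PARAM_DFLT => 10, ApiBase::PARAM_TYPE => 'limit',
				ApiBase::PARAM_MIN => 1, ApiBase::PARAM_MAX => ApiBase::LIMIT_BIG1,
				ApiBase::PARAM_MAX2 => ApiBase::LIMIT_BIG2 ),
			'continue' => array( ApiBase::PARAM_TYPE => 'integer', ApiBase::PARAM_DFLT => 0 ),
		);
	}
}
```

Note that a batch made up entirely of unreadable rows still produces a `continue` offset with an empty result, so a client can tell that some gap exists even though it learns nothing about the pages in it; that residual signal is part of why list paging is the hard case mentioned above.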