On 08/27/2013 10:27 AM, vitalif@yourcmc.ru wrote:
Actually, the first and the basic step is much simpler - MediaWiki should perform userCanRead() checks everywhere it displays information about any page.
It would be very good if such changes are accepted into the core - it will work as a base for all possible ACL extensions.
I'm now trying to improve API protection in IntraACL (before today it was provided only by "Title hack" which returned "Access denied" instead of any real inaccessible Title object) - and it seems userCanRead() must be added in almost every ApiQuery*.php file :-X (ApiPageSet isn't used everywhere)
Do you have gerrit access? If you submit userCanRead() additions, I'll help you get them into core.
I agree that this is a good start.