Hi all!
About ACLs - do you know about our "IntraACL" extension? (based on earlier one "HaloACL" by ontoprise company)
https://github.com/mediawiki4intranet/IntraACL/
It has full protection of pages for reading via core patches, in listings and etc; ACLs can be configured on a page, category or namespace basis.
"Stable" version consists of a totally rewritten UI and a modified HaloACL backend (though not so heavily modified). Now we use it on our corporate wikis.
But just like the UI was, HaloACL backend is also designed very poorly (it's slow and it's written too verbosely), so now I'm doing a total rewrite of it - it's in the "storage-rewrite" git branch. It's almost ready, I should just test it and add some additional maintenance features. Automated tests are also in development now.
Of course the extension isn't perfect - there are some ideological problems, for example some combinations of page/category/namespace rights are not always obvious for users (and there are 3 override modes); page/category/namespace ACLs are a mess if you want to really restrict editing of ACLs themselves; also, now there is a hardcode - "sysop" and "bureaucrat" MW groups are always super-users.
But assuming you have no people that want to _really_ abuse your right system - which is usually a correct assumption in corporate environment - the extension is good enough for everyday use.
So! :)
Everyone is welcome to test it and tell us about good ideas if you have some :) (my main question which I can't really solve by myself is - what right system would be really convenient to use in MediaWiki's flat page structure with categories?)