On Wed, 2 Feb 2005 12:35:35 +0100, Moritz Karbach mailinglist@karba.ch wrote:
the template security hole doesn't occur any more (pages aquire the categories of a template).
Unforturnately, I've found 2 major problems with this:
Firstly, it allows any user to lock themselves [and just about everyone else] out of any page: either directly, by adding [[Category:Name of private category]] or indirectly, by adding {{:Name of page which is already in private category}}. This hands a rather large license for mayhem to any vandals you encounter.
Secondly, the content can be viewed by using the "preview" function: edit any page, add {{:Name of supposedly private page}}, and click preview. Because the page hasn't been saved, it doesn't belong to the new category as far as getParentCategories() is concerned (because that function gets its info straight out of the database).
It seems to me that your first approach, based on the *title* of the article, is a more sensible one, because I don't see how you could prevent a user from adding something to a category. But I think to be effective, you'll need to add at least:
* a test in the template/inclusion code - even if only to ban private pages from being included full stop (since working out whether two pages are in the same private set is not necessarily simple).
* a test in the page move code - like with adding a category, you don't want people to be able to rename a perfectly ordinary article such that it is now "private", unless they are among those capable of viewing it in its new location (and therefore moving it back). [I suppose you could simply ban all but a few users from renaming pages, but that seems a little draconian...]
So much for the quick hack I guess :( Perhaps it would be best to look into building this round the new user rights system after all, so you don't have to go back and rewrite it all when 1.5 hits.