-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Moritz Karbach wrote: | as my very private Wiki grew larger, a few people liked to use it as well. So | I needed to protect the sites, that are really private. Since some kind of | user rights is scheduled for version 1.5, here comes a quickhack:
If your sites are really private, you should not use MediaWiki to hold them. It's really, really not designed to hide information.
| Wiki Version: 1.3.5 (maybe it works on later versions as well)
You should upgrade to 1.3.9 immediately, as there are potentially exploitable security holes in 1.3.5.
| Insert the following into Title.php, function userCanRead(), right after the | globals have been defined (for me it's line 550): | | # inserted by m:o | global $wgRequireUser; | $siteName = $this->getPrefixedText(); # pagename | $requiredUser = $wgRequireUser[$name];
Note that the above line doesn't seem to do anything, and produces two PHP notice warnings if error_level is set to E_ALL. (Undefined variable $name, and undefined array index.)
[remainder of code snipped]
| Maybe someone can comment on possible disadvantages or security holes?
An insecure page containing a template inclusion can extract the hidden page's text, like {{:Hauptseite:private}} or {{:Tbd}}.
- -- brion vibber (brion @ pobox.com)