At 3/7/2005 01:11 AM, Brion Vibber wrote:
Your private information *will* be compromised, and you will kick yourself.
There is no such thing as "secure" anyway, anything can be compromised. Now just how bad can it be compromised on a Wiki I dunno, but I'm not talking credit card numbers here anyway, I'm not even talking putting that in any official release of course, but at least hooks would help. In any case, I'm not sure I need a 30 lines disclaimer, I can take that responsibility :)
On the other end, here is a simple question then: what are functions like userCanRead() and userCanEdit() for, if, at the end of the day, they don't guarantee what they are supposed to do ? Either those 2 functions work, either they don't. They are used already, after all. If they don't, it does not look to me as a deliberate "lack of feature", or "indent not to do it in MediaWiki", but it looks to me like one or more bug(s). Excuse my french, but don't you want that part to be addressed, or at least made more robust ? Now if you are telling me that you don't want more help or more eyes to check the code, then fair enough.
In any case, I should not have used "ACL" in the subject, it is way beyond what I would like to do. What I'm talking about here is nothing more than a small layer on top of the ::userCan() functionality to allow users to be in group(s). The idea is, when ::userCan($action) is called, the restrictions for a user are checked as usual, but an additional check is done (as a hook) to see if he is part of a group, and the restrictions for that group are checked too. I guess a proof of concept could be as simplistic as having that group be a regular user (so that you can set the restrictions of a group just like you set it for a user), and add an extra file/database to link users to that "special user = group". Now that does not look like rocket science to me as an extension, I just need to leverage ::userCan($action), and again, either it works, either it does not, in the later case I'm willing to take a look at it.
-- Sebastien Barre