On Wed, Feb 1, 2017 at 3:19 AM David Gerard dgerard@gmail.com wrote:
This is pretty much the "hard shell, tasty soft centre" security model. Is this a desperately unsafe thing to do? Has anyone else done this or something like it?
We do this every single day at Wikimedia. Think of the private wikis--ones for Arbcom, Office, etc etc etc. They're internet-accessible but locked down to anonymous users.
Just deny read permissions to anons and as long as you trust the login method (in your case, Google) you should be fine. You can also whitelist Main_Page to give people a warning and instructions to login.
-Chad