On 9/20/07, Christensen, Courtney ChristensenC@battelle.org wrote:
Mike Wrote:
I would like to add a similar disclaimer to our documentation but I would like to better understand the particular failure scenarios. Can someone provide an example?
http://www.mediawiki.org/wiki/Security_issues_with_authorization_extensions I found this while searching recently. It explains all the loopholes there may be for page viewing through restrictions.
Actually the more I think about this, I'm going to just dump page-based ACLs. It would be more appropriate to delegate access control to another module.
But ideally there should be a way to hook the access control primitives. In particular, our code has a very fast "plexcel_is_member_of" function that can determine if the currently logged in user is in the named Windows group. It would be delightful if an access control layer (either the existing one or one that is to be created in the future) could allow an extension to provide the implementation of this 'IsMemberOf' routine. Is there such a hook now? Obviously there are different groups with associated privileges now (e.g. Sysops, Bureaucrats, etc) so somewhere someone is doing something like IsMemberOf('Sysops').
For now, I guess I'll simply change the resource being protected from pages to the entire wiki. So it will be all-or-nothing. That will be secure but will allow us to use our fast Windows group checking.
Mike
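The arrangement Mike describes (protect the whole wiki rather than individual pages, and let an extension supply the group-membership check), sketched as an added LocalSettings.php fragment; this is example code, not from the thread, MediaWiki, or the Plexcel extension. It assumes the `plexcel_is_member_of` function named above exists and checks the current Windows user, that the `UserEffectiveGroups` hook is available in the MediaWiki version in use, and the Windows-to-wiki group mapping is constructed for illustration.

```php
<?php
// Added example LocalSettings.php fragment (not part of the original thread).
// Assumes plexcel_is_member_of( $groupName ) is provided by the Plexcel extension
// and returns true when the *currently authenticated* Windows user is in that group.

// 1. All-or-nothing: the protected resource is the wiki, not single pages.
//    Anonymous users can read nothing except the login page, which avoids the
//    page-level leaks (search, diffs, transclusion, ...) that per-page ACLs suffer.
$wgGroupPermissions['*']['read']          = false;
$wgGroupPermissions['*']['edit']          = false;
$wgGroupPermissions['*']['createaccount'] = false;
$wgWhitelistRead = array( 'Special:UserLogin' );

// 2. Let the fast Windows group check decide wiki group membership.
//    Constructed mapping: Windows group name => MediaWiki group name.
$wgWindowsGroupMap = array(
    'Wiki-Admins'  => 'sysop',
    'Wiki-Editors' => 'editor',
);

$wgHooks['UserEffectiveGroups'][] = 'plexcelEffectiveGroups';

/**
 * Add MediaWiki groups derived from Windows group membership.
 * Only applies to the user of the current request, because
 * plexcel_is_member_of() can only answer for the logged-in Windows user.
 */
function plexcelEffectiveGroups( $user, &$groups ) {
    global $wgUser, $wgWindowsGroupMap;

    if ( !$user->isLoggedIn() || $user->getId() !== $wgUser->getId() ) {
        return true; // nothing to add for anonymous or other users
    }
    foreach ( $wgWindowsGroupMap as $windowsGroup => $wikiGroup ) {
        if ( plexcel_is_member_of( $windowsGroup ) && !in_array( $wikiGroup, $groups ) ) {
            $groups[] = $wikiGroup;
        }
    }
    return true; // returning true lets any other handlers for this hook run
}
```

Because the hook only adds groups and never removes any, group membership granted through the normal wiki user-rights interface still applies alongside the Windows-derived groups.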