We would like to be able to control permissions, specifically edit, of a page per namespace. While the permissions framework provides a mechanism to control permissions per group, it doesn't allow for permissions based on a resource.
Specifically I would like to be able to tie a permission triple to a group, 1) permission, 2) resource, 3) allow/deny. The current model is a double, 1) permission, 2) allow/deny. I think the change would be easy, but declaring the permissions in a variable array seems messy, but I can live with that for now.
The added bonus of this approach would eliminate a bunch of permission code. For example, in Title.php, this code would go away:
    if( NS_MEDIAWIKI == $this->mNamespace && !$wgUser->isAllowed('editinterface') ) {
        wfProfileOut( $fname );
        return false;
    }
And simply be replaced with the permission check.
The permission structure would become:
    /**
     * Permission keys given to users in each group.
     * All users are implicitly in the '*' group including anonymous visitors;
     * logged-in users are all implicitly in the 'user' group. These will be
     * combined with the permissions of all groups that a given user is listed
     * in in the user_groups table.
     *
     * The structure of this map is <group or *><permission><resource or *>
     * where group is a group, permission is a permission, and resource can be one of:
     * 1) namespace:<namespace>
     * 2) .... would we support categories?...
     **/
I think I can hack this into the code in one place, Title.php, in function userCan. Basically, at the end of the function I would check to see if a permission is defined for this resource, and if so check the permission for that resource. I haven't yet written the code so there may well be a better place.
Does this sound feasible, and if so, does it sound like something others want?
Thanks,
Dave
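
A sketch of the proposed group/permission/resource lookup, added here as an example; it is not code from the post or from MediaWiki. The map variable, the function name, the `namespace:<name>` keys and the precedence rule (exact resource beats `*`, an allow from any group wins at equal specificity, no rule means deny) are all assumptions.

```php
<?php
// Hypothetical map in the shape the post describes:
// group => permission => resource => allow (true) / deny (false).
$resourcePermissions = [
    '*'     => ['read' => ['*' => true],
                'edit' => ['*' => true, 'namespace:MediaWiki' => false]],
    'user'  => ['edit' => ['*' => true]],
    'sysop' => ['edit' => ['namespace:MediaWiki' => true]],
];

/**
 * Decide one (permission, resource) pair for a user's explicit groups.
 * Assumed precedence: a rule for the exact resource beats the '*' resource;
 * at equal specificity an allow from any group wins, which keeps group
 * membership additive. A deny-overrides rule would lock sysops out of the
 * map above, because every user is also in '*'.
 */
function resourceAllows(array $map, array $groups, string $permission, string $resource): bool
{
    $groups = array_unique(array_merge(['*'], $groups)); // everyone is in '*'
    foreach ([$resource, '*'] as $key) {
        $denied = false;
        foreach ($groups as $group) {
            if (!isset($map[$group][$permission][$key])) {
                continue; // this group says nothing about this resource
            }
            if ($map[$group][$permission][$key] === true) {
                return true; // an allow at this level settles it
            }
            $denied = true; // explicit deny at this level
        }
        if ($denied) {
            return false; // the deny shadows any wildcard grant
        }
    }
    return false; // no rule matched: fail closed
}

// Constructed checks mirroring the Title.php test on NS_MEDIAWIKI.
$cases = [
    'anonymous, ordinary page'  => [[], 'namespace:Main'],
    'logged in, interface page' => [['user'], 'namespace:MediaWiki'],
    'sysop, interface page'     => [['user', 'sysop'], 'namespace:MediaWiki'],
];
foreach ($cases as $label => [$groups, $resource]) {
    echo $label, ': ';
    var_dump(resourceAllows($resourcePermissions, $groups, 'edit', $resource));
}
```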