I have to explain a little bit more our situation... We have documents for:
1 - General documents (I will call them DOC_A)
2 - More sensitive documents (I will call them DOC_B)
For DOC_A, well, no problem: each user of the wiki can read them.
For DOC_B: we have several "sub-categories", where each sub-category is one of our customers and where each one must be read only by the IT technicians (TECH_x) who are supporting this customer. This means that TECH_A will be able to read DOC_A and only one category under DOC_B, and that TECH_B will be able to read DOC_A and another category under DOC_B. So in fact, we have:

1.0 DOC_A (read for all users)
2.0 DOC_B
2.1 DOC_B_CUSTOMER_1 (read by TECH_A)
2.2 DOC_B_CUSTOMER_2 (read by TECH_B)
2.3 DOC_B_CUSTOMER_3 (read by TECH_C)
2.4 DOC_B_CUSTOMER_4 (read by TECH_D)
2.5 DOC_B_CUSTOMER_5 (read by TECH_E)
2.6 DOC_B_CUSTOMER_6 (read by TECH_F)
2.7 DOC_B_CUSTOMER_7 (read by TECH_G)
Etc...

Tons of customers...:
1- so tons of wikis???
2- if multiple wikis, this implies also that one of our techs who works for CUSTOMER_1, 2 and 5 will have to log in to several wikis to get a bit of information on each one? Lost time, no? Even with a shared user database, our tech will have to do multiple logins?
That's why I tested LockDown, after reading these 2 pages (and trying to understand... I'm a newbie in all this...):
https://www.mediawiki.org/wiki/Security_issues_with_authorization_extensions
https://www.mediawiki.org/wiki/Category:Page_specific_user_rights_extensions
Well... it seems that I'm not too bad in English :-)
-----Original Message-----
From: mediawiki-l-bounces@lists.wikimedia.org [mailto:mediawiki-l-bounces@lists.wikimedia.org] On Behalf Of Jeremy Baron
Sent: Saturday, August 10, 2013 1:48 PM
To: MediaWiki announcements and site admin list
Subject: Re: [MediaWiki-l] Mediawiki as an Enterprise wiki

On Sat, Aug 10, 2013 at 4:15 PM, Pierre Labrecque pierre.labrecque@live.ca wrote:
> 1- create a page "FOO1:Procedure To do this" and give general information on it, accessible to all users... and on "FOO1:Procedure to do this" we put a link to "FOO2:SecretPasswords"
> 2- if the user needs the passwords, he clicks on "FOO2:SecretPasswords". If he has access to the FOO2 namespace (as defined in the LockDown parameters, in LocalSettings), all is ok for him and he has access to the page. If he doesn't, then he receives an access denied. Make sense for you?

Bottom line is most (all?) of these security extensions (e.g. LockDown) have either not had WMF security review or have not passed. The known good, very effective and secure way to do this is 2 separate wikis with interwiki links between them (and different sets of people can log in to each one).

The WMF config for private fishbowls is published so you can copy from there. ( https://noc.wikimedia.org/conf/ https://git.wikimedia.org/summary/?r=operations/mediawiki-config.git ; `git grep` is your friend! )

You should make sure that the wikis are on different domains and cookies set by either wiki are not accessible by the other one.

You could have exactly the same setup described above (which I quoted) using 2 separate wikis. FOO1 and FOO2 are different wikis. FOO2 at FOO1 is not a namespace but rather is an interwiki link.
-Jeremy
_______________________________________________
MediaWiki-l mailing list
MediaWiki-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
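
The cookie-separation advice in the quoted reply can be checked mechanically. The following is an added example, not part of the thread or of MediaWiki: it applies RFC 6265 domain and path matching to the Set-Cookie headers one wiki sends and reports which cookies a browser would also send to the other wiki. The hostnames, cookie name and helper names are constructed for illustration.

```python
from typing import List, NamedTuple, Optional

class Cookie(NamedTuple):
    name: str
    domain: Optional[str]  # None means host-only (no Domain attribute)
    path: str
    origin_host: str

def parse_set_cookie(header_value: str, origin_host: str) -> Cookie:
    """Extract name, Domain and Path from one Set-Cookie header value."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    domain, path = None, "/"  # simplification: a missing Path is treated as "/"
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain" and val:
            domain = val.lstrip(".").lower()  # browsers ignore a leading dot
        elif key == "path" and val.startswith("/"):
            path = val
    return Cookie(name, domain, path, origin_host.lower())

def domain_match(host: str, cookie: Cookie) -> bool:
    """Host-only cookies need an exact host; Domain cookies also match subdomains."""
    host = host.lower()
    if cookie.domain is None:
        return host == cookie.origin_host
    return host == cookie.domain or host.endswith("." + cookie.domain)

def path_match(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 path-match: equal, or a prefix ending at a '/' boundary."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"

def cookies_visible_to(headers: List[str], origin_host: str,
                       other_host: str, other_path: str = "/") -> List[str]:
    """Names of cookies set by origin_host that would also be sent to other_host."""
    cookies = [parse_set_cookie(h, origin_host) for h in headers]
    return [c.name for c in cookies
            if domain_match(other_host, c) and path_match(other_path, c.path)]

# Constructed sample data: two wikis under one parent domain.
PUBLIC, PRIVATE = "wiki-public.example.org", "wiki-private.example.org"
SHARED = ["pubwiki_session=abc123; Domain=.example.org; Path=/; HttpOnly"]
HOST_ONLY = ["pubwiki_session=abc123; Path=/; HttpOnly"]

if __name__ == "__main__":
    print("Domain=.example.org reaches private wiki:", cookies_visible_to(SHARED, PUBLIC, PRIVATE))
    print("Host-only cookie reaches private wiki:", cookies_visible_to(HOST_ONLY, PUBLIC, PRIVATE))
```

An empty list for both directions (public to private and private to public) is the result to aim for.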