Hi,
Our PHP extension has a way of checking group membership in Active Directory (gets group SIDs from the Kerberos PAC which is v. fast). I've been asked countless times to incorporate this into our corresponding MediaWiki extension but there are two problems:
1) MW is not designed to protect individual resources as there are multiple ways to access the same content using different resource identifiers (e.g. via export, images are served statically, ... etc).
2) MW does not appear to offer any group related extension "hooks".
So 1 pretty much rules out any kind of page based access control.
However, I was wondering if there was anywhere else our group membership checks could be employed safely?
For example, mapping of $wgGroupPermissions groups to groups of the external authority (e.g. Active Directory in our case) could be performed by having a group map like:
    $myGroupMap = array(
        '*' => 'EXAMPLE\Domain Users',
        'user' => 'EXAMPLE\My Wiki Users',
        'bureaucrat' => 'EXAMPLE\My Wiki Bureaucrats',
    );
Then, at authentication time the $wgGroupPermissions array could be populated based on whether or not the user is in these groups like:
    foreach ($myGroupMap as $mwGroup => $adGroup) {
        if (plexcel_is_member_of($adGroup)) {
            $wgGroupPermissions[$mwGroup] = ???
        }
    }
It seems dynamically adding people to MW groups does not degrade the existing security mechanisms of MW.
Of course the '???' part is a blur - are there any hooks for this sort of thing?
Are there any hooks or other ways to engage our extension's snappy group membership checking?
Mike
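
Added example (not part of the original message and not the extension's own code): one way to turn the group map above into a per-user list of wiki groups, failing closed when a directory lookup errors. It assumes MediaWiki's default implicit groups ('*', 'user', 'autoconfirmed') are assigned by the wiki itself and skips them; resolveWikiGroups and the stub membership check standing in for plexcel_is_member_of are hypothetical names.

```php
<?php
declare(strict_types=1);

// Groups MediaWiki assigns on its own (default $wgImplicitGroups); membership
// in them cannot be granted, so map entries for them are skipped here.
const IMPLICIT_GROUPS = ['*', 'user', 'autoconfirmed'];

/**
 * Return the wiki groups whose mapped directory group contains the user.
 * $isMember stands in for plexcel_is_member_of(); hypothetical signature:
 * callable(string $adGroup): bool.
 */
function resolveWikiGroups(array $groupMap, callable $isMember): array
{
    $granted = [];
    foreach ($groupMap as $mwGroup => $adGroup) {
        if (in_array($mwGroup, IMPLICIT_GROUPS, true)) {
            continue;
        }
        try {
            // Only a strict boolean true counts as membership.
            $ok = ($isMember($adGroup) === true);
        } catch (Throwable $e) {
            $ok = false; // lookup failure: fail closed, grant nothing
        }
        if ($ok) {
            $granted[] = $mwGroup;
        }
    }
    return $granted;
}

// Group map as given in the message above.
$myGroupMap = [
    '*' => 'EXAMPLE\Domain Users',
    'user' => 'EXAMPLE\My Wiki Users',
    'bureaucrat' => 'EXAMPLE\My Wiki Bureaucrats',
];

// Constructed sample data: directory groups of the authenticated principal.
$sampleMemberships = ['EXAMPLE\Domain Users', 'EXAMPLE\My Wiki Bureaucrats'];
$check = static function (string $adGroup) use ($sampleMemberships): bool {
    return in_array($adGroup, $sampleMemberships, true);
};

// The result is per-user membership; $wgGroupPermissions (group => rights,
// shared by all users) is left untouched.
print_r(resolveWikiGroups($myGroupMap, $check));
```

In a MediaWiki deployment the returned list would be merged into the user's groups from a hook handler such as UserEffectiveGroups; that wiring is an assumption and is not shown.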