Thanks for the tip, Ryan! I actually was already looking at your code (since we were originally going to authenticate via LDAP), but hadn't gotten to your groups processing. In fact, using basically the same approach as yours I simply update and save the group information in my AuthPlugin to mirror what's in TAM, and then created the appropriate access rights in LocalSettings, and it all works like a charm!
Thanks to all who replied!
Christopher M. Reigrut
Applications Systems Architect
Key Technology Services / KeyBank
1000 South McCaslin Boulevard
Superior, Colorado 80027
720-304-1049
----- Message from "Lane, Ryan" Ryan.Lane@ocean.navo.navy.mil on Mon, 10 Sep 2007 08:58:34 -0500 -----
To: "MediaWiki announcements and site admin list" <mediawiki-l@lists.wikimedia.org>
Subject: Re: [Mediawiki-l] External Authorization
Hi, all! I'm working on integrating Mediawiki with our internal access controls (specifically, Tivoli Access Manager). I have authentication working via a custom AuthPlugin, and now I'm starting on external authorization.
Our plan is to have two groups: Users and Administrators. These will be administered through Tivoli (and I'm already getting the groups during my auto-login process). IDs with neither group will have read-only access, IDs in the User group will be able to edit, move, etc, and Administrators will have the remaining access (basically, the same as Sysop).
What's the best way to accomplish this? userCan hooks? Modify User.php? Something else?
I'd really appreciate any insights you all might have!
See how the LDAP Authentication plugin does this (start tracing from the authenticate method). I actually accepted a patch for it, so I won't vouch for the code per se, but it does get the job done. Notice that there is currently a performance issue associated with it when dealing with large amounts of groups that will be fixed in the next version of the plugin.
V/r,
Ryan Lane
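The approach described in this thread (mirror the TAM groups onto MediaWiki groups inside the AuthPlugin, then grant rights per group in LocalSettings), as an added example that is not code from either poster or from the LDAP Authentication plugin. The class name `TamAuthPlugin`, the local group name `tam-user` and the `$tamGroups` property are assumptions; the TAM group names are the two named in the question.

```php
<?php
// --- LocalSettings.php: rights keyed to the mirrored groups ---
// IDs in neither TAM group stay read-only, so strip the write rights
// from the implicit '*' and 'user' groups (extend to upload etc. as needed).
$wgGroupPermissions['*']['edit']          = false;
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['user']['edit']       = false;
$wgGroupPermissions['user']['move']       = false;
// 'tam-user' is a hypothetical local group mirroring the TAM "Users" group.
$wgGroupPermissions['tam-user']['edit']   = true;
$wgGroupPermissions['tam-user']['move']   = true;
// TAM "Administrators" are mirrored onto the stock 'sysop' group.

// --- Plugin file: group sync only, authentication omitted ---
require_once "$IP/includes/AuthPlugin.php";

class TamAuthPlugin extends AuthPlugin {
    // TAM group name => MediaWiki group. Only these groups are managed.
    private static $managed = array(
        'Users'          => 'tam-user',
        'Administrators' => 'sysop',
    );
    // Hypothetical: filled by the auto-login code with this ID's TAM groups.
    public $tamGroups = array();

    // The login form calls updateUser() after authenticate() succeeds;
    // auto-login code has to call it itself.
    function updateUser( &$user ) {
        $wanted = array();
        foreach ( $this->tamGroups as $g ) {
            if ( isset( self::$managed[$g] ) ) {
                $wanted[] = self::$managed[$g];
            }
        }
        $current = $user->getGroups();
        // Revoke managed groups the ID no longer holds in TAM.
        foreach ( self::$managed as $local ) {
            if ( in_array( $local, $current ) && !in_array( $local, $wanted ) ) {
                $user->removeGroup( $local );
            }
        }
        // Grant managed groups that are missing locally.
        foreach ( array_diff( $wanted, $current ) as $local ) {
            $user->addGroup( $local );
        }
        return true;
    }
}
```

Because `sysop` is in the managed map, a sysop flag granted locally is removed at the next login unless the ID is in the TAM Administrators group; groups outside the map are left untouched.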