It shouldn't be too hard, I'm working on a similar hack myself (mine is slightly more complicated, as I want to give some groups read permission, some read-write, and each page can have more than 0-n groups in each. In other words, Unix style rw permission on pages). All you really need is a page to add people to groups (by adding them to the user_groups table), and you need to mark down the group of the editor in the table when you first create the page- either a new field in the table or in the page_restrictions field. Then change the Title::userCanEdit function to check if $wgUser is in the same group. If not, return false otherwise process as normal. I think that ought to be sufficient to do it.
Gabe
-----Original Message----- From: mediawiki-l-bounces@Wikimedia.org [mailto:mediawiki-l-bounces@Wikimedia.org] On Behalf Of Rob Church Sent: Friday, November 11, 2005 11:35 AM To: Matthias Hirsch-Hoffmann; MediaWiki announcements and site admin list Subject: Re: [Mediawiki-l] Page access restiction
The simple answer is no, not with the current software, and to be honest, it's almost guaranteed it will never support what you describe. You can either hack the software yourself, or you can search for an extension to do what you ask.
http://meta.wikimedia.org/wiki/Category:MediaWiki_extensions might be a good starting point; remember also Google is your friend.
Rob Church
On 11/11/05, Matthias Hirsch-Hoffmann mhh@ethz.ch wrote:
Hi all wikianers
My Newbie-Question on a Wiki 1.5 System: I have two groups, G1 and G2 with users. I want to set the permission as follow: All users can read all pages, created by users of G1 and G2. Only users of G1 can edit pages created by users of G1 and only users of G2 can edit pages created by users of G2.
Is there a way?
Thanks for your help. Regards Matthias Hirsch-Hoffmann ETH Zurich (Switzerland) mhh at ethz dot ch
MediaWiki-l mailing list MediaWiki-l@Wikimedia.org http://mail.wikipedia.org/mailman/listinfo/mediawiki-l
_______________________________________________ MediaWiki-l mailing list MediaWiki-l@Wikimedia.org http://mail.wikipedia.org/mailman/listinfo/mediawiki-l
I added an extension <restrict>Group or Users</restrict> and the page redirects if the user isn't in that group or user list.
- Matt H
----- Original Message ----- From: "Sechan, Gabe" sechan@amazon.com To: "MediaWiki announcements and site admin list" mediawiki-l@Wikimedia.org Sent: Friday, November 11, 2005 3:00 PM Subject: RE: [Mediawiki-l] Page access restiction
It shouldn't be too hard, I'm working on a similar hack myself (mine is slightly more complicated, as I want to give some groups read permission, some read-write, and each page can have more than 0-n groups in each. In other words, Unix style rw permission on pages). All you really need is a page to add people to groups (by adding them to the user_groups table), and you need to mark down the group of the editor in the table when you first create the page- either a new field in the table or in the page_restrictions field. Then change the Title::userCanEdit function to check if $wgUser is in the same group. If not, return false otherwise process as normal. I think that ought to be sufficient to do it.
Gabe
-----Original Message----- From: mediawiki-l-bounces@Wikimedia.org [mailto:mediawiki-l-bounces@Wikimedia.org] On Behalf Of Rob Church Sent: Friday, November 11, 2005 11:35 AM To: Matthias Hirsch-Hoffmann; MediaWiki announcements and site admin list Subject: Re: [Mediawiki-l] Page access restiction
The simple answer is no, not with the current software, and to be honest, it's almost guaranteed it will never support what you describe. You can either hack the software yourself, or you can search for an extension to do what you ask.
http://meta.wikimedia.org/wiki/Category:MediaWiki_extensions might be a good starting point; remember also Google is your friend.
Rob Church
On 11/11/05, Matthias Hirsch-Hoffmann mhh@ethz.ch wrote:
Hi all wikianers
My Newbie-Question on a Wiki 1.5 System: I have two groups, G1 and G2 with users. I want to set the permission as follow: All users can read all pages, created by users of G1 and G2. Only users of G1 can edit pages created by users of G1 and only users of G2 can edit pages created by users of G2.
Is there a way?
Thanks for your help. Regards Matthias Hirsch-Hoffmann ETH Zurich (Switzerland) mhh at ethz dot ch
MediaWiki-l mailing list MediaWiki-l@Wikimedia.org http://mail.wikipedia.org/mailman/listinfo/mediawiki-l
_______________________________________________ MediaWiki-l mailing list MediaWiki-l@Wikimedia.org http://mail.wikipedia.org/mailman/listinfo/mediawiki-l _______________________________________________ MediaWiki-l mailing list MediaWiki-l@Wikimedia.org http://mail.wikipedia.org/mailman/listinfo/mediawiki-l
MHart wrote:
I added an extension <restrict>Group or Users</restrict> and the page redirects if the user isn't in that group or user list.
This sounds like it will fail in numerous circumstances where text is shown without full parsing: * action=edit * action=raw * Special:Export * diff * text in Special:Newpages RSS feed * diff in Special:Recentchanges RSS feed * Search text extracts
and probably more.
In general, I strongly recommend against trying to hack in 'access restrictions' to MediaWiki. If you *need* them, you will likely end up with a very insecure system which will FAIL you. If you *don't* need them, then why bother?
If you *need* access restrictions, I recommend that you use some software which supports this explicitly. Don't just use MediaWiki because it sounds neat or it's the first wiki you saw; you should only use it if it's actually appropriate for your needs.
-- brion vibber (brion @ pobox.com)
On Tue, 2005-11-15 at 18:53 -0800, Brion Vibber wrote:
In general, I strongly recommend against trying to hack in 'access restrictions' to MediaWiki. If you *need* them, you will likely end up with a very insecure system which will FAIL you. If you *don't* need them, then why bother?
If you *need* access restrictions, I recommend that you use some software which supports this explicitly. Don't just use MediaWiki because it sounds neat or it's the first wiki you saw; you should only use it if it's actually appropriate for your needs.
I'd like to ask a clarifying question regarding this stance.
Let's say that someone got really gung-ho about implementing granular access control in MediaWiki. They choose MediaWiki because they really need markup compatibility and a lot of the other features.
There's a whole continuum of things that this someone/someones could do to accomplish and maintain this:
A. Submit patches for inclusion in mainline MediaWiki B. Submit patches to extend the MediaWiki core to allow for a security layer C. Submit patches to modularize/wrap some MediaWiki components (e.g. the parser) in a way that they can be used as libraries for an otherwise forked/rewritten wiki product D. Fork MediaWiki
I'm asking this only as a theoretical question for now. I've seen it come up on the list enough times, and I know that in my last job, I would have been keenly interested in this.
My hope would be that "B" would be the correct answer. In particular, if the hooks existed to extend/replace the core classes, I think one could plug a lot of holes in the security layer. The temptation would be to literally extend those classes (e.g. "class SecureArticle extends Article"), but I think that the security layer would actually need to reimplement the interface, so that when new calls are introduced, the secure implementation fails rather than "succeed" to deliver a page to an unauthorized source.
Rob
p.s. I coulda swore I asked this and even got an answer before, but didn't find it in my inbox. Sorry if this is a duplicate from a few months ago.
Asking again...
If someone were to get gung-ho about implementing access control measures in MediaWiki that go way beyond the immediate needs of Wikipedia, would you prefer that that person/group:
A. Submit patches for inclusion in mainline MediaWiki B. Submit patches to extend the MediaWiki core to allow for a security layer C. Submit patches to modularize/wrap some MediaWiki components (e.g. the parser) in a way that they can be used as libraries for an otherwise forked/rewritten wiki product D. Fork MediaWiki
Curious Robla
On Thu, 2005-11-17 at 18:20 -0800, Rob Lanphier wrote:
On Tue, 2005-11-15 at 18:53 -0800, Brion Vibber wrote:
In general, I strongly recommend against trying to hack in 'access restrictions' to MediaWiki. If you *need* them, you will likely end up with a very insecure system which will FAIL you. If you *don't* need them, then why bother?
If you *need* access restrictions, I recommend that you use some software which supports this explicitly. Don't just use MediaWiki because it sounds neat or it's the first wiki you saw; you should only use it if it's actually appropriate for your needs.
I'd like to ask a clarifying question regarding this stance.
Let's say that someone got really gung-ho about implementing granular access control in MediaWiki. They choose MediaWiki because they really need markup compatibility and a lot of the other features.
There's a whole continuum of things that this someone/someones could do to accomplish and maintain this:
A. Submit patches for inclusion in mainline MediaWiki B. Submit patches to extend the MediaWiki core to allow for a security layer C. Submit patches to modularize/wrap some MediaWiki components (e.g. the parser) in a way that they can be used as libraries for an otherwise forked/rewritten wiki product D. Fork MediaWiki
I'm asking this only as a theoretical question for now. I've seen it come up on the list enough times, and I know that in my last job, I would have been keenly interested in this.
My hope would be that "B" would be the correct answer. In particular, if the hooks existed to extend/replace the core classes, I think one could plug a lot of holes in the security layer. The temptation would be to literally extend those classes (e.g. "class SecureArticle extends Article"), but I think that the security layer would actually need to reimplement the interface, so that when new calls are introduced, the secure implementation fails rather than "succeed" to deliver a page to an unauthorized source.
Rob
p.s. I coulda swore I asked this and even got an answer before, but didn't find it in my inbox. Sorry if this is a duplicate from a few months ago.
MediaWiki-l mailing list MediaWiki-l@Wikimedia.org http://mail.wikipedia.org/mailman/listinfo/mediawiki-l
It seems that many people need this feature. Since I published this patch (http://conseil-recherche-innovation.net/index.php/1974/04/11/41-restrict-pag...), we have 25% of visits on this single article. Generaly people need restriction feature to manage small wikis, private intranets. I guess they choose mediawiki for the syntax, templates, and reliabilty/community support, and not for the ability to manage projects as big as wikipedia nor encyclopedies.
From a wikipedia point of view, I think nobody wants more restriction features (protect is enough). We cannot polute the core of MW with features not useful for WP, it's difficult to maintain patches for ages, and it's not necessary to carry WP specific features in a forked project. So my choice would be a fifth... E. To write some specifications from needs, abstract the problem, and start a new project :) Any ideas ?!...
Read you, Jej
Asking again...
If someone were to get gung-ho about implementing access control measures in MediaWiki that go way beyond the immediate needs of Wikipedia, would you prefer that that person/group:
A. Submit patches for inclusion in mainline MediaWiki B. Submit patches to extend the MediaWiki core to allow for a security layer C. Submit patches to modularize/wrap some MediaWiki components (e.g. the parser) in a way that they can be used as libraries for an otherwise forked/rewritten wiki product D. Fork MediaWiki
Curious Robla
On 11/22/05, Jej jejc@free.fr wrote:
It seems that many people need this feature. Since I published this patch (http://conseil-recherche-innovation.net/index.php/1974/04/11/41-restrict-pag...), we have 25% of visits on this single article. Generaly people need restriction feature to manage small wikis, private intranets. I guess they choose mediawiki for the syntax, templates, and reliabilty/community support, and not for the ability to manage projects as big as wikipedia nor encyclopedies.
From a wikipedia point of view, I think nobody wants more restriction features (protect is enough). We cannot polute the core of MW with features not useful for WP, it's difficult to maintain patches for ages, and it's not necessary to carry WP specific features in a forked project. So my choice would be a fifth... E. To write some specifications from needs, abstract the problem, and start a new project :) Any ideas ?!...
I think it would be nice to have everything contributed into the core wikipedia project itself, with a simple switch to disable things, so that the wikimedia projects aren't, for once, themselves forced to have a community feature.. as opposed to them forcing features on the community. ;)
Or rather, the traditional "protect" feature would eventually just mean "protect against writes from those not in the administrators group"..
There *could* be core security and code tidyness benefits from rewriting portions of the way mediawiki handles things.
If a new project was branched off.. it would have to keep up with all the code changes from the mother project, which won't work for very long. Take a look at fluxbox, for example.. blackbox shifted and they're now far behind -- unable to import the styles and such from blackbox, which they still claim to be able to do. That's why I'd be strongly against the notion. .. unless MediaWiki was reimplemented in Ruby/postgres.. *hides* ;)
On Tue, 2005-11-22 at 10:48 +0100, Jej wrote:
It seems that many people need this feature. Since I published this patch (http://conseil-recherche-innovation.net/index.php/1974/04/11/41-restrict-pag...), we have 25% of visits on this single article. Generaly people need restriction feature to manage small wikis, private intranets. I guess they choose mediawiki for the syntax, templates, and reliabilty/community support, and not for the ability to manage projects as big as wikipedia nor encyclopedies.
I've added the link you provided to the following page:
http://meta.wikimedia.org/wiki/Access_control
...and I propose using the meta page as a hub for activities on this subject.
From a wikipedia point of view, I think nobody wants more restriction features (protect is enough). We cannot polute the core of MW with features not useful for WP, it's difficult to maintain patches for ages, and it's not necessary to carry WP specific features in a forked project. So my choice would be a fifth... E. To write some specifications from needs, abstract the problem, and start a new project :) Any ideas ?!...
Actually, that's just proposing a process for determining which of A-D to select from. Not that I think it's a bad idea to do that, but I don't think that agreeing to a process absolves anyone from the responsibility of picking an approach.
Are you volunteering to start the new project? It looks like you've got a really good start with your patch.
Rob
Asking again...
If someone were to get gung-ho about implementing access control measures in MediaWiki that go way beyond the immediate needs of Wikipedia, would you prefer that that person/group:
A. Submit patches for inclusion in mainline MediaWiki B. Submit patches to extend the MediaWiki core to allow for a security layer C. Submit patches to modularize/wrap some MediaWiki components (e.g. the parser) in a way that they can be used as libraries for an otherwise forked/rewritten wiki product D. Fork MediaWiki
Curious Robla
Rob Lanphier wrote:
If someone were to get gung-ho about implementing access control measures in MediaWiki that go way beyond the immediate needs of Wikipedia, would you prefer that that person/group:
A. Submit patches for inclusion in mainline MediaWiki B. Submit patches to extend the MediaWiki core to allow for a security layer C. Submit patches to modularize/wrap some MediaWiki components (e.g. the parser) in a way that they can be used as libraries for an otherwise forked/rewritten wiki product D. Fork MediaWiki
The main thing is that we (at least I ;) don't want to have to maintain code that's totally useless to us, and a security layer adds maintenance obligations to that useless-to-us code (if there's a hole, we have to patch it and issue new releases, and if it exists people are more likely to want to rely on it, increasing the weight of the obligation). Thus my knee-jerk reaction is D; if somebody wants to maintain such a beast, let them.
B. is possibly appropriate though; I hacked in the AuthPlugin so people could work on things like the LDAP and other custom authentication interop things separately from the main code, without adding too much to the core code complexity (and others have helped improve it, and it could probably still use improvement ;)
It _might_ make sense to have a similar access control interface which can then be plugged in, though I'm not sure how much plugging would really need to be done if the infrastructure for all the plug points would actually be there.
Jej wrote:
So my choice would be a fifth... E. To write some specifications from needs, abstract the problem, and start a new project :) Any ideas ?!...
Specs and abstractions are always nice to have before one starts. ;)
-- brion vibber (brion @ pobox.com)
On 11/11/05, Sechan, Gabe sechan@amazon.com wrote:
It shouldn't be too hard, I'm working on a similar hack myself (mine is slightly more complicated, as I want to give some groups read permission, some read-write, and each page can have more than 0-n groups in each. In other words, Unix style rw permission on pages). All you really need is a page to add people to groups (by adding them to the user_groups table), and you need to mark down the group of the editor in the table when you first create the page- either a new field in the table or in the page_restrictions field. Then change the Title::userCanEdit function to check if $wgUser is in the same group. If not, return false otherwise process as normal. I think that ought to be sufficient to do it.
Hey Gabe.. is there a homepage for this hack, where I can keep an eye on it?
mediawiki-l@lists.wikimedia.org