Hi all!
I'm helping set up a MediaWiki for a site. Unfortunately, it's in a fairly drama-filled environment, where plagiarism is so common as to make us feel that we'd like to protect how we did certain things. Our wiki uses a lot of SQL integration and took a while to set up, and other wikis in the hobby don't use SQL a lot. To make a long story short, we want to prevent those competing sites from just copypasting our SQL code and reverse-engineering how we did things from that. If they want to figure it out on their own they certainly can, but we don't want people to just take our code.
Luckily, by virtue of how the site is handled, the wiki doesn't allow anyone but the administrators to make or edit pages. That means we disabled account creation, and to protect certain pages (like history and view source) using the Lockdown extension, we simply restricted their access to the Users group.
Sadly, it's still possible to catch the wiki code of our pages using the Diff parameter, and no doubt a few other pages. We disabled Special:Export and Special:Compare, for example. But using any page that lists edits, like Recent Changes, people can just compare two old versions of a page and see the raw wiki code.
How would one go about preventing access to the Diff parameter unless they're a User? Are there other ways to grab the raw wiki source code we should know about?
I know this is against MediaWiki's usual open source policy. I apologize! But if you could still help it'd be greatly appreciated.
Honestly, at that point, you'd probably be better off setting up some sort of proxy thing, where non-logged-in users view some sort of proxy that only proxies the page view (not allowing any URL parameters through or viewing any special pages), and logged-in users actually deal with MW.
The biggest thing you missed is probably ?action=raw. Special:Expandtemplates is also another vector (via {{msgnw:page name here}}). I assume you've also disabled the API.
There's probably a lot of others. MediaWiki is not designed to hide the wikitext source of pages.
-- Brian
On Wed, Jan 10, 2018 at 7:01 AM, Drium Yrvak driumyrvak@gmail.com wrote:
> Hi all!
> I'm helping set up a MediaWiki for a site. Unfortunately, it's in a fairly drama-filled environment, where plagiarism is so common as to make us feel that we'd like to protect how we did certain things. Our wiki uses a lot of SQL integration and took a while to set up, and other wikis in the hobby don't use SQL a lot. To make a long story short, we want to prevent those competing sites from just copypasting our SQL code and reverse-engineering how we did things from that. If they want to figure it out on their own they certainly can, but we don't want people to just take our code.
> Luckily, by virtue of how the site is handled, the wiki doesn't allow anyone but the administrators to make or edit pages. That means we disabled account creation, and to protect certain pages (like history and view source) using the Lockdown extension, we simply restricted their access to the Users group.
> Sadly, it's still possible to catch the wiki code of our pages using the Diff parameter, and no doubt a few other pages. We disabled Special:Export and Special:Compare, for example. But using any page that lists edits, like Recent Changes, people can just compare two old versions of a page and see the raw wiki code.
> How would one go about preventing access to the Diff parameter unless they're a User? Are there other ways to grab the raw wiki source code we should know about?
> I know this is against MediaWiki's usual open source policy. I apologize! But if you could still help it'd be greatly appreciated.
> _______________________________________________
> MediaWiki-l mailing list
> To unsubscribe, go to: https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
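The allow-list decision that such a proxy would make for non-logged-in requests, as an added example that is not part of the original thread or of MediaWiki's code. It assumes the `/wiki/<title>` short-URL layout and only the English `Special` namespace name; the function and constant names are hypothetical.

```python
from urllib.parse import unquote, urlsplit

# Assumptions (not from the thread): articles are served under /wiki/<title>,
# and only the canonical English "Special" namespace name is in use.
ARTICLE_PREFIX = "/wiki/"
BLOCKED_NAMESPACES = {"special"}  # add localized aliases if the wiki has any


def anonymous_request_allowed(method: str, raw_target: str) -> bool:
    """Return True only for a parameter-free page view of a non-special page."""
    if method not in ("GET", "HEAD"):
        return False
    # diff=, oldid=, action=raw and title= can only arrive through a query
    # string, so any "?" at all (even a bare one) is refused.
    if "?" in raw_target:
        return False
    parts = urlsplit(raw_target)
    if parts.scheme or parts.netloc:
        return False
    # Everything outside the article path (index.php, api.php, ...) is refused.
    if not parts.path.startswith(ARTICLE_PREFIX):
        return False
    # Decode once and normalise defensively (underscores as spaces, leading
    # colon, case) so "special%3AExport" is judged like "Special:Export".
    title = unquote(parts.path[len(ARTICLE_PREFIX):]).replace("_", " ")
    title = title.strip().lstrip(": ")
    if not title or any(ord(ch) < 32 for ch in title):
        return False
    # Subpages contain "/", but dot segments could escape the article path.
    if any(seg in (".", "..") for seg in title.split("/")):
        return False
    namespace, sep, _ = title.partition(":")
    if sep and namespace.strip().lower() in BLOCKED_NAMESPACES:
        return False
    return True


# Constructed sample requests, not taken from any real log.
SAMPLES = [
    ("GET", "/wiki/Main_Page"),
    ("GET", "/wiki/Main_Page?diff=12&oldid=11"),
    ("GET", "/wiki/special%3AExpandTemplates"),
    ("GET", "/index.php?title=Main_Page&action=raw"),
]

if __name__ == "__main__":
    for method, target in SAMPLES:
        print(anonymous_request_allowed(method, target), method, target)
```

This covers only the page-view decision; asset requests such as `load.php` need their own rule, and logged-in sessions go to MediaWiki directly as the message describes.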
We did indeed disable all non-view actions for people who aren't Users, so that includes raw.
We didn't disable Special:Expandtemplates, so thanks for pointing that out! The API is indeed disabled.
I thought about doing the proxy thing but that was starting to be a lot of trouble. We might have to tear open whatever file the parameters are in and hack apart Diff there, if there's no other way.
On Wed, Jan 10, 2018 at 3:01 AM, Brian Wolff bawolff@gmail.com wrote:
> Honestly, at that point, you'd probably be better off setting up some sort of proxy thing, where non-logged-in users view some sort of proxy that only proxies the page view (not allowing any URL parameters through or viewing any special pages), and logged-in users actually deal with MW.
> The biggest thing you missed is probably ?action=raw. Special:Expandtemplates is also another vector (via {{msgnw:page name here}}). I assume you've also disabled the API.
> There's probably a lot of others. MediaWiki is not designed to hide the wikitext source of pages.
> -- Brian