Hi,
I would like to add page based ACLs to my AuthPlugin and I think I've devised a relatively simple and elegant way which is illustrated below (the example uses Windows group and user names but I think this would work equally well in something like the LdapAuthentication plugin with DNs). I would appreciate any feedback or guidance as to the security and sanity of the implementation.
In LocalSettings one initializes the AuthPlugin and loads the ACLs:
    $wgAuth = new PlexcelAuth();
    $wgAuth->page_acls['EmployeeWorkLog'] = array( 'rbaker@example.com' );
    $wgAuth->page_acls['Trial*'] = array( 'trials.example.com\Managers', 'Executive Compliance' );
    $wgAuth->page_acls['*'] = array( 'lwatts@example.com' => 'DENY', 'Lab Temps' => 'DENY', 'RadWiki Users', 'trials.example.com\Managers' );
In our AuthPlugin class I have a method that checks access. If $_GET['title'] matches a pattern the corresponding ACL is chosen and evaluated:
    function checkAccess($acls, $target) {
        foreach ($acls as $pattern => $acl) {
            // Treat the pattern as a '*' glob: quote everything else and anchor it,
            // so 'Trial*' matches titles beginning with "Trial" and '*' matches any title
            $regex = '/^' . str_replace('\*', '.*', preg_quote($pattern, '/')) . '$/';
            if (preg_match($regex, $target)) {
                foreach ($acl as $key => $val) {
                    if ($val == 'DENY') {
                        // 'name' => 'DENY' entry: deny if the user is name or a member of group name
                        if (plexcel_is_member_of($this->px, $key)) {
                            return FALSE;
                        }
                    } else {
                        // plain entry: allow if the user is name or a member of group name
                        if (plexcel_is_member_of($this->px, $val)) {
                            return TRUE;
                        }
                    }
                }
                // no entry applied: continue with the later patterns (e.g. '*')
            }
        }
        return FALSE;
    }
Now whenever the AutoAuthenticate hook or AuthPlugin::authenticate function is successful, the checkAccess method is called:
    if (!isset($_GET['title']) || !$this->checkAccess($this->page_acls, $_GET['title'])) {
        header('Location: PlexcelAccessDenied');
        return FALSE;
    }
This seems pretty simple to me. Comments?
Thanks, Mike
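To make the evaluation rules concrete, here is an added Python model of the scheme (not the Plexcel plugin's own code). It uses a constructed in-memory directory in place of plexcel_is_member_of, and differs from the posted PHP in two ways: the pattern is an anchored '*' glob rather than a raw regex, and a matched pattern's ACL is final (DENY entries checked first, then ALLOW, then default deny), so a page with its own entry never falls through to '*'.

```python
import re

# Constructed user/group directory; stands in for plexcel_is_member_of().
DIRECTORY = {
    "rbaker@example.com": {"RadWiki Users"},
    "lwatts@example.com": {"RadWiki Users", "trials.example.com\\Managers"},
    "tsmith@example.com": {"RadWiki Users", "Lab Temps"},
    "jdoe@example.com": {"trials.example.com\\Managers"},
}

# The ACLs from the post, as (pattern, [(principal, effect), ...]) in listed order.
PAGE_ACLS = [
    ("EmployeeWorkLog", [("rbaker@example.com", "ALLOW")]),
    ("Trial*", [("trials.example.com\\Managers", "ALLOW"),
                ("Executive Compliance", "ALLOW")]),
    ("*", [("lwatts@example.com", "DENY"), ("Lab Temps", "DENY"),
           ("RadWiki Users", "ALLOW"), ("trials.example.com\\Managers", "ALLOW")]),
]


def is_member_of(user, principal):
    """True if principal is the user itself or one of the user's groups."""
    return principal == user or principal in DIRECTORY.get(user, set())


def glob_to_regex(pattern):
    """Anchored regex for a '*' glob; every other character is literal.

    Passing the glob to a regex engine unchanged would make 'Trial*' mean
    'Tria' plus any number of 'l', and leave 'EmployeeWorkLog' unanchored.
    """
    return re.compile(re.escape(pattern).replace(r"\*", ".*"))


def check_access(acls, user, title):
    """First pattern matching the title decides; DENY beats ALLOW."""
    for pattern, acl in acls:
        if not glob_to_regex(pattern).fullmatch(title):
            continue
        if any(e == "DENY" and is_member_of(user, p) for p, e in acl):
            return False
        if any(e == "ALLOW" and is_member_of(user, p) for p, e in acl):
            return True
        # Matched pattern but no entry applies: default deny, and do NOT
        # fall through to a later, broader pattern such as '*'.
        return False
    return False
```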
If anyone's interested I have implemented this in the Plexcel AuthPlugin. I also made the license BSD so that it can be freely copied into other extensions.
Mike
On Sat, 9 Jun 2007 00:30:11 -0400 Michael B Allen mba2000@ioplex.com wrote:
-- Michael B Allen PHP Active Directory Kerberos SSO http://www.ioplex.com/
MediaWiki-l mailing list MediaWiki-l@lists.wikimedia.org http://lists.wikimedia.org/mailman/listinfo/mediawiki-l