The upcoming 1.10 and lockdown extensions have many great security features, but unless I've missed something they don't extend to uploaded files. I'd like to create an environment where access to uploaded files can be restricted by namespace.

In the default MediaWiki, all files uploaded can be accessed if the URL is known by the default Internet User on all platforms. The concept I'm working with is to allow access only through PHP and then use the restrictions available through lockdown and 1.10. Thus the files could be accessed using the [media:] and [image:] (with MW protections), but an attempt to access directly via URL would result in a 401 error.

Before I launch down this path, has anyone tried this or some other approach and is there somewhere I could look for advice? If not, in the esteemed opinion of you, the listserv members, is it advisable to open an article for discussion and if so, where (mediawiki.org?).

BTW, saw this on the PHP site - http://us3.php.net/features.safe-mode, Warning: Safe Mode was removed in PHP 6.0.0. Don't want to go down a path that's going to be obsolete with release 6.0.0

I'm deeply grateful for the authors and of MediaWiki and the participants in this listserv. So please don't let this provoke rants about using a different tool - I'm willing to make the investment (if possible) and contribute the results back for general use.

Jack D. Pond CIO, Montgomery County, PA

"Excellent firms don't believe in excellence, only in constant improvement and constant change." -- Tom Peters (b. 1942)