Hi,
Our PHP extension has a way of checking group membership in Active Directory (gets group SIDs from the Kerberos PAC which is v. fast). I've been asked countless times to incorporate this into our corresponding MediaWiki extension but there are two problems:
1) MW is not designed to protect individual resources as there are multiple ways to access the same content using different resource identifiers (e.g. via export, images are served statically, ... etc).
2) MW does not appear to offer any group related extension "hooks".
So 1 pretty much rules out any kind of page based access control.
However, I was wondering if there was anywhere else our group membership checks could be employed safely?
For example, mapping of $wgGroupPermissions groups to groups of the external authority (e.g. Active Directory in our case) could be performed by having a group map like:
$myGroupMap = array(
    '*' => 'EXAMPLE\Domain Users',
    'user' => 'EXAMPLE\My Wiki Users',
    'bureaucrat' => 'EXAMPLE\My Wiki Bureaucrats',
);
Then, at authentication time the $wgGroupPermissions array could be populated based on whether or not the user is in these groups like:
foreach ($myGroupMap as $mwGroup => $adGroup) {
    if (plexcel_is_member_of($adGroup)) {
        $wgGroupPermissions[$mwGroup] = ???
    }
}
It seems dynamically adding people to MW groups does not degrade the existing security mechanisms of MW.
Of course the '???' part is a blur - are there any hooks for this sort of thing?
Are there any hooks or other ways to engage our extension's snappy group membership checking?
Mike
Actually, the mechanics would be pretty simple. Determining when you want to do this (on a local or wiki-wide basis) could be a real issue.
I'll look for a better way, but as a temporary measure, you can get this (globally) by patching includes/Article.php in function replaceSection():
Index: Article.php =================================================================== --- Article.php (revision 40244) +++ Article.php (working copy) @@ -1259,7 +1259,7 @@ # Inserting a new section $subject = $summary ? wfMsgForContent('newsectionheaderdefaultlevel',$summary) . "\n\n" : ''; $text = strlen( trim( $oldtext ) ) > 0 - ? "{$oldtext}\n\n{$subject}{$text}" + ? "{$subject}{$text}\n\n{$oldtext}" : "{$subject}{$text}"; } else { # Replacing an existing section; roll out the big guns
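Review bot: the "+" line (? "{$subject}{$text}\n\n{$oldtext}") reverses the order for every new-section insert with no condition around it, so the new heading and text are placed above whatever opens $oldtext, including any introductory text at the top of the page. Because the change sits in the shared branch under "# Inserting a new section", it applies to all pages; gate the order on a setting or a per-page marker, keep the original append order as the default, and update the comment above the ternary to say which order is in effect.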
Robert Leverington lcarsdata at googlemail.com Wed Jun 13 19:26:44 UTC 2007
Well, that would completely muck up any text at the top and also how would you decide where it gets cut off (a new magic word maybe).
On 13/06/07, Frederik Dohr <fdg001 at gmx.net> wrote:
There is currently no option to do this. This would also be pretty difficult to implement as it would require completely changing how the current commenting system works.
Really? I've thought about this too, as it would be very useful. I don't know much about the MW code, so I thought it should be as easy as changing $pageContents = $pageContents + $newComment; to $pageContents = $newComment + $pageContents; (that's pseudo-code, obviously)
Guess I was a bit naive then...
-- F.
Hi,
You may try to accomplish this feature using the ArticleComments and HeaderFooter extensions.
Best Regards Stephane ancelot
On Fri, 05 Sep 2008 23:37:17 +0200, Jack D. Pond jack.pond@psitex.com wrote:
Actually, the mechanics would be pretty simple. Determining when you want to do this (on a local or wiki-wide basis) could be a real issue.
I'll look for a better way, but as a temporary measure, you can get this (globally) by patching includes/Article.php in function replaceSection():
Index: Article.php
--- Article.php (revision 40244) +++ Article.php (working copy) @@ -1259,7 +1259,7 @@ # Inserting a new section $subject = $summary ? wfMsgForContent('newsectionheaderdefaultlevel',$summary) . "\n\n" : ''; $text = strlen( trim( $oldtext ) ) > 0
? "{$oldtext}\n\n{$subject}{$text}"
} else {? "{$subject}{$text}\n\n{$oldtext}" : "{$subject}{$text}";
# Replacing an existing section; roll out the big guns
MediaWiki-l mailing list MediaWiki-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
Then, at authentication time the $wgGroupPermissions array could be populated based on whether or not the user is in these groups like:
foreach ($myGroupMap as $mwGroup => $adGroup) {
    if (plexcel_is_member_of($adGroup)) {
        $wgGroupPermissions[$mwGroup] = ???
    }
}
It seems dynamically adding people to MW groups does not degrade the existing security mechanisms of MW.
Of course the '???' part is a blur - are there any hooks for this sort of thing?
Are you trying to add a user to MediaWiki groups, or are you trying to add permissions to a group?
It looks like you are trying to add permissions. Why not instead synchronize the user's groups from AD, to MediaWiki? Then admins can assign permissions to LDAP groups via MediaWiki like they normally do.
See the LDAP Authentication plugin, specifically the "setGroups" function.
V/r,
Ryan Lane
On Mon, Sep 8, 2008 at 10:28 AM, Lane, Ryan Ryan.Lane@ocean.navo.navy.mil wrote:
Then, at authentication time the $wgGroupPermissions array could be populated based on whether or not the user is in these groups like:
foreach ($myGroupMap as $mwGroup => $adGroup) {
    if (plexcel_is_member_of($adGroup)) {
        $wgGroupPermissions[$mwGroup] = ???
    }
}
It seems dynamically adding people to MW groups does not degrade the existing security mechanisms of MW.
Of course the '???' part is a blur - are there any hooks for this sort of thing?
Are you trying to add a user to MediaWiki groups, or are you trying to add permissions to a group?
It looks like you are trying to add permissions. Why not instead synchronize the user's groups from AD, to MediaWiki? Then admins can assign permissions to LDAP groups via MediaWiki like they normally do.
See the LDAP Authentication plugin, specifically the "setGroups" function.
Hi Ryan,
As you always know what to do.
Using addGroup I was able to add "Windows Group Mapping" to our Plexcel MediaWiki Plugin so that people can push MW group membership management into AD. The LocalSettings.php directive looks like:
$wgAuth->groupMap = array(
    'ACME\Wiki Bureaucrats' => 'bureaucrat',
    'ACME\Wiki Sysops' => 'sysop',
);
So whoever is in the 'ACME\Wiki Bureaucrats' Windows group will be automatically added to the bureaucrats group. Brilliant!
Thanks again, Mike
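The group mapping described in the last message, extended to cover revocation, as an added example that is not from the thread or the Plexcel plugin: a group pushed in from the directory should also be withdrawn once the user leaves the Windows group, without touching groups granted locally. planGroupSync(), the $isMember callback and the sample account are assumptions made for illustration.

```php
<?php
// Added example, not Plexcel or MediaWiki code; planGroupSync() is a hypothetical name.

/**
 * Work out which MediaWiki groups to grant and which to revoke at login.
 *
 * $groupMap : external (Windows) group => MediaWiki group, as in the thread
 * $current  : MediaWiki groups the account holds right now
 * $isMember : callable(string $externalGroup): bool, assumed to wrap the
 *             extension's membership check for the authenticated user
 */
function planGroupSync(array $groupMap, array $current, callable $isMember): array
{
    $managed  = array_unique(array_values($groupMap));
    $entitled = [];
    foreach ($groupMap as $externalGroup => $mwGroup) {
        // Several external groups may map to the same MediaWiki group.
        if ($isMember($externalGroup)) {
            $entitled[$mwGroup] = true;
        }
    }
    $entitled = array_keys($entitled);

    return [
        'add'    => array_values(array_diff($entitled, $current)),
        // Revoke only groups the map manages; local grants are left alone.
        'remove' => array_values(
            array_diff(array_intersect($current, $managed), $entitled)
        ),
    ];
}

// Constructed sample data: the map from the thread and one made-up account.
$groupMap = [
    'ACME\Wiki Bureaucrats' => 'bureaucrat',
    'ACME\Wiki Sysops'      => 'sysop',
];
$directoryGroups = ['ACME\Wiki Sysops'];   // what the directory reports today
$current         = ['bureaucrat', 'bot'];  // stale mapped group + a local grant

$plan = planGroupSync($groupMap, $current, function ($group) use ($directoryGroups) {
    return in_array($group, $directoryGroups, true);
});

// In the wiki the plan would be applied with the User object's
// addGroup() / removeGroup() methods.
print_r($plan);
```

For the sample account the plan grants sysop, revokes the stale bureaucrat membership and leaves the locally granted bot group alone.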