On Oct 22, 2004, at 12:24 AM, Victor Fariña wrote:
> I am currently working on a simple extension to add security features
> on a "per page" schema.
> It's functional but has very flaws of security, it works in all pages
> and an editor must/can create a tag like:
> <security>
> user=coff,admin
> groups=sysadmin
> </security>
> and the users listed are the only ones that can read the page.
> The extension info and download are on
> http://www.wickle.com/wikis/index.php/Security_extension

Well, the first problem I see is that it doesn't work -- anyone can
simply click "edit" and remove the tags again. If it did work, then
anyone with general edit permissions could lock any page to be
inaccessible to other users just by putting in a random username/group,
creating a denial of service attack vector.

> I would like to know why MediaWiki developers are closed to new ideas
> based on security, I think this kind of extension is great for the wiki
> community (although it's not useful for Wikipedia sites) I don't want a
> CMS, I don't want to change the wiki, I like MediaWiki, but some
> answers at the IRC about this implementation are very frustrating, and
> other answers are great.

A parser extension is really the wrong place to be adding security
hooks. It won't even get called in the places where it matters, and
it's too easy to stuff in fake data or get around it.
You should probably be looking at Title::userCanEdit() and
Title::userCanRead(), and the protect/unprotect functions. Currently
these have a few hard-coded hacks instead of the general-purpose user
group system that could be done but that there's been no sufficient
interest in to write.
-- brion vibber (brion @ pobox.com)
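
Added example, not part of the original message and not MediaWiki or extension code: a toy Python model of the two designs discussed above, with the access list stored in the page text versus stored outside it and enforced in one central permission check. The class names, the GROUPS table, the sample page and the rule that only "sysadmin" may change protection are assumptions made for illustration.

```python
import re

# Constructed sample data (hypothetical users and groups, not from the extension).
GROUPS = {"coff": {"user"}, "admin": {"sysadmin"}, "mallory": {"user"}}
PAGE = "<security>\nuser=coff,admin\ngroups=sysadmin\n</security>\nsecret text"
TAG = re.compile(r"<security>(.*?)</security>", re.S)

def parse_tag(text):
    """Return (users, groups) from the in-page <security> block, or None if absent."""
    m = TAG.search(text)
    if not m:
        return None
    acl = {"user": set(), "groups": set()}
    for line in m.group(1).strip().splitlines():
        key, _, val = line.partition("=")
        if key.strip() in acl:
            acl[key.strip()] = {v.strip() for v in val.split(",") if v.strip()}
    return acl["user"], acl["groups"]

def allowed(user, users, groups):
    return user in users or bool(GROUPS.get(user, set()) & groups)

class TagWiki:
    """ACL is ordinary page content: whoever can edit can rewrite or add it."""
    def __init__(self, text):
        self.text = text
    def can_read(self, user):
        acl = parse_tag(self.text)
        return acl is None or allowed(user, *acl)
    def edit(self, user, new_text):
        self.text = new_text  # the tag is never consulted on the edit path

class CentralWiki:
    """ACL is stored outside the text and checked on both the read and edit paths."""
    def __init__(self, text, users, groups):
        self.text, self.users, self.groups = text, set(users), set(groups)
    def can_read(self, user):
        return allowed(user, self.users, self.groups)
    def edit(self, user, new_text):
        if not self.can_read(user):
            raise PermissionError(user)
        self.text = new_text
    def protect(self, user, users, groups):
        if "sysadmin" not in GROUPS.get(user, set()):  # assumed privileged group
            raise PermissionError(user)
        self.users, self.groups = set(users), set(groups)
```

In the TagWiki model a single edit by an unlisted user both removes the restriction and can impose a new one on a public page; in the CentralWiki model both operations fail unless the caller passes the central check.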