* Aryeh Gregor Simetrical+wikilist@gmail.com [Thu, 25 Feb 2010 11:48:05 -0500]:
For information on some of the many things that can go wrong with an extension that claims to do read restrictions, see
http://www.mediawiki.org/wiki/Security_issues_with_authorization_extensions.
The *only* reliable type of read restriction in MediaWiki, with or without extensions, is when you forbid entire groups (e.g., unregistered users) from reading or editing the wiki at all. If you can edit any page, or view anything beyond a very small and carefully-selected whitelist, you can probably get some information about pages that are hidden to you.
Thanks for pointing out to the list. I think I've seen it sometime back ago - it was expanded since then. I should check my small access restriction extension against it. Anyway, even the list itself proves that the most (although not all) of issues are fixed since 1.10 and later. It seems that MediaWiki needs only a small step to make it relatively secure for fine-grained views, too. Dmitriy