On 08/27/2013 10:27 AM, vitalif@yourcmc.ru wrote:
> Actually, the first and the basic step is much simpler - MediaWiki should perform userCanRead() checks everywhere it displays information about any page.
+1. Sometimes, it's not so easy, though, especially when it comes to lists of pages and paging. In the medium term, though, we should go for some deeper security model that performs checks directly when an article is accessed instead of manually checking all over the code.
> I'm now trying to improve API protection in IntraACL (before today it was provided only by "Title hack" which returned "Access denied" instead of any real inaccessible Title object) - and it seems userCanRead() must be added in almost every ApiQuery*.php file :-X (ApiPageSet isn't used everywhere)
Just a short note: userCanRead seems to be deprecated since 1.19. It's recommended to use userCan('read') instead.
Best, Markus
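An added example, not code from this thread or from IntraACL, of the per-title check Markus recommends: a helper for an ApiQuery-style page list that drops titles the user cannot read via Title::userCan( 'read', $user ) and still produces a usable continuation token, which is the paging difficulty mentioned above. The helper name, its parameters ($rows, $limit, $fetched) and the strict-greater-than continuation convention are assumptions of this example.

```php
<?php
// Added example (not from the thread or from IntraACL): filter an API page list
// with Title::userCan( 'read', $user ), the replacement for the deprecated
// Title::userCanRead(), and keep paging correct even though unreadable rows
// are discarded after the query ran.
//
// Assumptions: $rows are DB rows with page_namespace/page_title, ordered by that
// pair and fetched with LIMIT $fetched; when 'continue' is non-null the caller
// re-queries with a strict (page_namespace, page_title) > $continue comparison.

function filterReadablePages( array $rows, User $user, $limit, $fetched ) {
    $titles   = array();
    $continue = null;   // key of the last row examined, or null when exhausted
    $consumed = 0;
    $more     = false;  // set when a readable row exists beyond this page

    foreach ( $rows as $row ) {
        $consumed++;
        $key   = $row->page_namespace . '|' . $row->page_title;
        $title = Title::makeTitle( $row->page_namespace, $row->page_title );

        // Hook-based ACL extensions answer through userCan(), so a denied
        // title is dropped here instead of leaking its name into the output.
        if ( !$title->userCan( 'read', $user ) ) {
            $continue = $key;   // safe to resume after a hidden row
            continue;
        }
        if ( count( $titles ) >= $limit ) {
            // Page is full and another readable row exists; resume after the
            // last row we examined, not after this one.
            $more = true;
            break;
        }
        $titles[]  = $title;
        $continue  = $key;
    }

    if ( !$more && $consumed < $fetched ) {
        $continue = null;   // the query returned fewer rows than asked: no more pages
    }
    return array( 'titles' => $titles, 'continue' => $continue );
}
```

Because the filter runs after the query, a page may come back shorter than $limit; the caller must treat a non-null 'continue' as "more may follow" rather than judging by the count of returned titles.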