[Mediawiki-l] [quickhack] require a specific user to view a page

Brion Vibber brion at pobox.com
Thu Jan 27 20:59:11 UTC 2005


Moritz Karbach wrote:
| as my very private Wiki grew larger, a few people liked to use it as well. So
| I needed to protect the sites, that are really private. Since some kind of
| user rights is scheduled for version 1.5, here comes a quickhack:

If your sites are really private, you should not use MediaWiki to hold
them. It's really, really not designed to hide information.

| Wiki Version: 1.3.5 (maybe it works on later versions as well)

You should upgrade to 1.3.9 immediately, as there are potentially
exploitable security holes in 1.3.5.

| Insert the following into Title.php, function userCanRead(), right after the
| globals have been defined (for me it's line 550):
|
|                 # inserted by m:o
|                 global $wgRequireUser;
|                 $siteName = $this->getPrefixedText(); # pagename
|                 $requiredUser = $wgRequireUser[$name];

Note that the above line doesn't seem to do anything, and produces two
PHP notice warnings if error_level is set to E_ALL. (Undefined variable
$name, and undefined array index.)

[remainder of code snipped]

| Maybe someone can comment on possible disadvantages or security holes?

An insecure page containing a template inclusion can extract the hidden
page's text, like {{:Hauptseite:private}} or {{:Tbd}}.

-- brion vibber (brion @ pobox.com)
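
The template-inclusion leak described in the reply, as an added example that is not part of the original message and not MediaWiki's code: a toy renderer in PHP where the read check guards only the requested title, beside a variant that repeats the check for every included page. Apart from `$wgRequireUser` and the page title `Hauptseite:private`, all names and page contents are constructed.

```php
<?php
// Constructed toy model, not MediaWiki code. $wgRequireUser follows the quoted
// hack (page title => the one user allowed to read it); all else is hypothetical.
$wgRequireUser = ['Hauptseite:private' => 'moritz'];
$pages = [
    'Hauptseite:private' => 'SECRET NOTES',
    'Sandbox'            => 'Look: {{:Hauptseite:private}}',
];

function userCanRead(string $title, string $user): bool {
    global $wgRequireUser;
    return !isset($wgRequireUser[$title]) || $wgRequireUser[$title] === $user;
}

// Expand {{:Title}} inclusions. With $checkIncluded = false only the requested
// title is checked, which is where the quickhack places its test.
function render(string $title, string $user, bool $checkIncluded, int $depth = 0): string {
    global $pages;
    if (($depth === 0 || $checkIncluded) && !userCanRead($title, $user)) {
        return '[permission denied]';
    }
    if ($depth > 5 || !isset($pages[$title])) {
        return ''; // recursion guard, or no such page
    }
    return preg_replace_callback(
        '/\{\{:([^{}|]+)\}\}/',
        function (array $m) use ($user, $checkIncluded, $depth): string {
            return render(trim($m[1]), $user, $checkIncluded, $depth + 1);
        },
        $pages[$title]
    );
}

echo render('Hauptseite:private', 'guest', false), "\n"; // direct view of the restricted page
echo render('Sandbox', 'guest', false), "\n";            // unrestricted page that includes it
echo render('Sandbox', 'guest', true), "\n";             // same page, check repeated per inclusion
echo render('Sandbox', 'moritz', true), "\n";            // the permitted user
```

The per-inclusion variant closes only the path the reply names; it does not change the reply's point that the software is not designed to hide information.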


