[Mediawiki-l] [quickhack] require a specific user to view a page
Brion Vibber
brion at pobox.com
Thu Jan 27 20:59:11 UTC 2005
Moritz Karbach wrote:
| as my very private Wiki grew larger, a few people liked to use it as well. So
| I needed to protect the sites, that are really private. Since some kind of
| user rights is scheduled for version 1.5, here comes a quickhack:
If your sites are really private, you should not use MediaWiki to hold
them. It's really, really not designed to hide information.
| Wiki Version: 1.3.5 (maybe it works on later versions as well)
You should upgrade to 1.3.9 immediately, as there are potentially
exploitable security holes in 1.3.5.
| Insert the following into Title.php, function userCanRead(), right after the
| globals have been defined (for me it's line 550):
|
| # inserted by m:o
| global $wgRequireUser;
| $siteName = $this->getPrefixedText(); # pagename
| $requiredUser = $wgRequireUser[$name];
Note that the above line doesn't seem to do anything, and produces two
PHP notice warnings if error_level is set to E_ALL. (Undefined variable
$name, and undefined array index.)
[remainder of code snipped]
| Maybe someone can comment on possible disadvantages or security holes?
An insecure page containing a template inclusion can extract the hidden
page's text, like {{:Hauptseite:private}} or {{:Tbd}}.
-- brion vibber (brion @ pobox.com)
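Added example, not part of the message above and not MediaWiki code: a toy renderer showing why a read check placed only on the page-view path does not cover text pulled in through {{:Title}} inclusion, next to a variant that checks every included title. The page names, the users and the render() helper are constructed for illustration; $requireUser is modelled on the quickhack's $wgRequireUser.

```php
<?php
// Toy model, not MediaWiki code: page titles map to wikitext (constructed sample data).
$pages = [
    'Tbd'     => 'private notes',
    'Sandbox' => 'Public intro. {{:Tbd}}',
];
// Per-page required user, modelled on the quickhack's $wgRequireUser idea.
$requireUser = ['Tbd' => 'moritz'];

function userCanRead(string $title, string $user, array $requireUser): bool {
    return !isset($requireUser[$title]) || $requireUser[$title] === $user;
}

// Expands {{:Title}} inclusions. With $checkIncluded = false only the requested
// page is checked, which mirrors a check placed solely on the page-view path.
function render(string $title, string $user, array $pages, array $requireUser,
                bool $checkIncluded, int $depth = 0): string {
    if ($depth === 0 || $checkIncluded) {
        if (!userCanRead($title, $user, $requireUser)) {
            return '[access denied: ' . $title . ']';
        }
    }
    if (!isset($pages[$title]) || $depth > 5) {   // missing page or inclusion loop
        return '';
    }
    return preg_replace_callback(
        '/\{\{:([^{}|]+)\}\}/',
        function (array $m) use ($user, $pages, $requireUser, $checkIncluded, $depth) {
            return render(trim($m[1]), $user, $pages, $requireUser, $checkIncluded, $depth + 1);
        },
        $pages[$title]
    );
}

// Direct view of the restricted page by another user: the view check applies.
echo render('Tbd', 'guest', $pages, $requireUser, false), "\n";
// View-only check: the included title is expanded without any check.
echo render('Sandbox', 'guest', $pages, $requireUser, false), "\n";
// Check applied to every included title as well.
echo render('Sandbox', 'guest', $pages, $requireUser, true), "\n";
// The required user with the per-inclusion check enabled.
echo render('Sandbox', 'moritz', $pages, $requireUser, true), "\n";
```

Comparing the second and third lines of output shows the difference between checking the requested title and checking every title whose text ends up in the response.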