We would like to be able to control permissions, specifically edit, of a
page per namespace. While the permissions framework provides a
mechanism to control permissions per group, it doesn't allow for
permissions based on a resource.

Specifically I would like to be able to tie a permission triple to a
group, 1) permission, 2) resource, 3) allow/deny. The current model is
a double, 1) permission, 2) allow/deny. I think the change would be
easy, but declaring the permissions in a variable array seems messy, but
I can live with that for now.

The added bonus of this approach would eliminate a bunch of permission
code. For example, in Title.php, this code would go away:

    if( NS_MEDIAWIKI == $this->mNamespace &&
        !$wgUser->isAllowed('editinterface') ) {
        wfProfileOut( $fname );
        return false;
    }

And simply be replaced with the permission check.

The permission structure would become:

    /**
     * Permission keys given to users in each group.
     * All users are implicitly in the '*' group including anonymous visitors;
     * logged-in users are all implicitly in the 'user' group. These will be
     * combined with the permissions of all groups that a given user is listed
     * in the user_groups table.
     *
     * The structure of this map is <group or *><permission><resource or *>
     * where group is a group, permission is a permission, and resource is
     * one of:
     * 1) namespace:<namespace>
     * 2) .... would we support categories?...
     **/

I think I can hack this into the code in one place, Title.php, in
function userCan. Basically, at the end of the function I would check
to see if a permission is defined for this resource, and if so check the
permission for that resource. I haven't yet written the code so there
may well be a better place.

Does this sound feasible and if so does it sound like something others
want?

Thanks,
Dave
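
The group/permission/resource lookup proposed in the message above, as an added example that is not part of the original message and not MediaWiki code. The names `$wgResourcePermissions` and `resourceAllows`, the sample map, and the precedence rules (exact resource beats `*`, any allow wins within a level, no match means deny) are assumptions; the message does not define how allow and deny combine across groups.

```php
<?php
// Constructed sample map (hypothetical variable name):
// group => permission => resource => allow (true) / deny (false).
$wgResourcePermissions = [
    '*'     => [ 'edit' => [ '*' => true, 'namespace:MediaWiki' => false ] ],
    'user'  => [ 'edit' => [ '*' => true ] ],
    'sysop' => [ 'edit' => [ 'namespace:MediaWiki' => true ] ],
];

/**
 * Hypothetical helper, not a MediaWiki function.
 * Assumed rules:
 *  - an entry for the exact resource takes precedence over a '*' entry;
 *  - within one level, an allow from any of the user's groups wins,
 *    so group membership stays additive;
 *  - if only denies match at the exact level, the '*' level is not consulted;
 *  - if nothing matches at all, the answer is deny.
 */
function resourceAllows( array $map, array $groups, string $permission, string $resource ): bool {
    foreach ( [ $resource, '*' ] as $key ) {
        $denied = false;
        foreach ( $groups as $group ) {
            // isset() is true for a stored false, so explicit denies are seen.
            if ( !isset( $map[$group][$permission][$key] ) ) {
                continue;
            }
            if ( $map[$group][$permission][$key] === true ) {
                return true;
            }
            $denied = true; // explicit deny recorded at this level
        }
        if ( $denied ) {
            return false;
        }
    }
    return false; // nothing configured for this permission: fail closed
}

$anon  = [ '*' ];
$sysop = [ '*', 'user', 'sysop' ];

// Anonymous visitor editing an ordinary namespace (wildcard entry applies).
var_dump( resourceAllows( $wgResourcePermissions, $anon, 'edit', 'namespace:Main' ) );
// Anonymous visitor editing the MediaWiki namespace (exact deny applies).
var_dump( resourceAllows( $wgResourcePermissions, $anon, 'edit', 'namespace:MediaWiki' ) );
// Sysop editing the MediaWiki namespace (exact allow from the sysop group).
var_dump( resourceAllows( $wgResourcePermissions, $sysop, 'edit', 'namespace:MediaWiki' ) );
// Permission with no entry in the map.
var_dump( resourceAllows( $wgResourcePermissions, $anon, 'delete', 'namespace:Main' ) );
```

With a map like this, the hard-coded `NS_MEDIAWIKI` / `editinterface` test quoted from Title.php becomes one data-driven call, and the precedence rule is the part that needs review before any deny entries are relied on.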