In SpecialPages.php, take a look at the lines below "static public
$mList = array(".
Some of them specify a user right to access a special page:
'Unlockdb' => array( 'SpecialPage', 'Unlockdb',
'siteadmin' ),
So MediaWiki already has a protection mechanism in place. You could
either patch SpecialPages.php or change the static array in-memory.
Maybe this can be done in LocalSettings.php. If not, in a hook.
There is some (confusing) information about this here:
http://meta.wikimedia.org/wiki/Preventing_Access#Preventing_access_to_some_…
This is the extent of my knowledge on this subject. If this is not
enough please ask again for someone that knows more about this.
The reason I'm not putting this protection on the PageSecurity
extension is that MediaWiki already has a way to protect it, and there
is no call to the userCan hook for special pages.
Maybe there should be, but there is not.
Regards.