[Mediawiki-l] Page ACLs for AuthPlugins
Michael B Allen
mba2000 at ioplex.com
Sat Jun 9 04:30:11 UTC 2007
Hi,
I would like to add page based ACLs to my AuthPlugin and I think I've
devised a relatively simple and elegant way which is illustrated below
(the example uses Windows group and user names but I think this would
work equally well in something like the LdapAuthentication plugin with
DNs). I would appreciate any feedback or guidance as to the security
and sanity of the implementation.
In LocalSettings one initializes the AuthPlugin and loads the ACLs:
$wgAuth = new PlexcelAuth();
$wgAuth->page_acls['EmployeeWorkLog'] = array(
    'rbaker@example.com'
);
$wgAuth->page_acls['Trial*'] = array(
    'trials.example.com\Managers',
    'Executive Compliance'
);
$wgAuth->page_acls['*'] = array(
    'lwatts@example.com' => 'DENY',
    'Lab Temps' => 'DENY',
    'RadWiki Users',
    'trials.example.com\Managers'
);
In our AuthPlugin class I have a method that checks access. If
$_GET['title'] matches a pattern the corresponding ACL is chosen and
evaluated:
// Method of the PlexcelAuth class. $acls maps a glob-style title pattern
// ('Trial*', '*') to an ACL; $target is the requested page title.
function checkAccess($acls, $target) {
    foreach ($acls as $pattern => $acl) {
        // Treat the pattern as a glob rather than a raw regex: escape
        // everything except '*', which becomes '.*', and anchor it so that
        // 'EmployeeWorkLog' matches only that exact title (a bare '*' is
        // not a valid regular expression on its own).
        $regex = '/^' . str_replace('\*', '.*', preg_quote($pattern, '/')) . '$/';
        if (preg_match($regex, $target)) {
            foreach ($acl as $key => $val) {
                if ($val === 'DENY') {
                    // DENY entry: the principal is the array key
                    if (plexcel_is_member_of($this->px, $key)) {
                        return FALSE;
                    }
                } else {
                    // allow entry: the principal is the array value
                    if (plexcel_is_member_of($this->px, $val)) {
                        return TRUE;
                    }
                }
            }
        }
    }
    return FALSE; // no ACL granted access: default deny
}
Now whenever the AutoAuthenticate hook or AuthPlugin::authenticate
function is successful, the checkAccess method is called:
if (!isset($_GET['title']) ||
    !$this->checkAccess($this->page_acls, $_GET['title'])) {
    header('Location: PlexcelAccessDenied');
    return FALSE;
}
This seems pretty simple to me. Comments?
Thanks,
Mike
--
Michael B Allen
PHP Active Directory Kerberos SSO
http://www.ioplex.com/
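The following is an added, stand-alone PHP model of the page-ACL scheme described in the post; it is not Mike's code and not part of the Plexcel plugin. Group membership is a constructed map supplied through a callable in place of plexcel_is_member_of(), the user names and groups are the post's sample values, and the function names globToRegex, checkPageAccess and memberCheck are this example's own. It differs from the post's evaluator in two deliberate ways: patterns are anchored globs (so 'EmployeeWorkLog' does not match 'OldEmployeeWorkLog'), and every DENY entry of every matching pattern is checked before any allow entry, so a DENY listed under '*' applies to every page regardless of entry order.

```php
<?php
// Added example: a stand-alone model of glob-keyed page ACLs with
// deny-before-allow evaluation. Membership data below is constructed.

/**
 * Convert a glob ('Trial*', '*') into an anchored regex. Everything except
 * '*' is escaped, so a title is matched as a whole string and regex
 * metacharacters in patterns or titles cannot change the match.
 */
function globToRegex(string $glob): string {
    return '/^' . str_replace('\*', '.*', preg_quote($glob, '/')) . '$/';
}

/**
 * Evaluate $acls for $title. All DENY entries from every matching pattern
 * are checked first; only then are allow entries consulted. No match at all
 * means default deny. $isMember is callable(string $principal): bool.
 */
function checkPageAccess(array $acls, string $title, callable $isMember): bool {
    $denies = [];
    $allows = [];
    foreach ($acls as $pattern => $acl) {
        if (!preg_match(globToRegex($pattern), $title)) {
            continue;
        }
        foreach ($acl as $key => $val) {
            if ($val === 'DENY') {
                $denies[] = $key;   // DENY entry: principal is the key
            } else {
                $allows[] = $val;   // allow entry: principal is the value
            }
        }
    }
    foreach ($denies as $principal) {
        if ($isMember($principal)) {
            return false;           // any explicit deny wins
        }
    }
    foreach ($allows as $principal) {
        if ($isMember($principal)) {
            return true;
        }
    }
    return false;                   // default deny
}

// Constructed sample ACLs, mirroring the LocalSettings block in the post.
$pageAcls = [
    'EmployeeWorkLog' => ['rbaker@example.com'],
    'Trial*'          => ['trials.example.com\Managers', 'Executive Compliance'],
    '*'               => [
        'lwatts@example.com' => 'DENY',
        'Lab Temps'          => 'DENY',
        'RadWiki Users',
        'trials.example.com\Managers',
    ],
];

// Constructed group membership for two hypothetical users (a user is
// treated as a member of the principal that is their own name).
$membership = [
    'rbaker@example.com' => ['rbaker@example.com', 'RadWiki Users'],
    'lwatts@example.com' => ['lwatts@example.com', 'RadWiki Users',
                             'trials.example.com\Managers'],
];

function memberCheck(array $membership, string $user): callable {
    return function (string $principal) use ($membership, $user): bool {
        return in_array($principal, $membership[$user] ?? [], true);
    };
}

// Each case: user, title, expected decision.
$cases = [
    ['rbaker@example.com', 'EmployeeWorkLog',    true],  // exact title, allowed
    ['rbaker@example.com', 'OldEmployeeWorkLog', true],  // only '*' matches; RadWiki Users
    ['rbaker@example.com', 'TrialNotes',         true],  // not a manager; '*' still grants
    ['lwatts@example.com', 'TrialNotes',         false], // manager, but DENY under '*' wins
    ['lwatts@example.com', 'Main_Page',          false], // denied on every page
    ['nobody@example.com', 'Main_Page',          false], // unknown user: default deny
];

foreach ($cases as [$user, $title, $expected]) {
    $got = checkPageAccess($pageAcls, $title, memberCheck($membership, $user));
    printf("%-20s %-20s %s%s\n", $user, $title, $got ? 'ALLOW' : 'DENY',
        $got === $expected ? '' : '  <-- unexpected');
}
```

Run it with the PHP CLI (php acl_example.php); every line should print without the "unexpected" marker. The fourth case is the one worth studying: because the manager group is allowed under 'Trial*', evaluation order decides whether a DENY under '*' reaches Trial pages, and collecting denies across all matching patterns before any allow makes that outcome independent of how the entries are listed.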