[Mediawiki-l] Per-Page Access Restrictions

Michael B Allen ioplex at gmail.com
Thu Sep 20 22:41:11 UTC 2007


On 9/20/07, Christensen, Courtney <ChristensenC at battelle.org> wrote:
> Mike Wrote:
> -------------
> I would like to add a similar disclaimer to our documentation but I
> would like to better understand the particular failure scenarios. Can
> someone provide an example?
> -------------
>
>
> http://www.mediawiki.org/wiki/Security_issues_with_authorization_extensions
> I found this while searching recently.  It explains all the loopholes
> there may be for page viewing through restrictions.

Actually, the more I think about this, I'm going to just dump page-based
ACLs. It would be more appropriate to delegate access control to
another module.

But ideally there should be a way to hook the access control
primitives. In particular, our code has a very fast
"plexcel_is_member_of" function that can determine if the currently
logged in user is in the named Windows group. It would be delightful
if an access control layer (either the existing one or one that is to
be created in the future) could allow an extension to provide the
implementation of this 'IsMemberOf' routine. Is there such a hook now?
Obviously there are different groups with associated privileges now
(e.g. Sysops, Bureaucrats, etc) so somewhere someone is doing
something like IsMemberOf('Sysops').

For now, I guess I'll simply change the resource being protected from
pages to the entire wiki. So it will be all-or-nothing. That will be
secure but will allow us to use our fast Windows group checking.

Mike