[Mediawiki-l] Are there any wgGroupPermissions Related Hooks?

Michael B Allen ioplex at gmail.com
Fri Sep 5 16:38:03 UTC 2008


Hi,

Our PHP extension has a way of checking group membership in Active
Directory (gets group SIDs from the Kerberos PAC which is v. fast).
I've been asked countless times to incorporate this into our
corresponding MediaWiki extension but there are two problems:

  1) MW is not designed to protect individual resources as there are
multiple ways to access the same content using different resource
identifiers (e.g. via export, images are served statically, ... etc).

  2) MW does not appear to offer any group related extension "hooks".

So 1 pretty much rules out any kind of page based access control.

However, I was wondering if there was anywhere else our group
membership checks could be employed safely?

For example, mapping of $wgGroupPermissions groups to groups of the
external authority (e.g. Active Directory in our case) could be
performed by having a group map like:

$myGroupMap = array(
    '*' => 'EXAMPLE\\Domain Users',
    'user' => 'EXAMPLE\\My Wiki Users',
    'bureaucrat' => 'EXAMPLE\\My Wiki Bureaucrats',
);

Then, at authentication time the $wgGroupPermissions array could be
populated based on whether or not the user is in these groups like:

foreach ($myGroupMap as $mwGroup => $adGroup) {
    if (plexcel_is_member_of($adGroup)) {
        $wgGroupPermissions[$mwGroup] = ???
    }
}

It seems dynamically adding people to MW groups does not degrade the
existing security mechanisms of MW.

Of course the '???' part is a blur - are there any hooks for this sort of thing?

Are there any hooks or other ways to engage our extension's snappy
group membership checking?

Mike

-- 
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
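
An added example, not part of the original post and not Plexcel or MediaWiki code: one way to turn the group map above into a per-user list of MediaWiki group names while failing closed when a directory lookup errors. The result is kept as a list of group names because $wgGroupPermissions maps group names to rights for every user. The name resolveMappedGroups and the membership data are assumptions constructed for the demo; in the extension the callable would be plexcel_is_member_of.

```php
<?php
// Map from the post: MediaWiki group => Active Directory group.
$myGroupMap = array(
    '*' => 'EXAMPLE\\Domain Users',
    'user' => 'EXAMPLE\\My Wiki Users',
    'bureaucrat' => 'EXAMPLE\\My Wiki Bureaucrats',
);

/**
 * Hypothetical helper: return the MediaWiki groups whose mapped AD group
 * the authenticated user belongs to. $isMemberOf is any callable that takes
 * an AD group name. Only a strict boolean true grants a group; an exception
 * or any other return value grants nothing for that entry.
 */
function resolveMappedGroups(array $groupMap, $isMemberOf) {
    $granted = array();
    foreach ($groupMap as $mwGroup => $adGroup) {
        try {
            $ok = call_user_func($isMemberOf, $adGroup);
        } catch (Exception $e) {
            $ok = false; // lookup failed: fail closed
        }
        if ($ok === true) {
            $granted[] = (string)$mwGroup;
        }
    }
    return $granted;
}

// Constructed stand-in for the directory: the demo user is in two AD groups,
// and the lookup for the bureaucrat group simulates a directory error.
$constructedMembership = array('EXAMPLE\\Domain Users', 'EXAMPLE\\My Wiki Users');
$demoCheck = function ($adGroup) use ($constructedMembership) {
    if ($adGroup === 'EXAMPLE\\My Wiki Bureaucrats') {
        throw new RuntimeException('simulated directory lookup failure');
    }
    return in_array($adGroup, $constructedMembership, true);
};

// The failed bureaucrat lookup is treated as "not a member".
echo implode(', ', resolveMappedGroups($myGroupMap, $demoCheck)), "\n";
```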
