Tom Hogarty | 13 Dec 2007 18:38

deny anonymous access to sidebar

Hello,

According to the page
http://www.mediawiki.org/wiki/Manual:Preventing_access "If you need to
protect even the sidebar ... it's recommended that you use
higher-level authentication such as .htpasswd or equivalent."

Without using .htpasswd, are there options for restricting access to
the MediaWiki:Sidebar content before a user logs in? A wiki-wide
navigation menu is an important element for providing our users easy
access to important content. If the world will have access to see the
contents of the Sidebar, I will be reluctant to put more than a few
generic menu items.

Here is an analogy for my motivation: You have purchased several very
expensive gifts and they are in your car. The car is locked, but you
still want to put them in the trunk or otherwise hide the fact that
they are there. If you leave them in plain view, your car is instantly
a very attractive target for theft. In the same way, if the
interesting contents of a locked site are clearly visible it becomes a
more likely target for attack (to access whatever sensitive
information may be contained therein).

Any ideas for how to best secure the mediawiki sidebar are much
appreciated. I have included some info on my configuration below to
provide some context for those who may be interested.

--
Thomas (Tom) Hogarty


Greg Sabino Mullane | 13 Dec 2007 19:09

Re: deny anonymous access to sidebar


On Thu, 2007-12-13 at 12:38 -0500, Tom Hogarty wrote:

> Any ideas for how to best secure the mediawiki sidebar are much
> appreciated. I have included some info on my configuration below to
> provide some context for those who may be interested.

A simple solution would be to simply take the sidebar out of the default
skin (whatever $wgDefaultSkin is set to). Edit the corresponding php
file and conditionally take out the entire sidebar. For example, in
skins/CologneBlue.php, you would change the function quickBar() like so:

if( $wgUser->isLoggedIn() ) {
  $s .= $this->menuHead( "qbbrowse" );
  $bar = $this->buildSidebar();
  $browseLinks = reset( $bar );
  foreach ( $browseLinks as $link ) {
    if ( $link['text'] != '-' ) {
      $s .= "<a href=\"{$link['href']}\">" .
        htmlspecialchars( $link['text'] ) . '</a>' . $sep;
    }
  }
}

Similar things can be done with the other skins as needed.

-- 
Greg Sabino Mullane greg@...
End Point Corporation 610-983-9073


River Tarnell | 15 Dec 2007 13:56

Re: deny anonymous access to sidebar

Greg Sabino Mullane wrote:
> A simple solution would be to simply take the sidebar out of the default
> skin (whatever $wgDefaultSkin is set to).

but remember that anonymous users can change the skin by adding e.g.
?useskin=standard to the URL.

	- river.

_______________________________________________
Mediawiki-enterprise mailing list
Mediawiki-enterprise@...
http://lists.wikimedia.org/mailman/listinfo/mediawiki-enterprise

Tom Hogarty | 19 Dec 2007 22:31

Re: deny anonymous access to sidebar

Thanks for the comment River,

I did use the method suggested by Greg and it works to lock down my
default theme. Unfortunately, as you have pointed out, the other themes
are still available to anonymous users by specifying one as a URL
parameter. I am using the $wgSkipSkins setting, but that only limits
the skins available on the Special:Preferences page. The
useskin=standard in the URL still works.

Any suggestions to disable the use of alternate (non-default or
skipped) skins? I was looking on Meta and saw the following section:
http://meta.wikimedia.org/wiki/Skins#Ensure_users_using_skipped_skins_use_the_default_instead

I would prefer not to modify code because it will break when I upgrade,
but so far I have not seen another option. I have applied the above
linked hack to my MediaWiki and it works great. I added the following
to the function normalizeKey in includes/Skin.php (add at the location
recommended by Meta):
                global $wgSkipSkins;
                if( in_array( $key, $wgSkipSkins ) ) {
                        $key = $wgDefaultSkin;
                }

Maybe this should be added to a future release of MediaWiki? I'm
running 1.10.2 and this code is what I needed to completely enforce
$wgSkipSkins.

Many thanks to Greg and River for the helpful info.

-Tom
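
An added example, not part of the original thread or of MediaWiki: a small audit that checks, skin by skin, whether pages rendered for an anonymous visitor still contain private sidebar links, which is the gap River points out with ?useskin=. The sidebar labels, sample HTML and the idea of supplying pre-fetched pages per skin are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlencode


class AnchorCollector(HTMLParser):
    """Collect (href, text) for every <a> element in a page."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def probe_url(index_php, title, skin):
    """URL to request (with no session cookie) to force a given skin."""
    return index_php + "?" + urlencode({"title": title, "useskin": skin})


def leaked_labels(html, private_labels):
    """Private sidebar labels that appear as link text in the given HTML."""
    parser = AnchorCollector()
    parser.feed(html)
    seen = {text for _href, text in parser.links}
    return sorted(label for label in private_labels if label in seen)


def audit(pages_by_skin, private_labels):
    """Map each skin key to the private sidebar labels it exposes."""
    return {skin: leaked_labels(html, private_labels)
            for skin, html in pages_by_skin.items()}

# Constructed sample responses and hypothetical labels, not from the thread:
# the patched default skin hides the sidebar, the unpatched one does not.
SAMPLE = {
    "cologneblue": '<div><a href="/wiki/Special:Userlogin">Log in</a></div>',
    "standard": '<div><a href="/wiki/HR_Policies">HR Policies</a>'
                '<a href="/wiki/Special:Userlogin">Log in</a></div>',
}
PRIVATE = ["HR Policies", "Network Diagrams"]
```

Any skin whose list in the audit() result is non-empty still shows sidebar items to visitors who are not logged in; after the normalizeKey change above, every skipped skin should report an empty list.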

