Sergei Frankoff | 12 May 2008 19:35

Hello and onto an ACL question.

Hello all,

I have been charged with looking into access control implementations for 
MediaWiki and was directed to this list by some folks on IRC. Basically, 
our company has a small internal wiki that is fractured by department. We 
want to roll it out company-wide, but in order to do that we will need to 
implement access control (possibly linked to LDAP). Does such an 
extension already exist for MediaWiki? Is there something similar being 
developed? Any suggestions are most welcome.

Thank you for your time,

Sergei
Brian A. Seklecki | 12 May 2008 19:47

Re: Hello and onto an ACL question.


On Mon, 2008-05-12 at 13:35 -0400, Sergei Frankoff wrote:
> implement access control (possibly linked to LDAP). Does such an 

GroupsAdministration.php + CategoryPermissions.php +
LdapAuthentication.php = "Enterprise Mediawiki"(*)

~BAS

(*) Let the Wank Words Bingo tournament begin

-- 
Brian A. Seklecki <bseklecki@...>
Collaborative Fusion, Inc.
Sergei Frankoff | 12 May 2008 19:59

Re: Hello and onto an ACL question.

Brian A. Seklecki wrote:
> On Mon, 2008-05-12 at 13:35 -0400, Sergei Frankoff wrote:
>   
>> implement access control (possibly linked to LDAP). Does such an 
>>     
>
> GroupsAdministration.php + CategoryPermissions.php +
> LdapAuthentication.php = "Enterprise Mediawiki"(*)
>
>
> ~BAS
>
> (*) Let the Wank Words Bingo tournament begin
>
>
>   
Yes, the LDAP plug-in gets me halfway, but it seems as though Enterprise 
Mediawiki still has inherent security flaws when it comes to specific 
page access control. Other than the mirroring solution, is there 
something more elegant that can be relied on?

Sergei
Brian A. Seklecki | 12 May 2008 20:06

Re: Hello and onto an ACL question.


On Mon, 2008-05-12 at 13:59 -0400, Sergei Frankoff wrote:
> page access control. Other than the mirroring solution is there 

You can set up users into roles, and set "RO" and "Private" categories to
restrict page views or edits to role members à la POSIX.

Those groups can even be populated out of LDAP.

Mediawiki is far from secure, though, by any means.  For example,
media/image/upload objects aren't stored in the database -- anyone with
the path can go get a file.  

Security wasn't a design goal.  You can use GroupPermissions to
discourage wandering eyes.

Let me know if you need example configs.

~BAS

-- 
Brian A. Seklecki <bseklecki@...>
Collaborative Fusion, Inc.
Lane, Ryan | 12 May 2008 21:07

Re: Hello and onto an ACL question.

> Mediawiki is far from secure, though, by any means.  For example,
> media/image/upload objects aren't stored in the database -- 
> anyone with
> the path can go get a file.  
> 

You can use img_auth.php for this. The files will be served out via
MediaWiki, not Apache. You specifically deny access to the files via
Apache.

Either way, MediaWiki is not designed for denying read access to
individual pages or namespaces, and anyone trying to do so is setting
themselves up for failure.

V/r,

Ryan Lane
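
An added configuration sketch for the img_auth.php setup described in the message above; it is not part of the thread or any poster's own configuration. The images path and the Apache 2.4 `Require` syntax are assumptions.

```php
<?php
// LocalSettings.php fragment: added example, not from the thread.

// img_auth.php is intended for wikis where anonymous users cannot read,
// so read access is restricted wiki-wide first.
$wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['*']['edit'] = false;

// Generate upload URLs that go through img_auth.php instead of pointing
// at the images directory, so MediaWiki checks the session before
// streaming the file.
$wgUploadPath = "$wgScriptPath/img_auth.php";

// The web server must then refuse direct requests for the upload
// directory, otherwise the old path still works. Apache 2.4 syntax;
// /var/www/wiki/images is an assumed location:
//
//   <Directory "/var/www/wiki/images">
//       Require all denied
//   </Directory>
//
// Check from a logged-out client: a direct /images/... URL should
// return 403, and the same file requested via img_auth.php should be
// refused as well.
```

This protects uploads on a wiki that is private as a whole; it does not add per-page or per-namespace read control, which is the limitation described in the message above.
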
Sergei Frankoff | 12 May 2008 21:11

Re: Hello and onto an ACL question.

Lane, Ryan wrote:
>> Mediawiki is far from secure, though, by any means.  For example,
>> media/image/upload objects aren't stored in the database -- 
>> anyone with
>> the path can go get a file.  
>>
>>     
>
> You can use img_auth.php for this. The files will be served out via
> MediaWiki, not Apache. You specifically deny access to the files via
> Apache.
>
> Either way, MediaWiki is not designed for denying read access to
> individual pages or namespaces, and anyone trying to do so is setting
> themselves up for failure.
>
> V/r,
>
> Ryan Lane
>
>   
That is becoming apparent. I guess I will be looking into other wiki 
solutions. I appreciate all of your time and effort.

Sergei