Page MenuHomePhabricator
Create Task
Maniphest T156788

Improve support for read access restriction / access control
Closed, DuplicatePublic
Actions

Description

Problem

There are a lot of extension using the userCan hook for access control. Yet there are still parts of the core where userCan is not considered. This is true in particular for read access. For example, afaik, QueryPages do not consider read access. Quite often, this is as simple as adding a userCan hook call. I'm not proposing to make Mediawiki read access bullet proof, but to fix the most obvious read access holes.

Who would benefit

Extension developers who need to implement access control for their mediawikis

Proposed solution

We can use this list as a basis: https://www.mediawiki.org/wiki/Security_issues_with_authorization_extensions . It needs to be updated to the current state of MediaWiki. Then the open questions / issues can be addressed in the code. Ideally, at the end we have a positive list of which pages / actions consider read access.

Related Objects

Event Timeline

Mglaser created this task.Jan 31 2017, 10:55 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 31 2017, 10:55 AM
RHeigl awarded a token.Jan 31 2017, 4:18 PM
srishakatux moved this task from To Be Triaged to Technical Debt on the Developer-Wishlist (2017) board.Feb 2 2017, 1:57 AM
srishakatux moved this task from Technical Debt to Extensions on the Developer-Wishlist (2017) board.
srishakatux subscribed.Feb 3 2017, 11:32 PM

This proposal is selected for the Developer-Wishlist voting round and will be added to a MediaWiki page very soon. To the subscribers, or proposer of this task: please help modify the task description: add a brief summary (10-12 lines) of the problem that this proposal raises, topics discussed in the comments, and a proposed solution (if there is any yet). Remember to add a header with a title "Description," to your content. Please do so before February 5th, 12:00 pm UTC.

FreedomFighterSparrow subscribed.Feb 8 2017, 10:47 AM
Aklapper added a project: MediaWiki-General.Feb 21 2017, 5:41 PM
Tgr mentioned this in T158148: Promote Developer Wishlist 2017 proposals.Feb 28 2017, 1:31 AM
srishakatux added a project: Wikimedia-Hackathon-2017.Apr 28 2017, 10:38 PM
srishakatux moved this task from Backlog to Featured Projects on the Wikimedia-Hackathon-2017 board.
MGChecker subscribed.May 21 2017, 9:39 PM
MGChecker awarded a token.May 21 2017, 9:42 PM
MGChecker added a subscriber: Luke081515.
Tgr subscribed.Jan 4 2019, 4:18 PM
Tgr added a comment.Jan 4 2019, 7:22 PM

This is primarily of interest to third parties, but there are some Wikimedia use cases. Abuse filters are an example of a special page that makes a lot of effort to simulate page content behavior (edit history, diffs, deletion, etc) and still gets fairly crappy results, so it would make sense to turn filters into wiki pages. Except some filters are not supposed to be visible to all users, and currently wiki pages can't reliably do that. Also requiring a private wiki for every wiki that needs private discussion / documentation (like enwiki arbcom) is not so great.

Tgr edited projects, added MediaWiki-Core-AuthManager; removed MediaWiki-General.Apr 27 2019, 6:59 AM

See also https://meta.wikimedia.org/wiki/Grants:IdeaLab/A_place_to_work_together for Wikimedia use cases.

Tgr mentioned this in T156789: Introduce and document a minimum rights hierarchy.Apr 27 2019, 7:01 AM
Tgr added a comment.Apr 27 2019, 7:05 AM

The IntraACL patch list seems like a good starting point. Maybe the one for Lockdown too, although that seems less maintained.

Besides IntraACL, Lockdown/NSFileRepo and AccessControl look pretty well-maintained, those might be a good basis for reviewing what might or might not be supported today.

cicalese triaged this task as Medium priority.Jul 30 2019, 11:56 PM
cicalese moved this task from Needs Discussion to Needs Discussion on the MediaWiki-Stakeholders-Group board.
DannyS712 subscribed.Aug 9 2019, 4:04 AM
Bugreporter closed this task as a duplicate of T230668: Fully implement read/view restrictions in mediawiki core.Aug 18 2019, 6:25 PM
Izno subscribed.Aug 20 2019, 3:09 AM
DannyS712 mentioned this in T230668: Fully implement read/view restrictions in mediawiki core.Dec 27 2019, 11:47 PM
DannyS712 mentioned this in T249380: RfC: Per namespace view restrictions.Apr 3 2020, 9:43 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL