Re: [Mediawiki-enterprise] Gathering money for MediaWiki ACL (was: How do you manage the security in your Mediawiki installation (Enterprise wiki) ?)

2013-10-15 Thread Pierre Labrecque
Hello,

I would like to know if there is any news on points 0 and 1 (see below:
proposal of how ACL should work / including ACL into Roadmap).
This is just for my info...
Thanks!

-- pierre

-Original Message-
From: mediawiki-enterprise-boun...@lists.wikimedia.org 
[mailto:mediawiki-enterprise-boun...@lists.wikimedia.org] On Behalf Of Mark A. 
Hershberger
Sent: Saturday, August 24, 2013 1:20 PM
To: Yury Katkov; MediaWiki for enterprises
Subject: Re: [Mediawiki-enterprise] Gathering money for MediaWiki ACL (was: How 
do you manage the security in your Mediawiki installation (Enterprise wiki) ?)

On 08/24/2013 06:42 AM, Yury Katkov wrote:
> 0) Writing a good proposal of how ACL should work. Will it be based on
> namespaces? or maybe categories (although it's hard to imagine)? or
> maybe per-page access? I can help to describe this vision document.
>
> 1) coordination with WMF and including ACL into Roadmap. First we need
> to be sure that the possible patches to the core:
>   - will not be rejected just because of philosophy of openness
>   - will not be removed after several versions
> I've got no ideas how that can be done. Probably via RFC with
> signatures of interested companies.


___
Mediawiki-enterprise mailing list
Mediawiki-enterprise@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-enterprise




Re: [Mediawiki-enterprise] Gathering money for MediaWiki ACL (was: How do you manage the security in your Mediawiki installation (Enterprise wiki) ?)

2013-10-15 Thread Mark A. Hershberger
On 10/15/2013 03:16 PM, Pierre Labrecque wrote:
> I would like to know if there is any news on points 0 and 1 (see below:
> proposal of how ACL should work / including ACL into Roadmap).

This is something I'd really like to make happen, but right now my MW
energy is being spent on getting 1.22.0 out the door.

After that, I would like to work on it, though.

Better, we could start putting together a proposal now, though.

Yury, do you have anything put together for how ACL should work?

Mark.



Re: [Mediawiki-enterprise] Gathering money for MediaWiki ACL (was: How do you manage the security in your Mediawiki installation (Enterprise wiki) ?)

2013-10-15 Thread vitalif

Hi Pierre, by the way, what was your experience with IntraACL? :)




Re: [Mediawiki-enterprise] Gathering money for MediaWiki ACL (was: How do you manage the security in your Mediawiki installation (Enterprise wiki) ?)

2013-08-27 Thread Markus Glaser
On 08/27/2013 10:27 AM, vita...@yourcmc.ru wrote:
> Actually, the first and the basic step is much simpler - MediaWiki
> should perform userCanRead() checks everywhere it displays information
> about any page.
+1. Sometimes, it's not so easy, though, especially when it comes to lists of 
pages and paging. In the medium term, though, we should go for some deeper 
security model that performs checks directly when an article is accessed 
instead of manually checking all over the code.


> I'm now trying to improve API protection in IntraACL (before today it
> was provided only by Title hack which returned Access denied
> instead of any real inaccessible Title object) - and it seems
> userCanRead() must be added in almost every ApiQuery*.php file :-X
> (ApiPageSet isn't used everywhere)
Just a short note: userCanRead seems to be deprecated since 1.19. It's 
recommended to use userCan('read') instead.

Best,
Markus
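
Added example, not part of the thread and not MediaWiki or IntraACL code: a small model of why lists and paging complicate per-page read checks. The titles, the hidden set and the `can_read()` stand-in for a check such as `userCan('read')` are constructed for illustration.

```python
# Added illustration, not MediaWiki or IntraACL code.
# TITLES and HIDDEN are constructed sample data; can_read() stands in for
# a per-page read check such as userCan('read').
from itertools import islice

TITLES = sorted(["Budget", "HR/Salaries", "Help", "Main Page",
                 "Roadmap", "Secret plan", "Team"])
HIDDEN = {"HR/Salaries", "Secret plan"}


def can_read(title):
    return title not in HIDDEN


def list_page_then_check(limit, offset=0):
    """Cut the page first, run the read check afterwards."""
    window = TITLES[offset:offset + limit]
    visible = [t for t in window if can_read(t)]
    # A short page tells the caller how many titles in the window were
    # withheld, and the offset keeps counting rows the caller cannot see.
    return visible, offset + limit


def list_check_then_page(limit, after=None):
    """Run the read check while scanning, then cut the page."""
    readable = (t for t in TITLES
                if (after is None or t > after) and can_read(t))
    page = list(islice(readable, limit + 1))  # one extra row: is there more?
    if len(page) > limit:
        # The continuation token is the last title actually returned,
        # so it never names or counts a hidden page.
        return page[:limit], page[limit - 1]
    return page, None


if __name__ == "__main__":
    print(list_page_then_check(3))
    first, token = list_check_then_page(3)
    print(first, token)
    print(list_check_then_page(3, after=token))
```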




Re: [Mediawiki-enterprise] Gathering money for MediaWiki ACL (was: How do you manage the security in your Mediawiki installation (Enterprise wiki) ?)

2013-08-24 Thread Виталий Филиппов


> I propose to split the topic and discuss the creation of ACL for MW in
> this thread.
>
> I see three sub-tasks here:
>
> 0) Writing a good proposal of how ACL should work. Will it be based on
> namespaces? or maybe categories (although it's hard to imagine)? or
> maybe per-page access? I can help to describe this vision document.

Yury, why is it hard to imagine per-category access? :-)



Re: [Mediawiki-enterprise] Gathering money for MediaWiki ACL (was: How do you manage the security in your Mediawiki installation (Enterprise wiki) ?)

2013-08-24 Thread Yury Katkov
Mostly because it's so easy to add a category. Another thing is that
one page typically belongs to several categories that can have
different access mode. I think it's possible to implement
per-category access but there will be many interesting nuances.

The funniest thing I can think of is when I'm editing the page and add
the category to which I don't have the view permissions. I click Save
and my article disappears from the view :) . Of course it's solvable,
but I suspect there are a lot more similar cases that will require some
additional efforts.
-
Yury Katkov, WikiVote



On Sat, Aug 24, 2013 at 3:33 PM, Виталий Филиппов vita...@yourcmc.ru wrote:


>> I propose to split the topic and discuss the creation of ACL for MW in
>> this thread.
>>
>> I see three sub-tasks here:
>>
>> 0) Writing a good proposal of how ACL should work. Will it be based on
>> namespaces? or maybe categories (although it's hard to imagine)? or
>> maybe per-page access? I can help to describe this vision document.
>
> Yury, why is it hard to imagine per-category access? :-)



Re: [Mediawiki-enterprise] Gathering money for MediaWiki ACL (was: How do you manage the security in your Mediawiki installation (Enterprise wiki) ?)

2013-08-24 Thread vitalif

> Mostly because it's so easy to add a category. Another thing is that
> one page typically belongs to several categories that can have
> different access mode. I think it's possible to implement
> per-category access but there will be many interesting nuances.


That's correct... But on the other hand, categories are the main 
structuring tool in MediaWiki. And people want to apply rights based on 
their existing page structure. It's the problem of flat structuring - 
access rights are simpler and more evident in hierarchies.


> The funniest thing I can think of is when I'm editing the page and add
> the category to which I don't have the view permissions. I click Save
> and my article disappears from the view :) . Of course it's solvable,
> but I suspect there are a lot more similar cases that will require some
> additional efforts.


In both HaloACL and IntraACL category isn't like a mandate - to the 
contrary, it's like a grant - rights from different categories are added 
to each one.


The case in which the article disappears from your view after adjusting 
access rights will always persist (or the extension should check for the 
loss on each edit), and one needs to call admins in that case, because 
MediaWiki has no article owner idea (which is definitely good for 
encyclopedia, just like the flat structuring). Either the extension 
should implement article owners...
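
Added example, not part of the thread and not HaloACL or IntraACL code: a model of the grant semantics described in the message above, next to the "mandate" reading it is contrasted with, plus the per-edit check for an editor losing read access. Category names, users and the rule that a page with no protected category is open are assumptions made for the illustration.

```python
# Added illustration, not HaloACL or IntraACL code.
# Constructed sample data: which users each protected category lets read.
CATEGORY_READERS = {
    "Finance": {"alice", "bob"},
    "Board": {"carol"},
}


def allowed_readers(categories, mode="grant"):
    """Return the users allowed to read, or None if the page is open."""
    sets = [CATEGORY_READERS[c] for c in categories if c in CATEGORY_READERS]
    if not sets:
        return None  # assumption: no protected category means an open page
    if mode == "grant":
        # Grant: rights from the different categories are added together.
        return set().union(*sets)
    # Mandate: every category must allow the user.
    return set.intersection(*sets)


def can_read(user, categories, mode="grant"):
    readers = allowed_readers(categories, mode)
    return readers is None or user in readers


def check_save(user, old_categories, new_categories, mode="grant"):
    """Per-edit check: would this save remove the editor's own read access?"""
    if can_read(user, old_categories, mode) and \
            not can_read(user, new_categories, mode):
        return "lockout"
    return "ok"


if __name__ == "__main__":
    # Adding a second category under grant semantics only widens access.
    print(check_save("bob", ["Finance"], ["Finance", "Board"]))
    # The same edit under mandate semantics locks the editor out.
    print(check_save("bob", ["Finance"], ["Finance", "Board"], mode="mandate"))
    # Tagging an open page with a category the editor cannot read
    # locks the editor out even under grant semantics.
    print(check_save("bob", [], ["Board"]))
```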




Re: [Mediawiki-enterprise] Gathering money for MediaWiki ACL (was: How do you manage the security in your Mediawiki installation (Enterprise wiki) ?)

2013-08-24 Thread Mark A. Hershberger
On 08/24/2013 06:42 AM, Yury Katkov wrote:
> 0) Writing a good proposal of how ACL should work. Will it be based on
> namespaces? or maybe categories (although it's hard to imagine)? or
> maybe per-page access? I can help to describe this vision document.

Awesome.  I look forward to your input here.


> 1) coordination with WMF and including ACL into Roadmap. First we need
> to be sure that the possible patches to the core:
>   - will not be rejected just because of philosophy of openness
>   - will not be removed after several versions
> I've got no ideas how that can be done. Probably via RFC with
> signatures of interested companies.

There are plenty of people who would like to use MediaWiki (or who are
using some ACL hacks like Lockdown) who see the usefulness of this.
Since Markus and I have the contract for MediaWiki Release Management
and we both recognise the need, I don't think we'll have a problem at
least getting a hearing.

From what I see, the impediments to acceptance in core are:

* A unified approach
* Ensuring that the performance isn't affected when Wikipedia (which
doesn't need this now) uses any modifications.

Since I haven't spent a lot of time looking at this, I can only say that
this may limit what can be accepted in core to a set of hooks.

Still, that may be enough.


> 2) Searching for the developers and testers. There are many possible
> developers that may be interested in this task: HalloWelt, Custis,
> DIQA-PM, maybe even Wikia. Besides there are a lot of independent
> developers here

Right.  I don't think the labor aspect is a problem.

> 3) Fundraising. For independent developer it's possible to ask for
> individual engagement grant [1] but mostly it should be a crowdfunding
> from MediaWiki-related companies.
>
> For that task we need a person who has personal contact with many
> MediaWiki-related companies and is ready to contact each of them
> asking to take part in funding. I'm not sure who that can be (maybe
> me, maybe someone from organizing committee of Wikimania or Wikisym,
> maybe someone from WMF) but it's going to be a god damn lot of dirty
> work that needs funding.

Agreed.  This is, in my opinion, the hardest part.  Hallo Welt! and the
SMW developers seem to have a lot of corporate connections.  Perhaps if
we took care of 0 and 1 from your list, we could find someone to
help with 3.

Mark.

-- 
Mark A. Hershberger
NicheWork LLC
717-271-1084
