-
Please support me in the 2010 Ride to Conquer Cancer - last year we were able to raise $6.9 million for the Alberta Cancer Foundation - hopefully we can raise even more in 2010! -
Blog under the Creative Commons Attribution 3.0 License
Dec
13
(2005)
MediaWiki and Access Control
Filed under: Uncategorized. Tags: mediawiki, security, wiki.
I’ve been asked by a couple of people about ways to restrict access to pages in wiki.ucalgary.ca. My initial response was often something like “wha? that’s just wrong. you don’t lock down wikis…”
Then, they explained more about what they wanted to do, and why they couldn’t just leave the pages out In The Wild and trust that it was private through obscurity. Things like collaborative student experimental writing, where it would be a Bad Thing™ if things like the Wayback Machine kept eternal snapshots of not-fully-baked writing, which could come back to haunt someone later. Shouldn’t have to throw the baby out with the bathwater – restricting access to pages within the wiki would let them play, without exposing them more than they’re comfortable with.
So I did some Googling over the last few months, and still haven’t come up with a solution I’m completely happy with. The closest I came to a workable solution is the Access Control extension – but that needed some tweaking before it would run as expected (my modified file), and I fear it exposes some pretty scary security risks. What happens if Joe Spamass edits Main_Page and adds a fake access control list to the page? I’ve installed it, but will be keeping a close eye on it, and maintaining nightly MySQL dumps of the wiki databases Just In Case™.
I also found this patch to enable a “restrict” feature, but it really just creates a “penalty box” where pages can be sent, and only people who are allowed to see the “penalty box” can see the pages – but there’s no fine granularity, it’s an all-or-nothing thing.
I really don’t know why this isn’t part of the core feature set of Mediawiki. Sure, the Wikipedia wouldn’t use it, but how many gazillion corporate/institutional wikis could benefit (or require) this feature? There are a lot of folks who are interested in this, but no real solutions that I’ve found…
Jeremy – thanks for the idea! I suppose there’s no real need to shoehorn all wiki-like activities into one central place… Not sure how Tiddly would work out, though – don’t users have to manually save/upload the file each time? How would it handle collaboration with multiple authors?
We have had similar requests concerning our wiki (http://wiki.case.edu). My idea is to use another tool for the job — per request installations of TiddlyWikis generated on demand. We stick them behind CAS and let the user define the set of other users which would be allowed to access the wiki.
Per Jeff’s idea, such an idea could be extended to use Shibb instead of CAS to allow collaboration between people from multiple Universities.
Hm… a fork of MediaWiki to support security and access control… That’s definitely an option – it is open source. I’m not familiar enough with the inner workings – would it be possible to implement this as a set of extensions so that forking could be avoided?
An interesting idea Aron. My particular interest is integrating Mediawiki with other protected/restricted/whatever applications. It might be neat to build CAS or Shib support into Mediawiki…
MediaWiki could really benefit from a project fork, I think. It’s true that mediawiki is developed for wikimedia internal use primarily, but it is still open source. I guess nobody has been motivated enough to start a new branch.
We use MediaWiki at the University of Saskatchewan (http://wiki.usask.ca), but we don’t have one big wiki for everyone. Instead, we create separate wikis for each group who wants one. When you ask for a wiki, you can choose to keep it completely private to your group, or make it publicly readable, or completely open so the public can read and write.
We’re still in the early stages of all this, but interestingly, so far no-one has asked for a public wiki.
Earl, thanks for the suggestion.
I’ll check out how easy it is to replicate Mediawiki sites – ideally I could set up a “template” site with some help content and backup admin account, and just clone that as needed. I do that for Drupal sites now, but that pattern in Mediawiki would be handy. It does look like Mediawiki would require a completely separate installation for each site, which would be a bit of a pain – not fatal though.
hey guys,
Just googling around.. has anyone had any luck with getting Mediawiki integrated with Shibb or Mod_shib ?
haven’t tried that. we’re not using shib up here yet.
I was able to get this extension to work on MediaWiki 1.9 when all others failed. So I want to thank you for your hard work.
I have one question. When I use this extension, on the page I want to protect, where the accesscontrol info is located displays a 1 on the page. How can I change that? Maybe it could display the user that have access to the page instead of a 1?
Thanks in advanced.
Anthony