
Mailing List Archive: Wikipedia: Mediawiki

Are there any wgGroupPermissions Related Hooks?

 

 



ioplex at gmail

Sep 5, 2008, 9:38 AM

Post #1 of 3 (219 views)
Are there any wgGroupPermissions Related Hooks?

Hi,

Our PHP extension has a way of checking group membership in Active
Directory (gets group SIDs from the Kerberos PAC which is v. fast).
I've been asked countless times to incorporate this into our
corresponding MediaWiki extension but there are two problems:

1) MW is not designed to protect individual resources as there are
multiple ways to access the same content using different resource
identifiers (e.g. via export, images are served statically, ... etc).

2) MW does not appear to offer any group related extension "hooks".

So 1 pretty much rules out any kind of page based access control.

However, I was wondering if there was anywhere else our group
membership checks could be employed safely?

For example, mapping of $wgGroupPermissions groups to groups of the
external authority (e.g. Active Directory in our case) could be
performed by having a group map like:

$myGroupMap = array(
    '*' => 'EXAMPLE\\Domain Users',
    'user' => 'EXAMPLE\\My Wiki Users',
    'bureaucrat' => 'EXAMPLE\\My Wiki Bureaucrats',
);

Then, at authentication time the $wgGroupPermissions array could be
populated based on whether or not the user is in these groups like:

foreach ($myGroupMap as $mwGroup => $adGroup) {
    if (plexcel_is_member_of($adGroup)) {
        $wgGroupPermissions[$mwGroup] = ???
    }
}

It seems dynamically adding people to MW groups does not degrade the
existing security mechanisms of MW.

Of course the '???' part is a blur - are there any hooks for this sort of thing?

Are there any hooks or other ways to engage our extension's snappy
group membership checking?

Mike

--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/

_______________________________________________
MediaWiki-l mailing list
MediaWiki-l[at]lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l


Ryan.Lane at ocean

Sep 8, 2008, 7:28 AM

Post #2 of 3 (193 views)
Re: Are there any wgGroupPermissions Related Hooks? [In reply to]

> Then, at authentication time the $wgGroupPermissions array could be
> populated based on whether or not the user is in these groups like:
>
> foreach ($myGroupMap as $mwGroup => $adGroup) {
>     if (plexcel_is_member_of($adGroup)) {
>         $wgGroupPermissions[$mwGroup] = ???
>     }
> }
>
> It seems dynamically adding people to MW groups does not degrade the
> existing security mechanisms of MW.
>
> Of course the '???' part is a blur - are there any hooks for
> this sort of thing?
>

Are you trying to add a user to MediaWiki groups, or are you trying to
add permissions to a group?

It looks like you are trying to add permissions. Why not instead
synchronize the user's groups from AD, to MediaWiki? Then admins can
assign permissions to LDAP groups via MediaWiki like they normally do.

See the LDAP Authentication plugin, specifically the "setGroups"
function.

V/r,

Ryan Lane



ioplex at gmail

Sep 27, 2008, 8:59 PM

Post #3 of 3 (121 views)
Re: Are there any wgGroupPermissions Related Hooks? [In reply to]

On Mon, Sep 8, 2008 at 10:28 AM, Lane, Ryan
<Ryan.Lane[at]ocean.navo.navy.mil> wrote:
>> Then, at authentication time the $wgGroupPermissions array could be
>> populated based on whether or not the user is in these groups like:
>>
>> foreach ($myGroupMap as $mwGroup => $adGroup) {
>>     if (plexcel_is_member_of($adGroup)) {
>>         $wgGroupPermissions[$mwGroup] = ???
>>     }
>> }
>>
>> It seems dynamically adding people to MW groups does not degrade the
>> existing security mechanisms of MW.
>>
>> Of course the '???' part is a blur - are there any hooks for
>> this sort of thing?
>>
>
> Are you trying to add a user to MediaWiki groups, or are you trying to
> add permissions to a group?
>
> It looks like you are trying to add permissions. Why not instead
> synchronize the user's groups from AD, to MediaWiki? Then admins can
> assign permissions to LDAP groups via MediaWiki like they normally do.
>
> See the LDAP Authentication plugin, specifically the "setGroups"
> function.

Hi Ryan,

As always, you know what to do.

Using addGroup I was able to add "Windows Group Mapping" to our
Plexcel MediaWiki Plugin so that people can push MW group membership
management into AD. The LocalSettings.php directive looks like:

$wgAuth->groupMap = array(
    'ACME\\Wiki Bureaucrats' => 'bureaucrat',
    'ACME\\Wiki Sysops' => 'sysop',
);

So whoever is in the 'ACME\Wiki Bureaucrats' Windows group will be
automatically added to the bureaucrats group. Brilliant!

Thanks again,
Mike

--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
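
Added example (not part of the thread, and not Plexcel or MediaWiki code): the group mapping from the last post written as a two-way sync, so that a mapped wiki group is also removed once the Windows group membership is gone. WikiUser and syncMappedGroups are hypothetical names; WikiUser stands in for MediaWiki's User object and the callback stands in for plexcel_is_member_of().

```php
<?php
// Added example. WikiUser is a minimal stand-in for MediaWiki's User object;
// $isMemberOf stands in for plexcel_is_member_of() (both are assumptions).
class WikiUser {
    private $groups;
    public function __construct(array $groups) { $this->groups = $groups; }
    public function getGroups() { return $this->groups; }
    public function addGroup($g) { if (!in_array($g, $this->groups, true)) { $this->groups[] = $g; } }
    public function removeGroup($g) { $this->groups = array_values(array_diff($this->groups, array($g))); }
}

// Reconcile wiki groups with directory membership. Only groups named in
// $groupMap are touched; groups granted locally outside the map are left alone.
function syncMappedGroups(WikiUser $user, array $groupMap, callable $isMemberOf) {
    $entitled = array();
    foreach ($groupMap as $adGroup => $mwGroup) {
        // Implicit groups are computed by MediaWiki and cannot be assigned.
        if (in_array($mwGroup, array('*', 'user', 'autoconfirmed'), true)) {
            continue;
        }
        // Several directory groups may map to one wiki group: any match grants it.
        $entitled[$mwGroup] = !empty($entitled[$mwGroup]) || $isMemberOf($adGroup);
    }
    $changes = array('added' => array(), 'removed' => array());
    foreach ($entitled as $mwGroup => $allowed) {
        $has = in_array($mwGroup, $user->getGroups(), true);
        if ($allowed && !$has) {
            $user->addGroup($mwGroup);
            $changes['added'][] = $mwGroup;
        } elseif (!$allowed && $has) {
            // Revoke when directory membership is gone, or the right lingers.
            $user->removeGroup($mwGroup);
            $changes['removed'][] = $mwGroup;
        }
    }
    return $changes; // suitable for an audit log entry
}

// Constructed sample: user left 'ACME\Wiki Bureaucrats', joined 'ACME\Wiki Sysops'.
$adMemberships = array('ACME\\Wiki Sysops');
$user = new WikiUser(array('bureaucrat', 'bot'));
$map = array('ACME\\Wiki Bureaucrats' => 'bureaucrat', 'ACME\\Wiki Sysops' => 'sysop');
$changes = syncMappedGroups($user, $map, function ($g) use ($adMemberships) {
    return in_array($g, $adMemberships, true);
});
print_r($changes);
print_r($user->getGroups());
```

With a sync like this, every group listed in the map becomes directory-authoritative: a mapped group granted by hand in the wiki is removed at the next login unless the Windows group membership backs it.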

