This extension requires patches to core MediaWiki code. Extensions implemented using patches may be disabled by or interfere with upgrades and security patches. If a suitable alternative without a patch is available, we recommend you use that extension instead.
Release status: beta
Description: Fix for removing protected content from lists and transclusion
Last version: v1.01 (29th October 2010)
License: GPL v2 (as MediaWiki)
What can this extension do? 
This extension eliminates the issues listed on Security issues with authorization extensions for "userCan" hook based access control extensions.
Specifically, it removes protected articles from lists (e.g. recentchanges, search results, new articles), and prevents unauthorised users from gaining access to protected content by transcluding it.
This extension should be used in conjunction with a separate access control extension (e.g. Extension:PermissionACL).
Install and configure a userCan hook based access control extension (e.g. Extension:PermissionACL). You'll notice that the access control system doesn't prevent protected content from being listed and linked to, or transcluded in other articles.
Carry out the instructions below to fix this.
Download instructions 
Download using the link in the (top right) infobox above.
Extract the ZIP file contents into your MediaWiki directory.
patch -p0 < patch_CategoryPage.diff
patch -p0 < patch_ChangesList.diff
patch -p0 < patch_Parser.diff
patch -p0 < patch_SpecialAllpages.diff
patch -p0 < patch_SpecialNewpages.diff
patch -p0 < patch_SpecialRecentchanges.diff
patch -p0 < patch_SpecialSearch.diff
patch -p0 < patch_SpecialWhatlinkshere.diff
(Note: Most Unix/Linux systems should come with patch. For MS Windows, you can use a copy from the GNU utilities for Win32.)
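A pre-flight check for the patch commands above, as an added example that is not part of the extension's distribution: it dry-runs all eight patches and applies them only if every one applies cleanly, keeping `.orig` backups of the core files. It assumes GNU patch and that each patch touches a different file; the function name `apply_patches_checked` is hypothetical.

```shell
#!/bin/sh
# Added example (not shipped with the extension). Assumes GNU patch.
# The eight patch files named in the install instructions above.
PATCHES="patch_CategoryPage.diff patch_ChangesList.diff patch_Parser.diff
patch_SpecialAllpages.diff patch_SpecialNewpages.diff
patch_SpecialRecentchanges.diff patch_SpecialSearch.diff
patch_SpecialWhatlinkshere.diff"

# apply_patches_checked DIR [PATCH...]
#   DIR is the MediaWiki directory the ZIP was extracted into.
#   Returns 0 = all applied, 1 = a patch does not apply (nothing modified),
#           2 = directory or patch file missing, 3 = failure while applying.
# Usage: apply_patches_checked /path/to/mediawiki
apply_patches_checked() {
    dir=$1
    shift
    # Default to the eight patches from the page (word splitting intended).
    [ $# -gt 0 ] || set -- $PATCHES
    (
        cd "$dir" || exit 2
        for p in "$@"; do
            [ -f "$p" ] || { echo "missing patch file: $p" >&2; exit 2; }
        done
        # Pass 1: dry run only. -N makes an already-applied patch count as
        # a failure instead of prompting to reverse it. Because the patches
        # are assumed to touch different files, checking each one against
        # the unmodified tree is valid.
        for p in "$@"; do
            patch -p0 -N --dry-run < "$p" >/dev/null 2>&1 || {
                echo "does not apply cleanly, nothing changed: $p" >&2
                exit 1
            }
        done
        # Pass 2: apply for real; -b keeps each original as FILE.orig so the
        # core files can be restored before a MediaWiki upgrade.
        for p in "$@"; do
            patch -p0 -N -b < "$p" >/dev/null || {
                echo "failed while applying $p; restore from .orig" >&2
                exit 3
            }
        done
    )
}
```

A non-zero result from the dry run usually means the core files differ from the MediaWiki version the patches were written against.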
This should patch the following files:
Configuration parameters 
To configure this extension, $wgShowNonPermittedAs must be set in LocalSettings.php.
To simply remove protected articles from all lists (e.g. recent changes, search results) and transclusion, set it to an empty string (note: this can affect paginated lists; you may find nothing on the first page, and entries on the second, etc.):
$wgShowNonPermittedAs = '';
To display "<Access denied>" or some other fixed text wherever protected content (or an article link in a list) would otherwise be displayed, set it to the string to be displayed:
$wgShowNonPermittedAs = htmlspecialchars('<Access denied>');
To display one of the standard MediaWiki messages wherever protected content (or an article link in a list) would otherwise be displayed, set it to the string to be displayed:
$wgShowNonPermittedAs = wfMsgExt('badaccess', array('parse'));