Extension talk:WhiteList

Please document the effects of checking and not checking the box in the Modify/All/None column. Svanslyck 23:02, 9 February 2008 (UTC)
 * Thanks for the suggestion. I added a much more detailed usage description on the main page. Hopefully this will clarify the usage. --Gri6507 03:28, 10 February 2008 (UTC)

Possible to use wildcard statements for namespace access?
I like the control and thoroughness of this extension, but am afraid that once my wiki has more than a few hundred pages, it will become difficult to manage permissions. Would it be possible to add wildcard statements in the whitelist override, like ...

$wgWhitelistOverride['always']['read'] = array(
    "Project:*",       # grants everybody permission to see all pages in the Project namespace
);

Another feature would be to allow a working group to generate new content without a "manager" being present to grant each member of the workgroup access to each new page (effectively having to create new pages for the workgroup and then manage access to individual pages). A solution might be something like pseudo namespaces with wildcards. A workgroup leader could request that users x, y, and z have permissions to a new pseudo namespace "Foo". Then a manager could grant those users permissions using the whitelist access editor with "Foo:*".

This method would rely on new pages intended to be in a group of pages actually including the prefix. CWinDC 16:18, 23 February 2008 (UTC)


 * Thank you for the feedback. We are actually already working on the wildcard whitelist access. The next release version will have this support in it. I expect the next release to be sometime within a week. --Gri6507 17:56, 23 February 2008 (UTC)
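
As an added illustration (not code from the WhiteList extension or from anyone in this thread), here is one way wildcard entries such as "Project:*" and "Foo:*" could be matched against page titles with deny-by-default. The function names are hypothetical and the titles are constructed sample data.

```php
<?php
// Added illustration; not code from the WhiteList extension.
// Function names are hypothetical; patterns come from the examples in this thread.

/**
 * Convert a whitelist entry such as "Project:*" into an anchored regex.
 * Only "*" is a wildcard; every other character is matched literally.
 */
function whitelistPatternToRegex(string $pattern): string {
    $parts = array_map(
        fn($p) => preg_quote($p, '/'),
        explode('*', $pattern)
    );
    // Anchor both ends so a prefix entry cannot match in the middle of a title.
    return '/\A' . implode('.*', $parts) . '\z/su';
}

/** MediaWiki treats underscores and spaces in titles as equivalent. */
function normaliseTitle(string $title): string {
    return trim(str_replace('_', ' ', $title));
}

/** Deny by default: a title is readable only if some entry matches it. */
function isWhitelisted(string $title, array $patterns): bool {
    $title = normaliseTitle($title);
    foreach ($patterns as $pattern) {
        $regex = whitelistPatternToRegex(normaliseTitle($pattern));
        if (preg_match($regex, $title) === 1) {
            return true;
        }
    }
    return false;
}

// Constructed sample data.
$patterns = ["Project:*", "Foo:*"];
$titles = [
    "Project:Roadmap",     // page inside the Project namespace
    "Foo:Meeting_notes",   // workgroup page carrying the pseudo-namespace prefix
    "Foobar:Secret",       // different prefix that merely starts with "Foo"
    "Talk:Foo:Meeting",    // "Foo:" appears, but not at the start of the title
    "Meeting notes",       // workgroup page created without the "Foo:" prefix
];
foreach ($titles as $t) {
    printf("%-20s %s\n", $t, isWhitelisted($t, $patterns) ? "allow" : "deny");
}
```

The last sample title shows the dependency raised in the request above: a workgroup page created without the "Foo:" prefix matches no entry.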

How secure is this?
How well does this extension fare under http://www.mediawiki.org/wiki/Security_issues_with_authorization_extensions ? Are there ways to work around the whitelist?
 * You are correct to be concerned. That is why the top of the extension page has a rather lengthy disclaimer with a link to the same page you are referring to here :-). To see how well this extension fares compared to other controlled access extensions, you can take a look at this listing (note, not everything that is listed in red is actually a bad thing).


 * The only additional comment I can make is that the developers (I am one of them) have taken every precaution to make this as bulletproof as possible. Based on our own testing, we have not found a way to bypass this extension yet. However, if you start poking into it, you may still find some holes which we will be glad to fix. The only other thing I can say, for whatever it's worth, is that this extension has been deemed secure enough for our internal company use. --Gri6507 00:03, 28 February 2008 (UTC)