Thread:Talk:Requests for comment/Page protection as a component/Access control (ACL)

"We shouldn't distribute MediaWiki without a permission model", well we've done so for about 13 years. :-D Security issues with authorization extensions outlines some of the problems. IMHO two realistic goals for this RFC would be:
 * 1) reduce hardcoded and scattered permission checks in core (e.g. checks for a specific default user group hardcoded in the code for a special page or action);
 * 2) introduce pervasive and low-level hooks to override core's behaviour where needed, making it possible for Lockdown to be simpler to implement and to not need core hacks at all (bug 64787 and friends).