On Thu, 17 Jan 2008, Markus Krötzsch wrote:
> On Thursday, 17 January 2008, Asheesh Laroia wrote:
>> On Fri, 26 Oct 2007, [EMAIL PROTECTED] wrote:
>>> Although I also wished there would be an easy solution to let only
>>> specific user groups view certain parts of a page there doesn't seem to
>>> exist an extension or other solution which addresses all the related
>>> problems according to
>>> http://www.mediawiki.org/wiki/Security_issues_with_authorization_extensions
>>> http://www.mediawiki.org/wiki/Category:Page_specific_user_rights_extensions
>>
>> I will give those a more careful read through. In general, I accept that
>> it may not be perfect; at least attacks based on the above problems can be
>> detected in our Apache logs.
>>
>>> Even if there would be a way to hide certain SMW properties in the
>>> factbox (as it's easy to hide them on the page itself) I don't see a
>>> straightforward method to hide these data in the page source when the
>>> page is edited. Hiding all factboxes via $smwgShowFactbox and
>>> restricting editing to admins on those pages doesn't seem very
>>> desirable.
>>
>> For my case, I modified the Factbox to not show attributes with "secret_"
>> as a substring of their name, and I'm planning on restricting edits and
>> even view-source for those pages.
>>
>> It's not a whole lot of pages, just people's user pages with their
>> personal information (the idea is that the site admins want to use this to
>> e.g. send things to the users in the mail, and want to use SMW queries to
>> pick out who to send things to, but the users may not be comfortable
>> publishing that publicly) - so restricting edits on those pages is no
>> problem for us.
>>
>> Thanks to all who contributed to this thread; maybe in another three
>> months I'll report back.
>
> Thanks, but I have doubts that there is an easy way for hiding SMW-content
> selectively! Note that property values can also be retrieved by queries
> (inlines in #ask or via Special:Ask), through browsing specials
> (Special:Browse, ...), or via OWL/RDF (Special:ExportRDF).
> Hiding "secret_..." in Factboxes is a very weak measure. The first other
> thing one could do is to include a similar check in all functions of
> SMW_SQLStore.php that deal with properties!
I do also do that. However, my check is so strict currently that the data
doesn't even get stored in the DB I think. (-;
> Even that might leave holes though, and my official answer would be: do
> not use MediaWiki/SMW for selectively publishing sensitive data!
A very reasonable position, and I hope (for my sake) that one day I'll
show you that I've hacked it to do this well enough.
-- Asheesh.
--
"Thank heaven for startups; without them we'd never have any advances."
-- Seymour Cray
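
Added example, not part of the original messages and not SMW code: a log check for the read paths named in the thread (Special:Ask, Special:Browse, Special:ExportRDF), flagging requests that mention a "secret_" property or target a protected page. It assumes Apache combined log format and that the protected pages are User: pages; the sample log lines, addresses and parameter names are constructed.

```python
import re
from urllib.parse import unquote_plus

# Assumptions (not from the thread): Apache combined log format, protected
# data sits on User: pages, sensitive property names contain "secret_".
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
READ_PATHS = ("special:ask", "special:browse", "special:exportrdf")
PAGE_PATHS = ("special:browse", "special:exportrdf")  # these take a page name

def normalize(target):
    """Percent-decode (up to 3 rounds, for double encoding), fold case/spaces."""
    for _ in range(3):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return target.lower().replace(" ", "_")

def classify(line):
    """Return (client, reason, raw_target) for a request worth review, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, _method, raw, _status = m.groups()
    target = normalize(raw)
    if not any(p in target for p in READ_PATHS):
        return None
    if "secret_" in target:  # property named in a query or printout
        return (client, "secret-property", raw)
    if "user:" in target and any(p in target for p in PAGE_PATHS):
        return (client, "protected-page", raw)  # whole-page dump of a user page
    return None

def scan(lines):
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample lines; addresses, paths and parameter names are illustrative.
TS = "[17/Jan/2008:10:00:00 +0000]"
SAMPLE_LOG = [
    f'192.0.2.10 - - {TS} "GET /wiki/Main_Page HTTP/1.1" 200 5120 "-" "-"',
    f'192.0.2.44 - - {TS} "GET /index.php?title=Special:Ask&q=%5B%5BCategory%3AUser%5D%5D&po=Secret_address HTTP/1.1" 200 2048 "-" "-"',
    f'198.51.100.7 - - {TS} "GET /wiki/Special:Browse/User:Alice HTTP/1.1" 200 4096 "-" "-"',
    f'198.51.100.7 - - {TS} "GET /wiki/Special:ExportRDF/User%253AAlice HTTP/1.1" 200 3072 "-" "-"',
    f'192.0.2.10 - - {TS} "GET /wiki/Special:Ask HTTP/1.1" 200 1024 "-" "-"',
]

if __name__ == "__main__":
    for client, reason, raw in scan(SAMPLE_LOG):
        print(f"{client}\t{reason}\t{raw}")
```

The access log records only the request line, so queries submitted by POST do not appear in it and are not covered by this check.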