Testing Namespace-Based Protection

From MontCo MediaWiki

This site has been opened up for testing of namespace protection to other MediaWiki developers and administrators.

This site uses Duesentrieb's lockdown extension - so to duplicate you will have to go and download. If you are also going to extend the lockdown for uploaded files, you need to use the lockdown extension provided with the patches.

For Testers

When you go on, there are two custom namespaces:

• TEST - You will have full access to
• TESTDENIED - For testing a namespace you do not have access to.

A word of caution. If you intend to use namespace protection, you should create those articles in the namespace originally. If the namespaces have not been created, it will put them into categories ([category]:Test Article) and they will be extremely difficult to find and move.

There is an additional set of patches which also secure the files (e.g., Image:TEST:yourfile.doc). This patch is necessary for protecting uploaded files, but not currently available as an extension. We're working with TimStarling to incorporate into the next version of filerepo (see below)

To test this version, you should try to create (or read) and article in the TEST and TESTDENIED namespaces (e.g., TEST:Testing this Article and/or TESTDENIED:Testing this Article).

You should be allowed to create and read articles in the TEST namespace, but not in the TESTDENIED Namespace.

For the more fully adventurous, you can also try to upload and use files from these namespaces (e.g. Image:TEST:mypic.jpg, or Media:TEST:mypic.jpg). This functionality is only available if you patch your system as discussed below.

If you need (or want) these patches, you can download them from:

• Image NS Protection (Windows Zip)
• Image NS Protection (TAR)

Allow namespace and category designation for Images/files

This enhancement was submitted as a bugfix, but given a wontfix status by the MediaWiki powers that be. The alternative is to use the new file classes, which will be available in 1.11 (hopefully)

If namespaces were allowed as sub-categorization of images, a large number of features could be enabled through extensions and other customization, including:

• Namespace protection on images
• Categorization, sorting, search by namespace (and category) of images
• Tree-structuring of images (eg, sub-directory type listings using NS and designated categories)

The proposed mechanism would be two-fold:

1. Allow namespace in image link (eg., Image:[ns]:[Image Name])
2. Include namespace in file hash (eg., [ns]/[category]/[hash]/file.img

This functionality can be implemented by patching 4 files and is completely reverse compatible with previous versions. Additionally, the proposed patches require this functionality to be enabled (disabled by default), and poses almost no overhead when not used.

It provides a platform for much needed image categorization, including enhanced listing and segregation with very little cost.

Modifications:

SpecialUpload.php - modify to allow uploading of image using [ns]:[Image Name] format, assign to ns, and save in [ns]/[category]/[hash]/file.img hashed format

• Image.php - parse ns/category in image reference (if exists)
• ImageFunctions.php - parse ns/category in image reference (if exists)
• Title.php - needs two set property functions

Uploaded File Conformance with FileRepo (Version 1.11+)

The file repository system is being rewritten by Tim Starling for purposes of performance and replication redundancy. This has arisen from the need to handle a growing number of graphical supplements to Wikipedia articles. As a side result, MediaWiki will allow multiple classes of file types (instead of just Media and Image), which can be handled using extensions. The impact will be that we could create classes (looks like namespaces) of file storage which would allow restricted access. For example:

[[TEST_FILES:test.jpg]]

This will not be compatible with the current extension structure:

[[Media:TEST:test.jpg]]

I do not intend to support the latter once FileRepo is released, so the files would have to be reloaded into the new structures.

Optional:

img_auth.php - enhance to use enhanced hashing or (preferable), new img_authNS.php which does same with NS protection checking (old img_auth would still work, just wouldn't have overhead/functionality of NS checking). You should review article Image Authorisation to provide thorough protection, replacing img_auth with img_authNS.php in the configuration and from the uploaded patches.