From: Thomas S. <sch...@on...> - 2009-07-07 11:05:26
Dear SMW users and developers,

the Halo team will soon release a new access control extension, called HaloACL.

Yet another Access Control – What's different?

* MediaWiki's access control is based on actions. Either an action is allowed for a user or it is forbidden.
  * Drawback: Fine-grained control is not possible.
* Permission ACL (one of the best access control extensions):
  * Advantages: Can control access to pages, instances of categories and namespaces.
  * Drawbacks:
    * Only administrators can change access rights
    * There is only one Access Control List which is not suitable for intense use (i.e. thousands of individual rights)
    * Uses MediaWiki groups which can only be defined by administrators

* Access Control with HaloACL is very flexible
  * HaloACL can protect individual pages, instances of categories and namespaces. (Values of semantic properties will follow.)
  * Users can define their own groups which can contain users and other groups.
  * Every user can easily protect his own articles.
  * HaloACL supports the actions: read, edit with form, wysiwyg, annotate, edit, create, move, delete
  * Access rights can be defined and reused in other access rights.
  * Every user can define a rights template that is automatically applied to his newly created articles.
  * Supports a whitelist
  * A comprehensive GUI is planned.
  * HaloACL will work with or without SMW.

For everybody who is interested, I have set up a testwiki at
http://testwiki.ontoprise.com/aclwiki/index.php/Main_Page
User: acl
Pwd: acl

Access control extensions are always very critical. Even small bugs can make them useless. So please play with it and try to get access to the content of the articles:
* ProtectedArticle
* ProtectedArticleInCategory
* User:ProtectedUser

If you can read one of these articles then please follow the instructions you find there.

Best
Thomas

-- 
Thomas Schweitzer
Professional Services
ontoprise GmbH - know how to use Know-how
---
ontoprise is the general contractor for Vulcan's Semantic Wiki in Project Halo
http://www.ontoprise.de/
---
Amalienbadstraße 36 (Raumfabrik 29); 76227 Karlsruhe
Tel.: +49 (0) 721 509 809 39; Fax: +49 (0) 721 509 809 11
eMail: sch...@on...; www: http://www.ontoprise.de
Registered office: Amtsgericht Mannheim, HRB 9540
Managing directors: Prof. Dr. Jürgen Angele, Dipl.Wi.-Ing. Hans-Peter Schnurr
From: Markus K. <ma...@se...> - 2009-07-07 15:05:38
Nice.

Initial observations (while your wiki is getting bombed by other attackers ;-)

* #ask with "format=count" and "format=debug" will create an error since they return a string.
* Trying to edit or create articles creates an error. Only preview works. But editing still works, it just is not shown.
* I have found out that Category:ProtectedCategory contains "ProtectedArticleinCategory". Is this an information that you tried to hide? (at least it is hidden on the category page and in #ask)

-- Markus

On Tuesday, 7 July 2009, Thomas Schweitzer wrote:
> Dear SMW users and developers,
>
> the Halo team will soon release a new access control extension, called
> HaloACL.
>
> Yet another Access Control – What's different?
> * MediaWiki's access control is based on actions. Either an action is
> allowed for a user or it is forbidden.
> * Drawback: Fine-grained control is not possible.
> * Permission ACL (one of the best access control extensions):
> * Advantages: Can control access to pages, instances of categories and
> namespaces.
> * Drawbacks:
> * Only administrators can change access rights
> * There is only one Access Control List which is not suitable for
> intense use (i.e. thousands of individual rights)
> * Uses MediaWiki groups which can only be defined by administrators
>
> * Access Control with HaloACL is very flexible
> * HaloACL can protect individual pages, instances of categories and
> namespaces. (Values of semantic properties will follow.)
> * Users can define their own groups which can contain users and other
> groups.
> * Every user can easily protect his own articles.
> * HaloACL supports the actions: read, edit with form, wysiwyg, annotate,
> edit, create, move, delete
> * Access rights can be defined and reused in other access rights.
> * Every user can define a rights template that is automatically applied
> to his newly created articles.
> * Supports a whitelist
> * A comprehensive GUI is planned.
> * HaloACL will work with or without SMW.
>
> For everybody who is interested, I have set up a testwiki at
> http://testwiki.ontoprise.com/aclwiki/index.php/Main_Page
> User: acl
> Pwd: acl
>
> Access control extensions are always very critical. Even small bugs can
> make them useless. So please play with it and try to get access to the
> content of the articles:
> * ProtectedArticle
> * ProtectedArticleInCategory
> * User:ProtectedUser
>
> If you can read one of these articles then please follow the
> instructions you find there.
>
> Best
> Thomas

-- 
Markus Krötzsch
Semantic MediaWiki
http://semantic-mediawiki.org
http://korrekt.org
ma...@se...
From: Markus K. <ma...@se...> - 2009-07-07 15:25:59
On Tuesday, 7 July 2009, Thomas Schweitzer wrote:
> Hi Markus,
>
> thanks for your feedback! See my comments inline.
>
> > Nice.
> >
> > Initial observations (while your wiki is getting bombed by other attackers
> > ;-)
> >
> > * #ask with "format=count" and "format=debug" will create an error since
> > they return a string.
>
> Ok, I was not aware of this and will take this into account.
>
> > * Trying to edit or create articles creates an error. Only preview works.
> > But editing still works, it just is not shown.
>
> I've created several articles without problems. When does this occur?

I saw this when trying to create or edit new articles without being logged in.

> > * I have found out that Category:ProtectedCategory contains
> > "ProtectedArticleinCategory". Is this an information that you tried to
> > hide? (at least it is hidden on the category page and in #ask)
>
> Yes, I try to hide it. How did you find this out then?

Special:Export -> Fill in from category.

-- Markus

>
> And by the way: Congratulations to David MacDonald. He found the first
> bug and was able to read "ProtectedArticle". It is already fixed and I
> won't tell how he did it :-)
>
> Best
> Thomas

-- 
Markus Krötzsch
Semantic MediaWiki
http://semantic-mediawiki.org
http://korrekt.org
ma...@se...
From: Thomas S. <sch...@on...> - 2009-07-09 15:01:45
>>> * I have found out that Category:ProtectedCategory contains
>>> "ProtectedArticleinCategory". Is this an information that you tried to
>>> hide? (at least it is hidden on the category page and in #ask)
>>>
>> Yes, I try to hide it. How did you find this out then?
>>
>
> Special:Export -> Fill in from category.
>
> -- Markus
>
Hi Markus,

this is fixed now. Instances of protected categories are no longer added to the list of exported articles.

--Thomas
From: Thomas S. <sch...@on...> - 2009-07-07 15:32:04
Hi Markus,

thanks for your feedback! See my comments inline.

> Nice.
>
> Initial observations (while your wiki is getting bombed by other attackers ;-)
>
> * #ask with "format=count" and "format=debug" will create an error since they
> return a string.
>
Ok, I was not aware of this and will take this into account.

> * Trying to edit or create articles creates an error. Only preview works. But
> editing still works, it just is not shown.
>
I've created several articles without problems. When does this occur?

> * I have found out that Category:ProtectedCategory contains
> "ProtectedArticleinCategory". Is this an information that you tried to hide?
> (at least it is hidden on the category page and in #ask)
>
Yes, I try to hide it. How did you find this out then?

And by the way: Congratulations to David MacDonald. He found the first bug and was able to read "ProtectedArticle". It is already fixed and I won't tell how he did it :-)

Best
Thomas
From: Markus K. <ma...@se...> - 2009-07-07 16:23:33
On Tuesday, 7 July 2009, Markus Krötzsch wrote:
> On Tuesday, 7 July 2009, Thomas Schweitzer wrote:
...
>
> > And by the way: Congratulations to David MacDonald. He found the first
> > bug and was able to read "ProtectedArticle". It is already fixed and I
> > won't tell how he did it :-)

You should. Without full knowledge, the rest of us cannot attack as effectively. Plus I am curious.

Also, it would be nice to have basic ParserFunctions (if, ifeq, ...) and StringFunctions available. They should be harmless, shouldn't they? ;-)

-- Markus

P.S.: I get the following quite often:

Fatal error: Call to a member function getTitle() on a non-object in D:\wikis\aclwiki\extensions\HaloACL\includes\HACL_Evaluator.php on line 594

> >
> > Best
> > Thomas

-- 
Markus Krötzsch
Semantic MediaWiki
http://semantic-mediawiki.org
http://korrekt.org
ma...@se...
From: Thomas S. <sch...@on...> - 2009-07-09 10:02:27
> Also, it would be nice to have basic ParserFunctions (if, ifeq, ...) and
> StringFunctions available. They should be harmless, shouldn't they? ;-)
>
>
Oops, forgot to include them in LocalSettings.
>
> P.S.: I get the following quite often:
>
> Fatal error: Call to a member function getTitle() on a non-object in
> D:\wikis\aclwiki\extensions\HaloACL\includes\HACL_Evaluator.php on line 594
>
That's fixed now. I had to take into account that SMWPropertyValue::getWikiPageValue() sometimes returns null.

--Thomas
From: Thomas S. <sch...@on...> - 2009-07-09 09:42:12
Hi Tom,

thanks for your hint. I've fixed this bug. Of course, redirects are handled :-)

So up till now, only one of you was successful. That gives me a little confidence in my code. However, I'm looking forward to further attacks.

Best
Thomas

Thomas Fellows wrote:
> Hey Thomas,
>
> Was just playing around with it - I assume the first attack was
> successful via the redirect hack?
>
> http://testwiki.ontoprise.com/aclwiki/index.php?title=Attack&redirect=no
>
> returns
>
> Fatal error: Call to a member function getTitle() on a non-object in
> D:\wikis\aclwiki\extensions\HaloACL\includes\HACL_Evaluator.php on line 594
>
> I'll play around more later!
>
> -tom
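The two holes discussed in this thread have the same shape: the read check is applied to one object while the content reaches the reader through another. The redirect hack Tom asks about (a redirect page such as Attack pointing at a protected article) and Markus's Special:Export "fill in from category" (a member listing that the category page and #ask already filtered) both route around a check that only looks at the title the user asked for. The model below is an added example written for this page, not HaloACL's code; it uses the thread's test page names with constructed users, groups and ACLs, and since the thread does not say how HaloACL combines page, category and namespace rights, it assumes a page is public unless some ACL covers it and that every covering ACL must grant. It implements the user-defined nested groups, page/category/namespace protection and whitelist from the announcement, and puts the alias-only check and the unfiltered listing beside their fixed versions.

```python
"""Page-level read ACL with nested groups, category/namespace protection, and
the two leak channels from the thread: a redirect alias pointing at a protected
page, and a category listing (as in Special:Export) not filtered by the read check.
Added example written for this page, not HaloACL's code; all data is constructed."""
from dataclasses import dataclass, field


@dataclass
class Page:
    title: str
    categories: set = field(default_factory=set)
    redirect_to: str = None  # target title when this page is a redirect


@dataclass
class ReadAcl:
    """Who may read: explicit users plus groups (groups may contain groups)."""
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)


class Wiki:
    def __init__(self):
        self.pages = {}           # title -> Page
        self.groups = {}          # group -> members (user names or group names)
        self.page_acls = {}       # title -> ReadAcl
        self.category_acls = {}   # category -> ReadAcl
        self.namespace_acls = {}  # namespace prefix such as "User" -> ReadAcl
        self.whitelist = set()    # titles everyone may read regardless of ACLs

    def in_group(self, user, group, _seen=None):
        """Recursive membership; _seen guards against group cycles."""
        _seen = set() if _seen is None else _seen
        if group in _seen:
            return False
        _seen.add(group)
        members = self.groups.get(group, set())
        return user in members or any(
            self.in_group(user, m, _seen) for m in members if m in self.groups)

    def grants(self, acl, user):
        return user in acl.users or any(self.in_group(user, g) for g in acl.groups)

    def acls_covering(self, title):
        """Page ACL, ACLs of the page's categories, and the namespace ACL."""
        page = self.pages[title]
        acls = [self.page_acls[title]] if title in self.page_acls else []
        acls += [self.category_acls[c] for c in page.categories if c in self.category_acls]
        namespace = title.split(":", 1)[0] if ":" in title else ""
        if namespace in self.namespace_acls:
            acls.append(self.namespace_acls[namespace])
        return acls

    def can_read_title(self, user, title):
        """Naive check of the requested title only. Model assumption: a page is
        public unless some ACL covers it, and every covering ACL must grant."""
        if title not in self.pages:
            return False
        return title in self.whitelist or all(
            self.grants(acl, user) for acl in self.acls_covering(title))

    def resolve_redirect(self, title, limit=10):
        for _ in range(limit):
            page = self.pages.get(title)
            if page is None or page.redirect_to is None:
                break
            title = page.redirect_to
        return title

    def can_read(self, user, title):
        """Fixed check: the alias and the page actually served after redirects."""
        return all(self.can_read_title(user, t) for t in {title, self.resolve_redirect(title)})

    def category_members_unfiltered(self, category):
        """What a listing leaks when it bypasses the read check."""
        return sorted(p.title for p in self.pages.values() if category in p.categories)

    def category_members(self, user, category):
        """Fixed listing, filtered per reader: protected members are absent."""
        return [t for t in self.category_members_unfiltered(category) if self.can_read(user, t)]


def build_sample_wiki():
    """Constructed data: the thread's test page names with made-up ACLs."""
    w = Wiki()
    w.groups["halo-team"] = {"thomas"}
    w.groups["smw-devs"] = {"markus", "halo-team"}  # nested group
    w.pages["Main_Page"] = Page("Main_Page")
    w.pages["ProtectedArticle"] = Page("ProtectedArticle")
    w.page_acls["ProtectedArticle"] = ReadAcl(groups={"smw-devs"})
    w.pages["ProtectedArticleInCategory"] = Page("ProtectedArticleInCategory", {"ProtectedCategory"})
    w.category_acls["ProtectedCategory"] = ReadAcl(users={"thomas"})
    w.pages["User:ProtectedUser"] = Page("User:ProtectedUser")
    w.namespace_acls["User"] = ReadAcl(groups={"halo-team"})
    w.pages["Attack"] = Page("Attack", redirect_to="ProtectedArticle")  # the alias
    return w


if __name__ == "__main__":
    w = build_sample_wiki()
    print("alias-only check lets acl read Attack:", w.can_read_title("acl", "Attack"))
    print("redirect-aware check:", w.can_read("acl", "Attack"))
    print("unfiltered listing:", w.category_members_unfiltered("ProtectedCategory"))
```

For the anonymous test account the alias-only check says yes to Attack and the redirect-aware check says no, which is the difference between the two. The same `can_read` is what every listing, export and query result set has to be filtered through, since each one is another channel to the same content. The cycle guard in `in_group` matters as soon as users can define groups that contain groups: without it, a user who creates A containing B and B containing A takes the evaluator down with a recursion error on every page view, a denial of service rather than a bypass, but still the kind of small bug the announcement warns about.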