Collections with read-permissions restricted and security risks


Müller

Mar 3, 2011, 9:02:12 AM
to mw...@googlegroups.com
Hi everyone,
I'm facing a problem that I don't know how to solve.
I manage a wiki in a company with LDAP authentication. It would be easy if I just put these variables in the config file:
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['createpage'] = false;
$wgGroupPermissions['*']['createtalk'] = false;

$wgCollectionMWServeCredentials="USERNAME:PASSWORD:DOMAIN";


but obviously this is a security risk.
Is there a way to use the already logged in user to be the user of the variable $wgCollectionMWServeCredentials?
Probably something like this:
$wgCollectionMWServeCredentials="$wgUserName:PASSWORD_ENCRYPTED:DOMAIN"

Wlysses Pereira

Mar 3, 2011, 9:06:59 AM
to mw...@googlegroups.com
Hey guys, I have exactly the same problem. How do I do it?

Johannes Beigel

Mar 3, 2011, 9:19:48 AM
to mw...@googlegroups.com
On 03.03.2011, at 15:02, Müller wrote:
> but obviously this is a security risk.

Yes, it is if you are using the public render server.

> Is there a way to use the already logged in user to be the user of the variable $wgCollectionMWServeCredentials?
> Probably something like this:
> $wgCollectionMWServeCredentials="$wgUserName:PASSWORD_ENCRYPTED:DOMAIN"

What do you mean by "already logged in"? As long as mw-serve doesn't share your local browser cookie, there's no already logged in user.

You might want to use your own render server and grant access by some other means (e.g. in your web server config via IPs or network interfaces).

-- Johannes Beigel


Müller

Mar 3, 2011, 10:01:45 AM
to mw...@googlegroups.com
Sorry for my poor English.

These are my conditions:
  • We already have our own render server, and we are using the MediaWiki Collection extension to render.
  • Only authenticated users can read the articles.
  • The company's security policy prohibits employees' passwords in the configuration files.

When I try to render a page, an error occurs.
The problem is solved if I do this in Collection.php:
$wgCollectionMWServeCredentials="my_user:my_password:domain";

But I don't want my password in the variable, or at least I want to put it there encrypted.

Johannes Beigel

Mar 4, 2011, 3:05:23 AM
to mw...@googlegroups.com
On 03.03.2011, at 16:01, Müller wrote:
> These are my conditions:
> • We already have our own render server, and we are using the MediaWiki Collection extension to render.
> • Only authenticated users can read the articles.
> • The company's security policy prohibits employees' passwords in the configuration files.

You could create a new account only used by the render server. You'd still have to put the password in cleartext in your MediaWiki config, but that should be readable by some admins anyway. And it's not an employee's password.

Alternatively, you provide (somehow, that's up to you) internal access to your MediaWiki that's not password-restricted.

-- Johannes Beigel
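
As an added illustration of the dedicated render-account suggestion above (not code from this thread or from the Collection extension): a LocalSettings.php fragment that keeps that account's password out of the config file itself. The file path and the loadRenderCredentials helper are hypothetical, and the password is still stored in cleartext, only in a separate file with tight permissions.

```php
<?php
// LocalSettings.php fragment. Added example: account, path and helper are assumptions.

// Before: an employee's own password sits in the config file.
// $wgCollectionMWServeCredentials = "my_user:my_password:domain";

// Hypothetical file outside the web root, e.g. owner root, group www-data, mode 0640.
// It holds one line in the form used in this thread: USERNAME:PASSWORD:DOMAIN
$renderCredFile = '/etc/mediawiki/render-credentials';

/**
 * Return the credential string for the render-only account, or null if the
 * file is missing, accessible to other users, or not in the three-field form.
 */
function loadRenderCredentials( $path ) {
	$stat = @stat( $path );
	if ( $stat === false ) {
		error_log( "Collection: credentials file not found: $path" );
		return null;
	}
	// The low three permission bits are the "other" rwx bits (POSIX).
	if ( ( $stat['mode'] & 0007 ) !== 0 ) {
		error_log( "Collection: $path is accessible to other users, refusing to use it" );
		return null;
	}
	$contents = file_get_contents( $path );
	if ( $contents === false ) {
		error_log( "Collection: cannot read $path" );
		return null;
	}
	$line = trim( $contents );
	$parts = explode( ':', $line, 3 );
	if ( count( $parts ) !== 3 || $parts[0] === '' || $parts[1] === '' ) {
		error_log( "Collection: $path is not in USERNAME:PASSWORD:DOMAIN form" );
		return null;
	}
	return $line;
}

$renderCreds = loadRenderCredentials( $renderCredFile );
if ( $renderCreds !== null ) {
	// Only the dedicated account's password ever reaches mw-serve.
	$wgCollectionMWServeCredentials = $renderCreds;
}
// If loading failed, the variable stays unset: rendering of protected pages
// fails, but no employee password is used as a fallback.
```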


Wlysses Pereira

Mar 4, 2011, 8:50:39 AM
to mw...@googlegroups.com
Hello, all right with you? Sorry for my bad English.
I have a suggestion, would not "get" the current user's password, the command to move to?

Alexandre OLEON

Oct 11, 2012, 6:40:20 AM
to mw...@googlegroups.com
Hi!

I have a private MediaWiki on a web hosting service (OVH). On it I installed the Collection extension because I need to export a few pages as PDF and ODT.

The problem I'm facing is that I have my whole wiki protected with a password and only accessible by sysop.
The README.txt of the Collection extension says that it is not safe to use "http://tools.pediapress.com/mw-serve/" as a render because of the password being sent.

What can I use to be safe?

And also, to get my head around it: is the formatting of the output done by the Collection extension or by PediaPress? I want to keep the same formatting.

Can I use something like Extension:PDF_Export to replace the render? Or Extension:PDF Writer? Or must I have a web server where I can install a render?

I would like to be able to do everything from the webhost.

Alex
