
Thread: Quickie ... how do you limit access to Special Pages?

  1. #1

    Quickie ... how do you limit access to Special Pages?

    I've set up a wiki which is on a public webserver. Non-registered users can only see the front page. Logged in users can see content with either edit or view privileges. I've managed this by setting the page permissions on all sub-pages below certain key category pages. Good so far.

    Now I notice that when I'm not logged in I can see Special Pages, e.g.
    http://deki.domain.com/Special:Recentchanges
    http://deki.domain.com/Template:
    .... and ALL THE PAGES below this, including dekiscript containing database queries!!!
    http://deki.domain.com/User:
    ... but apparently all the individual User pages are not accessible.

    Obviously this is not good as it is leaking important information. How do I set permissions on these pages? It seems that the normal method of More > Restrict Access is not available.
    An oversight? A feature?

    Do I need to apply the permissions directly into the database in this case? Any hints on how? I'm slightly alarmed by this one.

  2. #2

    [q2] how do you grant access to control panel but limit access to certain pages?

    Is that possible? (i.e. blocking the "admin" privilege user, who has access to the control panel, from viewing certain pages on the site.)

    Hmm... to make myself clear...

    1. I would like to grant one of the users access to the control panel.
    2. however, I would also like to block the user from viewing certain pages.
    The machine that goes "Ping!"

  3. #3

    No, that's not possible. The admin user is omnipotent.
    Steve G. Bjorg - Chief Architect

  4. #4


    Hmm OK, my original question was hijacked a little here. I'd expect admin users to be able to see anything. My concern was that non-admin, not-even-logged-in-at-all users can see the Special Pages and Templates. And as this is on a public webserver, that's not very good. In fact, pretty nasty information leakage.

    If this is an oversight, where do I mention it?
    If there is a fix, I'd appreciate pointers, even if it's just to a hack. Should I be looking at attacking the apache config files, for example? Or are there any other mechanisms available to me for limiting access to certain pages?

  5. #5

    There isn't a good solution to limit public access to special pages. Try this and see if it works for you. It requires local mods which we don't recommend so proceed at your own risk.

    Edit the special pages you want to limit to logged-in users only and add this member variable:
    PHP Code:
        // determines if anonymous users can access this feature
        protected $allowAnonymous = false;
    To add this functionality to the user listing, edit WEBROOT/deki/plugins/special_page/special_listusers/special_listusers.php
    PHP Code:
        class SpecialListUsers extends SpecialPagePlugin
        {
            // determines if anonymous users can access this feature
            protected $allowAnonymous = false;
            // ... rest of the existing class body stays unchanged
    This only restricts these pages from the UI. If your API is web accessible, someone could still get this info directly from the API. There are a few API features that require web access; however, most can be restricted. Try a search to determine which features need to be open to the web.
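
A way to confirm the result after a change like the one in post #5, as an added example that is not part of the thread or of MindTouch's code: it requests the pages named in post #1 without any session cookie and reports which ones still return content. It assumes a restricted page answers an anonymous request with 401/403 or a redirect whose target contains "login" (`login_marker` is an assumed value to adjust for your site); the function names are hypothetical.

```python
import urllib.error
import urllib.request

# Paths taken from post #1; add any API URLs you expect to be closed.
PATHS = ["/Special:Recentchanges", "/Template:", "/User:"]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # do not follow; the 3xx surfaces as an HTTPError


def fetch_anonymous(url, timeout=10):
    """Cookie-less GET. Returns (status, Location header or '')."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location") or ""
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location") or ""


def classify(status, location, login_marker="login"):
    """Map an anonymous response to denied / exposed / review."""
    if status in (401, 403):
        return "denied"
    if 300 <= status < 400 and login_marker in location.lower():
        return "denied"   # bounced to the login page (assumed behaviour)
    if status == 200:
        return "exposed"  # content served without authentication
    return "review"       # 404, 5xx, unrelated redirect: check by hand


def audit(base, paths=PATHS, fetch=fetch_anonymous):
    """Classify every path under base; fetch is injectable for offline use."""
    base = base.rstrip("/")
    return {path: classify(*fetch(base + path)) for path in paths}


if __name__ == "__main__":
    # Constructed responses so the demo runs offline; drop the fetch
    # argument to query a wiki you administer.
    canned = {"/Special:Recentchanges": (200, ""),
              "/Template:": (302, "/login-page-placeholder"),
              "/User:": (403, "")}
    base = "http://deki.domain.com"
    for path, verdict in audit(base, fetch=lambda u: canned[u[len(base):]]).items():
        print(f"{verdict:8} {path}")
```

A "review" verdict means the response matched neither pattern and the page should be opened in a logged-out browser to see what it actually shows.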
