Last modified: 2013-04-22 08:25:23 UTC
If $wgGroupPermissions['*']['read'] = false;, or through some other way the user is not allowed to view a page, its existence or non-existence should be concealed as well. Currently, you can tell whether the page you are trying to view exists in different ways; this is a loophole which can reveal very limited, but potentially critical information: For example, you can be (almost) sure that a certain user is registered on a private wiki, if the corresponding user/user_talk page exists.

The following has to be done:
1. Mark all links to other pages as existent if the user is not allowed to view them.
2. Mark Skin::topLinks to page&talkpage as existent if the user is not allowed to view them.
3. Treat an existing page like it is not existent if the user is not allowed to view it (hide "view source" and "history" toplinks and "recentchanges" toolbox link).

A bit of a philosophical question: Should links to pages the user is not allowed to view be marked as existent or non-existent? On one side, you could interpret "red" links as: "you can't view this page, because you are not allowed to or it does not exist", on the other hand red links are exclusively used to mark "this page does not exist yet", while blue links may also point to empty logs, etc.
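The three steps proposed in the report above, as an added sketch that is not MediaWiki code and not part of the original thread. It models link state and page actions so that a viewer without read access gets the same output whether or not the page exists. All function names, the viewer array and the sample titles are hypothetical and constructed for illustration.

```php
<?php
// Added illustration; hypothetical names throughout, not MediaWiki's API.

const LINK_EXISTS  = 'exists';   // what a skin would render as a blue link
const LINK_MISSING = 'missing';  // what a skin would render as a red link

// Constructed sample data: title => page exists.
$pages = ['User:Alice' => true, 'User_talk:Alice' => true];

// Assumption: models a private wiki where only logged-in users may read.
function canRead(array $viewer, string $title): bool {
    return $viewer['loggedIn'];
}

// Steps 1 and 2: without read access the answer is a constant, so link
// colour no longer depends on whether the target exists.
function linkState(array $pages, array $viewer, string $title): string {
    if (!canRead($viewer, $title)) {
        return LINK_EXISTS;
    }
    return !empty($pages[$title]) ? LINK_EXISTS : LINK_MISSING;
}

// Step 3: without read access an existing page offers the same (empty)
// action set as a page that does not exist.
function pageActions(array $pages, array $viewer, string $title): array {
    if (!canRead($viewer, $title) || empty($pages[$title])) {
        return [];
    }
    return ['view source', 'history', 'recentchanges'];
}

function render(array $pages, array $viewer, string $title): array {
    return [
        'link'    => linkState($pages, $viewer, $title),
        'actions' => pageActions($pages, $viewer, $title),
    ];
}

// Regression check: true if the rendered output differs between a page
// that exists and one that does not, i.e. existence is observable.
function leaksExistence(array $pages, array $viewer, string $existing, string $absent): bool {
    return render($pages, $viewer, $existing) !== render($pages, $viewer, $absent);
}

$anon   = ['loggedIn' => false];
$member = ['loggedIn' => true];
var_dump(leaksExistence($pages, $anon, 'User:Alice', 'User:Nobody'));
var_dump(leaksExistence($pages, $member, 'User:Alice', 'User:Nobody'));
```

The check only covers the two signals the report lists; any other output that varies with page existence would need its own comparison.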
A bit of philosophical comment: why is it wrong to let users know about pages they can't access? It's a bit like the CIA: we don't know what they are doing but we do know they exist.
Yeah, I'm leaning towards WONTFIX here...
I'm setting WONTFIX here for now. If there are good arguments, please reopen. "if the corresponding user/user_talk page exists" has to be fixed in other places already when it comes to access restrictions.