00404: Security -- AllRecentChanges etc. list changes to pages that should not be visible

Summary: Security -- AllRecentChanges etc. list changes to pages that should not be visible
Created: 2005-03-23 16:34
Status: Closed - not a bug
Category: Bug
Assigned:
Priority: 3
Version: pmwiki-2.0.beta26
OS: Linux / Apache / don't know

Description: I have a series of pages in a wiki that are protected with read and edit passwords. It seems that the content of changes made to the pages does not show up in the RSS view of the AllRecentChanges page unless I've already provided a password to my RSS reader. However, the pages that were modified are still listed in the AllRecentChanges page (and its ilk).

From a security standpoint, I'd rather these pages were not visible at all (not even the names of the pages) in any of the recent changes lists to people who were not supposed to know about them.

I would be happy with a way to suppress certain groups from being in the AllRecentChanges listing, as there are just certain areas of my wiki that are password-protected.

This is an issue for the site-wide search pages as well -- hidden pages show up in search results even if the passwords to those pages haven't been entered.


To prevent hidden pages from appearing in a search, use:

    $EnablePageListProtect = 1;

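If you don't want read-protected pages to appear in the recent changes listings, you can do:

    # Read check with no password prompt (third argument false);
    # if it fails, clear the recent-changes formats.
    if (!RetrieveAuthPage($pagename, 'read', false))
      $RecentChangesFmt = array();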

--Pm