D'Arcy Norman, PhD

MediaWiki and Access Control

I've been asked by a couple of people about ways to restrict access to pages in wiki.ucalgary.ca. My initial response was often something like "wha? that's just wrong. you don't lock down wikis..."

Then, they explained more about what they wanted to do, and why they couldn't just leave the pages out In The Wild and trust that it was private through obscurity. Things like collaborative student experimental writing, where it would be a Bad Thing™ if things like the Wayback Machine kept eternal snapshots of not-fully-baked writing, which could come back to haunt someone later. Shouldn't have to throw the baby out with the bathwater - restricting access to pages within the wiki would let them play, without exposing them more than they're comfortable with.

So I did some Googling over the last few months, and still haven't come up with a solution I'm completely happy with. The closest I came to a workable solution is the Access Control extension - but that needed some tweaking before it would run as expected (my modified file), and I fear it exposes some pretty scary security risks. What happens if Joe Spamass edits Main_Page and adds a fake access control list to the page? I've installed it, but will be keeping a close eye on it, and maintaining nightly MySQL dumps of the wiki databases Just In Case™.

I also found this patch to enable a "restrict" feature, but it really just creates a "penalty box" where pages can be sent, and only people who are allowed to see the "penalty box" can see the pages - but there's no fine granularity, it's an all-or-nothing thing.

I really don't know why this isn't part of the core feature set of MediaWiki. Sure, the Wikipedia wouldn't use it, but how many gazillion corporate/institutional wikis could benefit from (or require) this feature? There are a lot of folks who are interested in this, but no real solutions that I've found...
