With wiki sites being owned by individuals there is only a single question that concerns us, "Are you the site owner?"
In the current (July 2015) code base there are a number of issues:-
* A single authentication scheme is built in. Scheme specific code is in both the client and server.
* The protected resources rather than asking if you are authorized to perform the action ask if you are authenticated, and elsewhere we only allow the site owner to be authenticated.
The aim of is to separate out the authentication scheme specific parts of implementation, into a security plug-in. Such that it would be possible both for alternative schemes to be developed, and server owners to pick an appropriate scheme, without needing to create a scheme specific version of the server and client.
We do not provide a mechanism for creation of privatly shared wiki sites, this is might be provided using Layered Authentication.
Modular implementation has now been released, with Mozilla Persona authentication.
As well as the Mozilla Persona authentication, that is the current default, there is a basic 'no' authentication scheme. This will soon be modified, as part of changing support for ephemeral sites, so sites are read-only.
With the closure of the Mozilla Persona service, two alternative security plug-ins have been created: i) a Passport.js based solution, at release adding support for GitHub, Google and Twitter based identity, and ii) a simple 'friends' plug-in that uses a shared secret.