Extension:Restrict access by category and group

From mediawiki.org
MediaWiki extensions manual
Restrict access by category and group
Release status: unmaintained
Implementation User rights
Description Restrict access to pages by users groups and documents categories
Author(s) Andrés Orencio Ramírez Pérez - Andy (lodopidolotalk)
Latest version 2.0.1 (Extension talk) (2016-10-16)
MediaWiki Tested on 1.12.0 to 1.16.0
License GNU General Public License 2.0 or later
Download No link
private

This extension can restrict access to users by group and document category.

Even though MediaWiki is a free/public access collaborative document tool, sometimes it can be helpful, especially in business environments, to have a restricted view of wiki documents.

For example, department's financial documents should not be accessed by customer services users.

In this extension you can establish four access restrictions:

  • Public: White pages: those are public pages that can be accessed by everybody. This is helpful when you have a private MediaWiki and anonymous can only authenticate and see Main page. See $wgWhitelistRead .
  • Public categories: those are all categories that aren't in your groups.php file. Those categories are public.
  • No public categories: those are all categories that are in your groups.php file. Those categories are restricted. Documents that belong to these categories may be accessed by users who belong to at least one of these groups.
  • Private categories:those are all categories that are in your groups.php file with [private] = true option. These categories are private, and only users who belong to one or more of this categories closed to which the document will have access. It is the same behavior that if the document did not belong to any of the no public categories basis only membership to the private category (respect to access).

Configuration Example[edit]

If you have same configuration like this:

then:

  • user1 could access to public document 1 only.
  • user 2 could access to public document 1, no public document 3 and no public document 4.
  • user 3 could access to public document 1, no public document 3, no public document 4 and private document 2.

Usage[edit]

All documents you want to restrict access to, you must add to a category. So you have multiple categories.

Files:

  • $IP/extensions/rabcg/rabcg.php: this is the extension.
  • $IP/extensions/rabcg/groups.php: this is the group catalog.

In your groups.php file, you must add the categories you want to make no public or private. This is made by group definition. For Example:

<?php
// This is a no public category: Financial no public data.
$wgGroupPermissions['Financial no public data']['*'] = true;

// This is a private category: Financial private data.
$wgGroupPermissions['Financial private data']['private'] = true;

To apply this category to your document, you only must write:

[[Category:Financial private data]]

This is only one more category of your document.

Previously (after create the groups in your groups.php file), you must make groups assignments to users by Special:UserRights page.

Download instructions[edit]

This extension is not yet in MediaWiki SVN Repository. Therefore, you must copy & paste the following code as is explained in the installation section below.

Installation[edit]

To install this extension, create a file extensions/RestrictAccessByCategoryAndGroup/RestrictAccessByCategoryAndGroup.php with the following code:

<?php

if ( !defined( 'MEDIAWIKI' ) ) {
	die( 'Not a valid entry point.' );
}

$wgExtensionCredits['parserhook'][] = array(
	'name' => 'Restrict access by category and group',
	'author' => 'Andrés Orencio Ramirez Perez',
	'url' => 'https://www.mediawiki.org/wiki/Extension:Restrict_access_by_category_and_group',
	'description' => 'Allows to restrict access to pages by users groups and page categories',
	'version' => '2.0.1'
);

$wgHooks['getUserPermissionsErrors'][] = 'restrictAccessByCategoryAndGroup';

function restrictAccessByCategoryAndGroup( $title, $user, $action, &$result ) {
	global $wgGroupPermissions;
	global $wgWhitelistRead;
	global $wgLang;
	global $wgHooks;
	global $wgContLang;
	global $wgWhitelistRead;
	global $wgVersion;

	//The Main Page, Login and Logout pages should always be accessible
	if ( $wgVersion >= '1.17' ) {
		$wgWhitelistRead[] = wfMessage( 'mainpage' )->plain();
	} else {
		$wgWhitelistRead[] = wfMsgForContent( 'mainpage' );
	}
        $wgWhitelistRead[] = SpecialPage::getTitleFor( 'Userlogin' )->getLocalUrl();
        $wgWhitelistRead[] = SpecialPage::getTitleFor( 'Userlogout' )->getLocalUrl();

	$validCategory = false;
	$groupExists = false;
	$pageHasCategories = false;
	$privateCategory = false;
	$privateCategoryTemp = false;
	$categoryNamespace = $wgLang->getNsText( NS_CATEGORY );
	$whitePage = true;

	//System categories
	$systemCategory = array();
	foreach ( array_change_key_case( $title->getParentCategories(), CASE_LOWER ) as $key => $value ) {
		$formatedKey = substr( $key, ( strpos( $key, ":" ) + 1 ) );
		$systemCategory[ $formatedKey ] = $value;
	}

	//Is this page a white page?
	if ( isset( $wgWhitelistRead[0] ) ) {
		$whitePage = in_array( $title, $wgWhitelistRead );
	}

	//If the page has no categories, it's public.
	if ( count( $title->getParentCategories() ) == 0 ) {
		$validCategory = true;
	} else {
		//For each system categories
		foreach ( $wgGroupPermissions as $key => $value ) {
			//If current system category is defined as private, then tmpCatP is true
			if ( isset( $wgGroupPermissions[ $key ]['private'] ) ) {
				$privateCategoryTemp = $wgGroupPermissions[ $key ]['private'];
			} else {
				$privateCategoryTemp = false;
			}
			//If current system category exist in the document category array ...
			if ( array_key_exists( strtolower( str_replace( " ", "_", $key ) ), $systemCategory ) ) {
				if ( $privateCategoryTemp and !$privateCategory ) {
					$privateCategory = true;
					$validCategory = false;
				}
				//We see that the user belongs to one of the groups (like of category)
				if ( in_array( $key, $user->getGroups() ) and ( !$privateCategory or ( $privateCategoryTemp and $privateCategory ) ) ) {
					$validCategory = true;
				}
				$groupExists = true;
			}
		}
		$pageHasCategories = count( $title->getParentCategories() ) > 0;
	}

	if ( !$pageHasCategories ) {
		return true;
	}
	if ( !$groupExists and !$whitePage ) {
		return true;
	}
	if ( ( $user->isRegistered() and $validCategory ) or $whitePage ) {
		return true;
	}
    $result = false;
	return false;
}

Then add the following to your LocalSettings.php:

require_once "$IP/extensions/RestrictAccessByCategoryAndGroup/RestrictAccessByCategoryAndGroup.php";
$wgGroupPermissions['Financial no public data']['*'] = true;
$wgGroupPermissions['Financial private data']['private'] = true;