Extension:Hierarchical Namespace Permissions
If you need per-page or partial page access restrictions, you are advised to install an appropriate content management package. MediaWiki was not written to provide per-page access restrictions, and almost all hacks or patches promising to add them will likely have flaws somewhere, which could lead to exposure of confidential data. We are not responsible for anything being leaked, leading to loss of funds or one's job.
For further details, see Security issues with authorization extensions
| Hierarchical Namespace Permissions | Release status: stable |
|---|---|
| Implementation | User rights |
| Description | Provides a hierarchical namespace permissions system (aka "prefixes") for MediaWiki without changing the base installation or creating new database tables. |
| Author(s) | user:jldupont |
| Version | 1.2 |
| MediaWiki | tested on 1.8.2, 1.9.3 |
| Download | no link |
| Hooks used | userCan |
Users interested in this extension might also appreciate Extension:BizzWiki.
Please see Extension:HNP, as I have no plans to maintain this extension any further. Extension:HNP supersedes this extension.
Features
- Prefix based namespace access with wildcard
- No additional database tables
- No code change
- Additional right support for form processing : SubmitWithoutRead
- Automatic creation of a "Namespace Manager" group per declared namespace
Please read about security issues with authorization extensions
v1.2
- Ability to add "exclude" rights
Source Code
Source Code and additional information can be found at <http://bluecortex.com/index.php?title=Bluecortex:Hierarchical_Namespace_Permissions>.
Additionally, v1.2 of the code can be found on this wiki at Extension:Hierarchical Namespace Permissions/Code.
LocalSettings.php example
// Site-specific namespace IDs.
// Even IDs are subject namespaces; the odd ID that follows is the matching
// "talk" namespace. Only Blog declares a talk namespace here.
define('NS_ADMIN',     100);
define('NS_BLOG',      102);
define('NS_BLOG_TALK', 103);
define('NS_CONTACT',   104);
define('NS_TEST',      106);
define('NS_CODE',      108);

// Register the display names of the extra namespaces.
// Every permission key built later in this file is scoped to one of these IDs,
// so a namespace missing from this list has no pages to protect.
$wgExtraNamespaces = array(
    NS_ADMIN     => 'Admin',
    NS_BLOG      => 'Blog',
    NS_BLOG_TALK => 'Blog_talk',
    NS_CONTACT   => 'Contact',
    NS_TEST      => 'Test',
    NS_CODE      => 'Code',
);
// Namespaces ticked by default on the search form.
// This only selects the default search scope; it grants no rights. Access to
// search results is governed by the "search"/"read" permission keys set below.
// NOTE(review): NS_WIKIPEDIA / NS_WIKIPEDIA_TALK are not defined on this page,
// and the rest of the file uses NS_PROJECT. Confirm the target MediaWiki
// version still defines them.
$wgNamespacesToBeSearchedDefault = array(
    // Core namespaces
    NS_MEDIA          => true,
    NS_SPECIAL        => true,
    NS_MAIN           => true,
    NS_TALK           => true,
    NS_USER           => true,
    NS_USER_TALK      => true,
    NS_WIKIPEDIA      => true,
    NS_WIKIPEDIA_TALK => true,
    NS_IMAGE          => true,
    NS_IMAGE_TALK     => true,
    NS_MEDIAWIKI      => true,
    NS_MEDIAWIKI_TALK => true,
    NS_TEMPLATE       => true,
    NS_TEMPLATE_TALK  => true,
    NS_HELP           => true,
    NS_HELP_TALK      => true,
    NS_CATEGORY       => true,
    NS_CATEGORY_TALK  => true,

    // Site-specific namespaces. Admin is in the default search scope, so keep
    // its read/search permission keys tight. Code is deliberately left out.
    NS_ADMIN          => true,
    NS_BLOG           => true,
    NS_BLOG_TALK      => true,
    NS_CONTACT        => true,
    NS_TEST           => true,
    NS_CODE           => false,
);
// Enable subpages ("Page/Sub") in the main, project and custom namespaces.
// NS_CODE is not listed here, although a later rule in this file matches the
// title pattern "js/*" in that namespace.
$wgNamespacesWithSubpages[NS_MAIN]      = true;
$wgNamespacesWithSubpages[NS_PROJECT]   = true;
$wgNamespacesWithSubpages[NS_ADMIN]     = true;
$wgNamespacesWithSubpages[NS_BLOG]      = true;
$wgNamespacesWithSubpages[NS_BLOG_TALK] = true;
$wgNamespacesWithSubpages[NS_CONTACT]   = true;
$wgNamespacesWithSubpages[NS_TEST]      = true;
// Load order matters for everything that hooks 'userCan'.
//
// 1. AuthorRestriction adds the "read" restriction type and the "author"
//    restriction level. It must be loaded BEFORE any other 'userCan' related
//    extension (e.g. NamespacePermissions).
// 2. includes/Namespace.php is loaded explicitly before the permissions
//    extension.
// 3. HierarchicalNamespacePermissions provides hnpClass, which the rest of this
//    file uses to build permission keys.
//
// NOTE(review): these are relative paths, so which file gets loaded depends on
// the include path / working directory. This code enforces access control for
// the whole wiki, and this page states the extension is no longer maintained
// (superseded by Extension:HNP). Review the files you install here before
// relying on them.
require_once 'extensions/AuthorRestriction.php';
require_once 'includes/Namespace.php';
require_once 'extensions/HierarchicalNamespacePermissions.php';
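// Deny by default: switch off the rights MediaWiki grants out of the box to the
// implicit '*' (every visitor) and 'user' (every logged-in account) groups.
// After this block, the only effective grants are the hierarchical keys built
// with hnpClass::buildPermissionKey() further down.
$wgGroupPermissions['*']['read']       = false;
$wgGroupPermissions['*']['edit']       = false;
$wgGroupPermissions['*']['create']     = false;
$wgGroupPermissions['*']['createpage'] = false;
$wgGroupPermissions['*']['createtalk'] = false;

// Self-registration stays OPEN for anonymous visitors. The example used to set
// this to false and then back to true a few lines later; only the last
// assignment took effect, so the effective value is stated once here.
// Set it to false if accounts should only be created by administrators.
$wgGroupPermissions['*']['createaccount'] = true;

$wgGroupPermissions['user']['read']            = false;
$wgGroupPermissions['user']['move']            = false;
$wgGroupPermissions['user']['edit']            = false;
$wgGroupPermissions['user']['upload']          = false;
$wgGroupPermissions['user']['reupload']        = false;
$wgGroupPermissions['user']['reupload-shared'] = false;
$wgGroupPermissions['user']['minoredit']       = false;
$wgGroupPermissions['user']['createpage']      = false;
$wgGroupPermissions['user']['createtalk']      = false;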
// Sysops: "~" in all three key positions. Judging by the other calls in this
// file, the positions are (namespace, title, right), and "~" presumably means
// "any". If so, this single key is a full grant; confirm against the extension
// code.
$wgGroupPermissions['sysop'][hnpClass::buildPermissionKey('~', '~', '~')] = true;

// Take the 'bot' right away again, otherwise the 'recent changes' page gets
// completely messed up. The "!" prefix looks like the "exclude" right syntax
// added in v1.2. TODO confirm.
$wgGroupPermissions['sysop'][hnpClass::buildPermissionKey('~', '~', '!bot')] = true;

// Optional plain rights, left disabled in this example:
#$wgGroupPermissions['sysop']['coding']         = true;
#$wgGroupPermissions['sysop']['protect']        = true;
#$wgGroupPermissions['sysop']['viewsource']     = true;
#$wgGroupPermissions['sysop']['templating']     = true;
#$wgGroupPermissions['sysop']['editattributes'] = true;
#$wgGroupPermissions['sysop']['readattributes'] = true;
#$wgGroupPermissions['sysop']['protectsection'] = true;
// Namespaces that anonymous visitors ('*') may read, browse and search.
// Admin, Contact, Test, Code, Template and MediaWiki are deliberately absent,
// so they stay closed to anonymous visitors unless a narrower key below opens
// a specific page.
$anonAllowedSpaces = array(
    NS_MEDIA, NS_SPECIAL, NS_MAIN, NS_TALK, NS_USER, NS_USER_TALK, NS_HELP, NS_HELP_TALK,
    NS_CATEGORY, NS_CATEGORY_TALK, NS_PROJECT, NS_PROJECT_TALK, NS_BLOG, NS_BLOG_TALK, NS_IMAGE,
);

foreach ($anonAllowedSpaces as $ns) {
    $wgGroupPermissions['*'][hnpClass::buildPermissionKey($ns, '~', 'createaccount')] = true;
    $wgGroupPermissions['*'][hnpClass::buildPermissionKey($ns, '~', 'read')]          = true;
    $wgGroupPermissions['*'][hnpClass::buildPermissionKey($ns, '~', 'browse')]        = true;
    $wgGroupPermissions['*'][hnpClass::buildPermissionKey($ns, '~', 'search')]        = true;
}

// createaccount is also granted across every namespace. If "~" means "any",
// this makes the per-namespace createaccount keys above redundant.
$wgGroupPermissions['*'][hnpClass::buildPermissionKey('~', '~', 'createaccount')] = true;

// Anonymous visitors may also view the wikitext source of pages in the readable
// namespaces. This is set in a second pass, after the keys above.
foreach ($anonAllowedSpaces as $ns) {
    $wgGroupPermissions['*'][hnpClass::buildPermissionKey($ns, '~', 'viewsource')] = true;
}
// Anonymous visitors get write access on two talk namespaces.
// Keys are built from the numeric namespace ID, not from the canonical name.
// NOTE(review): every grant here is to '*', i.e. unauthenticated editing and
// page creation. Check this is intended, and that abuse controls are in place,
// before copying it to a public wiki.

// Project talk: edit existing pages and create new ones.
$ns = NS_PROJECT_TALK;
$wgGroupPermissions['*'][hnpClass::buildPermissionKey($ns, '~', 'edit')]       = true;
$wgGroupPermissions['*'][hnpClass::buildPermissionKey($ns, '~', 'createpage')] = true;
$wgGroupPermissions['*'][hnpClass::buildPermissionKey($ns, '~', 'createtalk')] = true;
$wgGroupPermissions['*'][hnpClass::buildPermissionKey($ns, '~', 'create')]     = true;

// Article talk: same idea, but without 'createpage'.
$ns = NS_TALK;
$wgGroupPermissions['*'][hnpClass::buildPermissionKey($ns, '~', 'create')]     = true;
$wgGroupPermissions['*'][hnpClass::buildPermissionKey($ns, '~', 'createtalk')] = true;
$wgGroupPermissions['*'][hnpClass::buildPermissionKey($ns, '~', 'edit')]       = true;
// DEBUG ONLY: lets anonymous visitors read the single page Admin:Show_Groups
// (the "show user" page).
// NOTE(review): the author marked this grant as debug. It opens a page in the
// otherwise closed Admin namespace to everyone, so drop it outside a test wiki
// unless that page is meant to be public.
$ns = NS_ADMIN;
$wgGroupPermissions['*'][hnpClass::buildPermissionKey($ns, 'Show_Groups', 'read')] = true;

// JavaScript served from the Code namespace: anonymous visitors get the special
// 'getJs' right on titles matching "js/*" only. The Code namespace is not in the
// anonymous read list, so no general 'read' is granted there.
$ns = NS_CODE;
$wgGroupPermissions['*'][hnpClass::buildPermissionKey($ns, 'js/*', 'getJs')] = true;
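// A registered user gets a bit more rights still: talk-page creation and
// editing in the namespaces listed below.
//
// These keys are attached to the 'user' group. The example previously attached
// them to '*', which gave anonymous visitors the same rights, including edit on
// User: and User_talk: pages. That contradicted the stated intent of this
// section. Anonymous editing of Talk and Project_talk is granted separately
// above and is not affected.
$userAllowedSpaces = array(
    NS_TALK, NS_USER, NS_USER_TALK, NS_HELP_TALK,
    NS_CATEGORY_TALK, NS_PROJECT_TALK,
);

foreach ($userAllowedSpaces as $ns) {
    $wgGroupPermissions['user'][hnpClass::buildPermissionKey($ns, '~', 'createtalk')] = true;
    $wgGroupPermissions['user'][hnpClass::buildPermissionKey($ns, '~', 'edit')]       = true;
}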
// Permissions for the extra namespaces, following the NamespacePermissions
// extension's approach.

// Blog: anonymous visitors can read, browse and fetch raw content, and can
// create pages so that unregistered users are able to post comments. No 'edit'
// key is granted here.
$ns = NS_BLOG;
$wgGroupPermissions['*'][hnpClass::buildPermissionKey($ns, '~', 'raw')]        = true;
$wgGroupPermissions['*'][hnpClass::buildPermissionKey($ns, '~', 'read')]       = true;
$wgGroupPermissions['*'][hnpClass::buildPermissionKey($ns, '~', 'browse')]     = true;
$wgGroupPermissions['*'][hnpClass::buildPermissionKey($ns, '~', 'create')]     = true;
$wgGroupPermissions['*'][hnpClass::buildPermissionKey($ns, '~', 'createpage')] = true;

// Blog talk: anonymous visitors can read, browse, edit and create.
// NOTE(review): this is fully open, unauthenticated write access to the
// namespace.
$ns = NS_BLOG_TALK;
$wgGroupPermissions['*'][hnpClass::buildPermissionKey($ns, '~', 'read')]       = true;
$wgGroupPermissions['*'][hnpClass::buildPermissionKey($ns, '~', 'browse')]     = true;
$wgGroupPermissions['*'][hnpClass::buildPermissionKey($ns, '~', 'edit')]       = true;
$wgGroupPermissions['*'][hnpClass::buildPermissionKey($ns, '~', 'createtalk')] = true;
$wgGroupPermissions['*'][hnpClass::buildPermissionKey($ns, '~', 'createpage')] = true;
$wgGroupPermissions['*'][hnpClass::buildPermissionKey($ns, '~', 'create')]     = true;
// Contact: a write-only drop box. Anonymous visitors may create pages and submit
// the form (SubmitWithoutRead), but this file grants them no 'read' key for the
// namespace, so they cannot read what others have submitted.
$ns = NS_CONTACT;
$wgGroupPermissions['*'][hnpClass::buildPermissionKey($ns, '~', 'create')]            = true;
$wgGroupPermissions['*'][hnpClass::buildPermissionKey($ns, '~', 'createpage')]        = true;
$wgGroupPermissions['*'][hnpClass::buildPermissionKey($ns, '~', 'SubmitWithoutRead')] = true;

// Logged-in users may read, and view the source of, one page in the Admin
// namespace: the comment form itself.
$wgGroupPermissions['user'][hnpClass::buildPermissionKey(NS_ADMIN, 'Leave_Comment_Form', 'read')]       = true;
$wgGroupPermissions['user'][hnpClass::buildPermissionKey(NS_ADMIN, 'Leave_Comment_Form', 'viewsource')] = true;

// Left disabled: a site-wide anonymous 'viewsource' key. Enabling it would
// presumably expose the wikitext of pages in namespaces that anonymous visitors
// cannot otherwise read.
#$wgGroupPermissions['*'][hnpClass::buildPermissionKey("~","~","viewsource")] = true;

