Extension:NSFileRepo

From MediaWiki.org
Jump to: navigation, search
If you need per-page or partial page access restrictions, you are advised to install an appropriate content management package. MediaWiki was not written to provide per-page access restrictions, and almost all hacks or patches promising to add them will likely have flaws somewhere, which could lead to exposure of confidential data. We are not responsible for anything being leaked, leading to loss of funds or one's job.
For further details, see Security issues with authorization extensions
This extension requires patches to core MediaWiki code when used with MediaWiki 1.15.1 and before. Extensions implemented using patches may be disabled by or interfere with upgrades and security patches. If you would like to use this extension, we strongly recommend you upgrade to a version later than 1.15.1. Alternatively, if a suitable alternative without a patch is available, we recommend you use that extension instead.
MediaWiki extensions manual - list
Crystal Clear action run.png
NSFileRepo

Release status: stable
Implementation User rights
Description implements per-namespace group permissions for image and file rights protection
Author(s) Jack D. Pond (JpondTalk)
Last version 1.4 (2010-4-23)
MediaWiki 1.13, 1.14, 1.15, 1.16, 1.17-SVN
License GNU General Public Licence 2.0
Download Download snapshot
Subversion [Help]

Browse source code
View code changes

README
log
Hooks used
userCan

ImgAuthBeforeStream

Check usage (experimental)

The NSFileRepo restricts access to upload and read files and images to a given set of user groups associated with protected namespaces. Using this extension (within the security limitations noted above), you can protect not only pages and areas of your wiki, but also any uploaded images or files within those namespaces.

Namespaces are mechanism for grouping/separating wiki pages.

  • See Help:Namespaces for more user help documentation on what they are and how they are used.
  • See Manual:Namespace for system administration details on Mediawiki's namespace feature
  • See Project:Namespaces for an explanation of how namespaces are used on mediawiki.org

Contents

[edit] Usage

Generically, you use the same syntax as a normal file/image reference link, adding the namespace between the file specifier ("File","Image", or "Media"), and the file name:

[[{FILE_NS}:{Namespace}:{Filename}]]

Example(Where "Project" is the protected namespace and "ProjectFile.pdf" is the file to which you wish to limit access):

[[File:Project:ProjectFile.pdf]]


The standard for accessing files/images is generally:

[[File:Filename.txt]]
[[Image:Filename.jpg]]
[[Media:Filename.pdf]]

This extension allows you to protect access to files/images, by adding the namespace text identifier after the file namespace identifier, for example(Where "Project" is the protected namespace and "ProjectFile.xxx" is the file to which you wish to limit access):

[[File:Project:Filename.txt]]
[[Image:Project:Filename.jpg]]
[[Media:Project:Filename.pdf]]

It may be helpful to understand the default security model used by MediaWiki using the instructions below:

Limitations of security are the same as for Extension Lockdown. To review these limitations, please reference here.

To use the full capabilities of this extension (e.g., specific namespace protections), you will need to install and use the namespace protections provided through Extension:Lockdown.

This extension was made possible by the introduction of Repository Classes by Tim Starling - an elegant and brilliant implementation. It uses a new Local Repository class mechanism. Technical details on how this extension works can be found here.

[edit] Announcements

  • Starting with version 1.16.0, this extension will require no patching. Updates were made to make more efficient and easier to use.
  • The first version of this (Rel 0.0) was released 2009-07-11. The following activities were completed to make this extension easier to install and use, including:
    • 1.16.0 - img_auth.php was rewritten which has the required hook and global messages for image authorization failures and this extension.
    • 1.16.0+ - has global variable $wgIllegalFileChars. By default this extension modifies it to allow ":" for namespaces.


[edit] Release Notes

[edit] NSFileRepo 1.4

  • Bug Fixes - Thumbnails did not display properly in History (and even in uploads of past files). The problem is fixed with 1.16 (and the current trunk version of NSFileRepo), but in versions of MW before 1.16, archived thumbnails still break because LocalFile.php uses hard-coded class of OldLocalFile instead of $repo->oldFileFactory which would instantiate the correct NSLocalFile class.
  • Works with all namespaces > 1000 (used to only work with NS >=11 and <1000)
  • Use NS_IMAGE instead of NS_FILE for backward compatibility
  • Upgrades - Now works completely with >1.16. Changes were made for 100% backward compatibility. Even though it can be used all the way back to 1.13, the thumbnails probably will not display correctly because of issues with FileRepo before 1.16. This is a cosmetic versus a functional issue - if it bothers you, just disable thumbnails. If you're not using automatically generated thumbnails, you wouldn't notice the difference.

[edit] NSFileRepo 1.3

  • Allow files with namespace protection (e.g. File:ns:yourfile.txt) to be whitelisted using standard $wgWhitelistRead in localsettings.

[edit] NSFileRepo 1.2

  • Fixed bug with reuploads and versioning
  • Added protection to archived files and thumbs
  • Known bug - deleted files are removed from protected Namespace and can be accessed - working on fix, but for now, recommend do not delete files.

[edit] NSFileRepo 1.1

  • First fully tested version, works with MW 1.13.1, 1.14.1, 1.15.1 with patches
  • Works with 1.16.0 (trunk) without patches.

[edit] Tagged Releases

There were issues with image thumbnails that require modification to both NSFileRepo and the standard FileRepo. These revisions have been tested for MW Rev 1.15.0 and should also work with 1.14.0. It is doubtful they will work before 1.14.0. If someone could test the 1.14.0 patches, I would be glad to assist in any issues you may have. --jdpond 15:02, 13 May 2010 (UTC)

[edit] Tagged Release 1.14.0 Phase 3

This tagged branch has not been tested. It corrects the Thumbnail issues but requires:

  • Replacement/patching of LocalFile.php
  • Replacement/patching of GlobalFunctions.php
  • Alternate branched versions of the core NSFileRepo code.

If you do not mind messed up thumbnails with problems in the following areas, you can stay with the HEAD version:

  • Visual - displays broken impage link for thumbnails, especially in upload history
  • Security - without this patch, it loads thumbnails into 'public' area which could (theoretically) be viewed regardless of NS protection

SVN available here

[edit] Tagged Release 1.15.0 Phase 3

This tagged branch has been tested. It corrects the thumbnail issues but requires:

  • Replacement/patching of LocalFile.php
  • Replacement/patching of GlobalFunctions.php
  • Alternate branched versions of the core NSFileRepo code.

If you do not mind messed up thumbnails with problems in the following areas, you can stay with the HEAD version:

  • Visual - displays broken impage link for thumbnails, especially in upload history
  • Security - without this patch, it loads thumbnails into 'public' area which could (theoretically) be viewed regardless of NS protection

SVN available here

[edit] Download instructions

Copy all files and directories into directory:

$IP/extensions/NSFileRepo

[edit] Installation

You will need to read and understand two other required enhancements to MediaWiki:

Please read and understand before executing the following instructions

  1. Download and install Extension Lockdown. If you have not installed
  2. Download and copy the NSFileRepo extension into directory $IP/extensions/NSFileRepo
  3. Activate the Image Authorization according to instructions found in Image Authorization


[edit] Installation on versions 1.13.0 through 1.15.1

Up until 1.16.0, MediaWiki required a small patch to includes/GlobalFunctions.php. After that time, no patches are required, so you can skip to Activating NSFileRepo if you are using MW version 1.16.0 and higher. NO PATCHES ARE NEEDED FOR MW Version 1.16.0 and higher.

  1. Copy the img_auth.php the distribution in directory {release}/phase3/ to your wiki code base directory ($IP). This will overwrite the existing img_auth.php file. Alternately you could copy img_auth.php to another name in the same directory, then use that file name instead of img_auth.php (but still must be in the $IP directory).
  2. $IP/include/GlobalFunctions.php Must be patched. This is a very minor patch to remove the disabling of colons (':'). You can do this one of three ways (whichever you're most comfortable with):
    1. Edit the file according to instructions below
    2. If you have not otherwise patched the file, you may want to copy it from the distribution, which will be in a directory corresponding to the release you are using under {release}/phase3/includes/GlobalFunctions.php
    3. Apply the patch which will be in a directory corresponding to the release you are using under {release}/phase3/includes/GlobalFunctions.patch

[edit] Activating NSFileRepo

  1. To activate this extension, add the following to LocalSettings.php:
require_once("$IP/extensions/NSFileRepo/NSFileRepo.php");

[edit] Configuration parameters

The user rights and configuration requiremements are are the same as described in Extension Lockdown.

[edit] Patch GlobalFunctions.php (only MW versions between 1.13.0 and 1.16)

In version 1_13_0, a new function wfStripIllegalFilenameChars was added to includes/GlobalFunctions.php. This prevents the extension from determining the namespace associated with the file/image. For this extension to work in versions 1_13_0 through 1_15_1, you will need to make a minor patch to includes/GlobalFunctions.php as follows:

Index: GlobalFunctions.php
===================================================================
--- GlobalFunctions.php       (revision 52849)
+++ GlobalFunctions.php       (working copy)
@@ -3034,6 +3034,6 @@
  */
 function wfStripIllegalFilenameChars( $name ) {
        $name = wfBaseName( $name );
-     $name = preg_replace ( "/[^".Title::legalChars()."]|:/", '-', $name );
+     $name = preg_replace ( "/[^".Title::legalChars()."]/", '-', $name );
        return $name;
 }


You need to remove the "or :" clause from the REGEX expression by deleting the characters "|:"

[edit] See also

Language: English
Retrieved from "http://www.mediawiki.org/w/index.php?title=Extension:NSFileRepo&oldid=411207"
Personal tools
Namespaces
Variants
Actions
Site
Support
Download
Development
Communication
Print/export
Toolbox