Extension:Prefix Security

From MediaWiki.org

Jump to: navigation, search
If you need per-page or partial page access restrictions, you are advised to install an appropriate content management package. MediaWiki was not written to provide per-page access restrictions, and almost all hacks or patches promising to add them will likely have flaws somewhere, which could lead to exposure of confidential data. We are not responsible for anything being leaked, leading to loss of funds or one's job.
For further details, see Security issues with authorization extensions


             

Manual on MediaWiki Extensions
List of MediaWiki Extensions
Crystal Clear action run.png
Prefix Security

Release status: stable
Implementation  Special page, User rights, Tag
Description Extension for controlling page-specific user rights based on titles and their prefixes
Author(s)  Borut Tomažin
Last Version  1.3.0 (05.11.2008)
MediaWiki  1.6.5 up to 1.13.1
License GNU
Download Official WebSite

check usage (experimental)


Contents

[edit] Introduction

Warning: Although this extension enhances the security of handling MediaWiki articles, it probably still has security breaches.

Please read about security issues with authorization extensions.

This extension allows the sysops to define a set of page title prefixes and set prefix-specific access rights to individual user or user groups. The administration privilege can also be granted to other users by adding something like the following line to LocalSettings.php:

$wgGroupPermissions['logged']['prefixAdministration'] = array( "username1", "username2" );

The extension consists of three main parts:


Let's take a quick tour....


[edit] GroupsAdministration

GroupsAdministration is a generic extension for managing user groups. A user can be added or removed from specified group.

Groups Administration SpecialPage main screen


[edit] PrefixAdministration

PrefixAdministration is an extension for defining page prefixes.

Prefix Administration SpecialPage main screen


[edit] PageRestrictionHooks

PageRestrictionHooks is the core of the extension with special hooks that actually do the job of allowing and denying reading and/or editing. It uses the following hooks:

* $wgHooks[ 'userCan' ][] = 'RestrictHookRead';
* $wgHooks[ 'AlternateEdit' ][] = 'RestrictHookEdit';
* $wgHooks[ 'ArticleSaveComplete' ][] = 'CheckAllowAndForbidTags';
* $wgHooks[ 'ParserAfterTidy' ][] = 'DescribeRestrictionsHook';


I have also used my own defined tags for managing with three types of tags.

* $wgParser->setHook( RESTRICT_TAG, "TagRestrictHookRead" );
* $wgParser->setHook( ALLOW_TAG, "TagRestrictHookAllow" );
* $wgParser->setHook( FORBID_TAG, "TagRestrictHookForbid" );


You can insert them into an article like this:

* <RESTRICT groups="..." users="...">Restricted text</RESTRICT>
* <ALLOW groups="..." users="...">Allowed text</ALLOW>
* <FORBID groups="..." users="...">Forbidden text</FORBID>


[edit] Usage example

  • Go to your Special Pages page and find pages GroupsAdministration and PrefixAdministration
  • If you want to define new prefix for page name "Newpage", type something like "New". It will affect ony every page that starts with word "New".


[edit] Explanation

This extension should be useful for a large and diverse group of people which wants use Wiki as a documentation repository, but without making every document available to everyone. For easier use, the pages that should be accessible to the same subgroup should have a common prefix, for instance the name of the project that these people are working on. We can then use the prefix administration page to set the read and write privileges for anonymous guests, registered user and to individual users. User can also be grouped (groups can, of course, overlap), so that an entire group can be granted or denied read or write access to the page.


[edit] Features

  • Handling/defining permission groups
  • Controlling groups permission
  • Creation of page prefixes
  • Manipulation of users and groups for prefixes

[edit] Installation instructions

[edit] Installation requirements

  • This extension requires hooks in MediaWiki 1.6.5 or later.
  • This extension requires PHP 5 or later.

[edit] Installing the extension

To install the extensions follow this steps (detailed):

  • Download the LATEST VERSION and put all files into /extensions directory
  • Edit your LocalSettings.php file and add the following lines:
require_once( 'extensions/GroupsAdministration.php' );
require_once( 'extensions/PrefixAdministration.php' );
require_once( 'extensions/PageRestrictionHooks.php' );


  • After all go to your MediaWiki website and login as Sysop. On the "toolbox" menu click on "Special pages" link and GroupsAdministration where you will get further installation instructions.

Menu toolbox.png

[edit] Possible problems

[edit] User cannot login to the system

This occurs when the installation script do not add two default prefixes into database table "page_prefixes". They look's like this:

Default blank prefixes.png

Other (technical) way to solve the problem is to embed this line into LocalSettings.php file:

$wgGroupPermissions['logged']['prefixAdministration'] = array( "username1", "username2" );


[edit] Installation process failed

-first table

CREATE TABLE `page_prefixes` (
    `id` int(8) NOT NULL auto_increment,
    `page_prefix` varchar(255) NOT NULL,
    `user_id` text NOT NULL,
    `group_name` text NOT NULL,
    `read_permission` varchar(1) NOT NULL,
    `edit_permission` varchar(1) NOT NULL,
    PRIMARY KEY (`id`)
) ENGINE=MyISAM AUTO_INCREMENT=1;

INSERT INTO `page_prefixes` VALUES (-1, '', '-1', '', 'y', 'y');
INSERT INTO `page_prefixes` VALUES (-2, '', '-2', '', 'y', 'n');

-second table

CREATE TABLE `page_prefixes_auto` (
    `id` int(8) NOT NULL auto_increment,
    `page_title` varchar(255) NOT NULL,
    `user_id` varchar(255) NOT NULL,
    `group_name` varchar(255) NOT NULL,
    `tag_type` varchar(20) NOT NULL,
    PRIMARY KEY  (`id`)
) ENGINE=MyISAM AUTO_INCREMENT=1;


[edit] Previous versions

  • v1.0.0
    • GroupsAdministration.php
    • PrefixAdministration.php
    • PageRestrictionHooks.php
  • v1.1.0
    • GroupsAdministration.php
    • PrefixAdministration.php
    • PageRestrictionHooks.php
  • v1.2.0
    • GroupsAdministration.php
    • PrefixAdministration.php
    • PageRestrictionHooks.php
  • v1.3.0
    • GroupsAdministration.php
    • PrefixAdministration.php
    • PageRestrictionHooks.php


[edit] Notes

  • Extensions were tested on MediaWiki versions 1.6.3, 1.6.5, 1.9.3, 1.13.1. I do not guarantee I will works on other versions.


[edit] Change Log

  • Version 1.0.0 {21.08.2006} (Initial release)
  • Version 1.1.0 {19.02.2007} (Initial release)
  • Version 1.1.0 {19.08.2007} (Update)
  • Version 1.2.0 {16.09.2008} (Initial release)
    • Version 1.13.1 now supported
    • In some cases attempts to remove a user from a group resulted in a "the special page doesn't exist" error. FIXED
    • Fixed installation proces
  • Version 1.3.0 {05.11.2008} (Update)
    • Function CheckAllowAndForbidTags() did not return default value - (thanks to Stefan Endrullis)
      Error message: 
      "Detected bug in an extension! Hook CheckAllowAndForbidTags failed to return a value; should return true to continue hook processing or false to abort."
    • Function RestrictHookEdit did not return default value true & false - (thanks to Stefan Endrullis)
      Error message: 
      "Detected bug in an extension! Hook RestrictHookEdit failed to return a value; should return true to continue hook processing or false to abort."
  • TODO: support for db name prefix (soon)


[edit] Author contact

  • You can contact me at any time for help with installation or configuration of 'Prefix Security extensions'.


[edit] Project Home Page

Retrieved from "http://www.mediawiki.org/wiki/Extension:Prefix_Security"