Extension:ProtectSource
From MediaWiki.org
For further details, see Security issues with authorization extensions
| Release status | beta |
|---|---|
| Implementation | Hook |
| Description | This Extension blocks access to the source of protected pages for non-privileged users. |
| Author(s) | Lisa Ridley, Subfader |
| Last Version | 0.1 (2009-08-12) |
| MediaWiki | 1.12+ (check) |
| License | GPL |
| Download | See here |
| Example | [1] |
Description
This extension protects protected pages. It blocks access to the source of pages that are protected against editing. It not only hides the source code, it suppresses the load completely. If a non-privileged user tries to access the source code of a protected page, the following error message is returned:
"Sorry, this is a protected page. You do not have the proper permissions to view the source."
Restriction criteria:
- the page must be protected against editing
- the user must be unable to delete (this default user right is customizable, see below)
If the restriction criteria are met, the extension disables the following (whether reached through manual or system links or through manually entered URL parameters):
- source view
- comparing diffs on the history page (the user can still see the history list and view previous page versions in parsed mode)
- raw access
- source view of deleted pages ("view / restore" links are suppressed)
The extension does not:
- remove the (diff) link (as it appears on many special pages) or
- remove the [view source] page tab.
Links that lead to error messages are not user friendly, but site-wide conditional clauses could be expensive and not worth the usability gain if only a few pages on the wiki are protected.
If wanted nonetheless, the [view source] page tab can be hidden when the restriction criteria are met (see here). This trick is not possible for the (diff) links, since they currently have no id or CSS class of their own.
The extension makes no sense without:
- disabled API ($wgEnableAPI = false;)
- disabled Special:Export (Disabling it only for protected pages would be nice; at the moment it is safer to disable it completely by hand.)
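A check for the access paths listed above, run as an anonymous (non-privileged) client against your own wiki. It is an added example, not part of the extension. It assumes index.php and api.php share one script directory and that you have placed a unique token (the canary) inside an HTML comment in the protected page's wikitext, so that it appears only in the source and never in the parsed page:

```python
"""Added example: check that a protected page's wikitext is not served on the
access paths this page lists. Host, title and canary are assumptions."""
import sys
import urllib.error
import urllib.parse
import urllib.request

# Error text the extension returns, quoted from this page.
BLOCK_MESSAGE = "You do not have the proper permissions to view the source."

def probe_urls(script_path, title):
    """Map each access path named on this page to a URL on your own wiki.
    script_path is the directory holding index.php and api.php (assumed layout)."""
    root = script_path.rstrip("/")
    t = urllib.parse.quote(title.replace(" ", "_"), safe=":/")
    return {
        "source view": f"{root}/index.php?title={t}&action=edit",
        "raw access": f"{root}/index.php?title={t}&action=raw",
        "Special:Export": f"{root}/index.php?title=Special:Export/{t}",
        "API": f"{root}/api.php?action=query&prop=revisions&rvprop=content&format=xml&titles={t}",
    }

def classify(body, canary):
    """LEAK if the source-only canary is in the response, BLOCKED if the
    extension's error message is, OTHER for anything else (e.g. API disabled)."""
    if canary in body:
        return "LEAK"
    if BLOCK_MESSAGE in body:
        return "BLOCKED"
    return "OTHER"

def fetch(url):
    """Return the response body as text; HTTP error pages are returned too."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.read().decode("utf-8", "replace")

if __name__ == "__main__":
    # usage: check.py https://wiki.example.org/w "Protected page" CANARY-TOKEN
    base, title, canary = sys.argv[1:4]
    for name, url in probe_urls(base, title).items():
        print(f"{classify(fetch(url), canary):8} {name:15} {url}")
```

Any LEAK row means that path still serves the wikitext; with the API and Special:Export disabled as described above, those two rows should read OTHER.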
Warning
This restriction is against the spirit of MediaWiki. On the other hand, not every wiki is Wikipedia, and you might have good reasons to protect page sources.
This extension may not be safe against all ways to access the source of a protected page. But the most obvious ones have been blocked. Please post on the discussion page if you find other loopholes.
If you have any other extensions installed that use the MediaWiki::performAction hook, it is possible that they will not be processed; therefore, a custom hook called AlternatePerformAction is added to replace MediaWiki::performAction. You will need to change any hook references in other extensions from "MediaWikiPerformAction" to "AlternatePerformAction". To find out whether one of your extensions may be affected, grep for "MediaWikiPerformAction" in your extensions folder (and its subfolders).
Don't start protecting pages just to block source access. Note that protected pages cannot be edited by normal users.
Although the MediaWiki namespace is protected against editing by default, the source of those pages is not blocked (otherwise pages like Common.css wouldn't work).
Download & Installation
Download and extract it into your extensions folder:
Add this to 'LocalSettings.php' in your wiki installation folder:
require_once( "$IP/extensions/ProtectSource/ProtectSource.php" );
Configuration
You can customize the user right to which the blocked access applies by using $wgProtectSourceUserRight. Example:
require_once( "$IP/extensions/ProtectSource/ProtectSource.php" );
$wgProtectSourceUserRight = 'move';
This would override the default 'delete' and apply to users who are not allowed to move pages.
Please note: When you protect a page, you select a user group that is privileged to edit the page. No matter what you set as the user right here, that user group can access the page source code nonetheless (since they can edit it).
Contribution
- Please report bugs on the discussion page.
- Please test it for any ways to access the source code or snippets of it.
- Translations can be posted here.
In theory this extension should work on MW 1.12.0 and above. Nonetheless, it would be nice if this was tested.
- Tested and working on MW 1.16alpha --Subfader 12:59, 12 August 2009 (UTC)
Known loopholes
- The search can return tiny parts of the source code of protected pages (but the user needs to know what to search for).