Extension:ProtectSource

From MediaWiki.org
Jump to: navigation, search
MediaWiki extensions manual - list
Crystal Clear action run.png
ProtectSource

Release status: beta

Implementation Hook
Description This extension blocks access to the source of protected pages for non-privileged users.
Author(s) Lisa Ridley, Subfader
Latest version 0.1.3 (2012-01-19)
MediaWiki 1.12+ (check)
License GPL
Download See here
Example [1]
Hooks used
MediaWikiPerformAction

Translate the ProtectSource extension if possible

Check usage and version matrix; code metrics

Description[edit | edit source]

This extension protects protected pages. It blocks access to the source of pages that are protected against editing. It not only hides the source code, it suppresses the load completely.

If a non-privileged user tries to access the source code of a protected page, the following error message is returned:
"Sorry, this is a protected page. You do not have the proper permissions to view the source."

Restriction criteria:

  1. the page must be protected against editing
  2. the user must be unable to delete (this default user right is customizable, see below)

If the restriction criteria fit, it disables the following (from all manual or system links and by manual URL parameter access):

  • source view
  • comparing diffs on the history page (still the user can see the history list and view previous page versions in parsed mode)
  • raw access
  • source view of deleted pages ("view / restore" links are suppressed)

The extension does not

  • protect the MediaWiki namespace
You could include protected content nonetheless by using {{Some Template}} and protecting [[Template:Some Template]]
  • remove the (diff) link (as it appears on many special pages)
  • remove the [view source] page tab.
Links to error messages are not user friendly, but the site-wide conditional clauses could be expensive and not worth the usability if only a few pages are protected on the wiki.
If wanted nonetheless, the [view source] page tab can be hidden if the restriction criteria fit (see here). This trick is not possbile for the (diff) links since they currently (as of MW 1.16) have no own id or CSS class.
The extension makes no sense

Warning[edit | edit source]

This restriction is against the spirit of MediaWiki. On the other hand not every wiki is Wikipedia and you might have good reasons to protect page sources.

This extension may not be safe against all ways to access the source of a protected page. But the most obvious ones have been blocked. Please post on the discussion page if you find other loopholes.

If you have any other extensions installed that use the MediaWiki::performAction hook it is possible that they will not be processed; therefore, a custom hook called AlternatePerformAction is added to replace MediaWiki::performAction. You will need to change any hook references in other extensions from "MediaWikiPerformAction" to "AlternatePerformAction". To find out if one of your extensions may be affected grep "MediaWikiPerformAction" in your extension folder (and its subfolders).

Don't start mass protecting pages just to block source access. Note that those can not be edited by normal users.

Although the MediaWiki namespace is protected against editing by default, the source of those pages is not blocked (pages like MediaWiki:Common.css wouldn't work).

Download & Installation[edit | edit source]

Download and extract it into your extensions folder:

Add this to 'LocalSettings.php' in your wiki installation folder.

require_once( "$IP/extensions/ProtectSource/ProtectSource.php" );

Configuration[edit | edit source]

You can customize the user right to which the blocked access applies by using $wgProtectSourceUserRight. Example:

require_once( "$IP/extensions/ProtectSource/ProtectSource.php" );
$wgProtectSourceUserRight = 'move';

This would override the default 'delete' and apply to users who are not allowed to move pages (only users who can move would be able to access the source code of protected pages).

Please note: When you protect a page you select a user group which is privileged to edit the page. No matter what you set as $wgProtectSourceUserRight, that priviliged user group can access the page source code nontheless (since they can edit it).

Contribution[edit | edit source]

  • Please report bugs on the discussion page.
  • Please test it for any ways to access the source code or snippets of it.
  • Translations can be posted here.

In theory this extension should work on MW 1.12.0 and above. Nontheless it would be nice if this was tested.

  • Tested and working on MW 1.18.0 --Subfader 20:57, 3 December 2011 (UTC)
  • Tested and working on MW 1.17.0 --Subfader 17:09, 23 June 2011 (UTC)
  • Tested and working on MW 1.16.5 --Subfader 20:11, 6 September 2011 (UTC)
  • Tested and working on MW 1.16alpha --Subfader 12:59, 12 August 2009 (UTC)

Known loopholes[edit | edit source]

  • Results on Special:Search can return tiny parts of the source code of protected pages (but the user needs to know what to search for).

Versions[edit | edit source]

  • 0.1.3 (2012-01-19) Security update: A certain action name was missing in the list of blocked actions.
  • 0.1.2 (2011-12-03) Small fixes for MW 1.18 ($wiki->getVal fixed to $request->getVal, removed $wiki, added $wgDisabledActions for check)
  • 0.1.1 (2011-09-11) i18n: i18n improved, added protectSource-desc | translations added: nl, fr, se

See also[edit | edit source]