Extension:Restrict access by category and group

From MediaWiki.org

Jump to: navigation, search
If you need per-page or partial page access restrictions, you are advised to install an appropriate content management package. MediaWiki was not written to provide per-page access restrictions, and almost all hacks or patches promising to add them will likely have flaws somewhere, which could lead to exposure of confidential data. We are not responsible for anything being leaked, leading to loss of funds or one's job.
For further details, see Security issues with authorization extensions


           

Manual on MediaWiki Extensions
List of MediaWiki Extensions
Crystal Clear action run.png
Restrict access by category and group

Release status: stable
Implementation  User rights
Description Restrict access to pages by users groups and documents categories
Author(s)  Andrés Orencio Ramírez Pérez - Andy (lodopidoloTalk)
Last Version  1.01 (Extension talk) (2008-08-21)
MediaWiki  Tested on 1.12.0 to 1.15.0
License GPL
Download no link

check usage (experimental)

Contents

[edit] What can this extension do?

This extension can restrict access to users by group and document category.

Even Mediawiki is a free/public access collaborative document tool, sometimes can be helpful, especially in business environments, have a restricted view of wiki documents.

For example, department's financial documents should not be accessed by customer services users.

In this extension you can establish four access restrictions:

  • Public: White pages: those are public pages that can be accessed by everybody. This is helpful when you have a private mediawiki and anonymous can only authenticate and see Main page. See $wgWhitelistRead.
  • Public categories: those are all categories that aren't in your groups.php file. Those categories are public.
  • No public categories: those are all categories that are in your groups.php file. Those categories are restricted. Documents that belong to these categories may be accessed by users who belong to at least one of these groups.
  • Private categories:those are all categories that are in your groups.php file with [private] = true option. These categories are private, and only users who belong to all categories closed to which the document will have access.

[edit] Usage

All documents you want to restrict access to, you must to add to a category. So you have multiples categories.

Files:

  • $IP/extensions/rabcg/rabcg.php: this is the extension.
  • $IP/extensions/rabcg/groups.php: this is the group catalog.

In your groups.php file, you must add the categories you want to make no public or private. This is made by group definition. For Example:

<?php
// This is a no public category: Financial no public data.
$wgGroupPermissions['Financial no public data']['*'] = true;
 
// This is a private category: Financial private data.
$wgGroupPermissions['Financial private data']['private'] = true;

To apply this category to your document, you only must to write:

[[Category:Financial private data]]

This is only one more category of your document.

Previously (after create the groups in you groups.php file), you must make groups assignments to users by Special:UserRights page.

[edit] Download instructions

This extension is not yet in MediaWiki SVN Repository. Therefore, you must copy & paste the following code as is explained in the installation section below.

[edit] Installation

You must follow this steps:

  • Create a directory named: $IP/extensions/rabcg ($IP is your mediawiki installation directory).
  • Create a file named $IP/extensions/rabcg/rabcg.php with this content (the source code):
<?php
 
$wgExtensionCredits['parserhook'][] = array(
       'name' => 'Restrict access by category and group',
       'author' =>'Andres Orencio Ramirez Perez',
       'url' => 'http://www.mediawiki.org/wiki/Extension:Restrict_access_by_category_and_group',
       'description' => 'Restrict access to pages by users groups and documents categories',
        'version' => 1.01
       );
 
function userCanGrupoCategoria($title, $user, $action, $result) {
	global $wgGroupPermissions;
	global $wgWhitelistRead;
	global $wgLang;
 
	$categoriaValida = false;
	$existeGrupo = false;
	$docPoseeCategorias = false;
	$categoriaPrivada = false;
	$tmpCatP = false;
	$catnom = $wgLang->getNsText ( NS_CATEGORY );
	$pagBlanca = true;
	// Is this page a white page?
	if (isset($wgWhitelistRead[0])) {
		$pagBlanca = in_array($title, $wgWhitelistRead);
	}
 
	// If document has not category, it's public.
        if (count($title->getParentCategories()) == 0) {
                $categoriaValida = true;
        } else {
		// If document has categories, we see each one.
		foreach( $wgGroupPermissions as $key => $value ) {
                        if (isset($wgGroupPermissions[$key]['private'])) {
                                $tmpCatP = $wgGroupPermissions[$key]['private'];
                        } else {
                                $tmpCatP = false;
                        }
			// If there is a group like category, ...
                        if ((array_key_exists(strtolower($catnom.":".
                            str_replace(" ", "_", $key)), array_change_key_case($title->getParentCategories(), CASE_LOWER)))) {
				// We see if category is a private category                                
				if ($tmpCatP && (! $categoriaPrivada)) {
                                        $categoriaPrivada = true;
                                        $categoriaValida = false;
                                }
				// We see that the user belongs to one of the groups (like of category).
                                if ((in_array($key, $user->getGroups())) && ((! $categoriaPrivada) || ($tmpCatP && $categoriaPrivada))) {
                                        $categoriaValida = true;
                                }
                                $existeGrupo = true;
                        }
                }
                $docPoseeCategorias = (count($title->getParentCategories()) > 0);
        }
	// If groups don't exists and it isn't white page and doc has categories, this doc is a plublic doc.
        if ((! $existeGrupo) && (! $pagBlanca) && ($docPoseeCategorias))
                $result = true;
	// If user is logged and user has valid group, or it's white page, this is an accesible doc.
        else if (($user->isLoggedIn() && $categoriaValida) || $pagBlanca)
                $result = true;
	// Else you cannot acces to this doc.
        else
                $result = false;
        return $result;
}
$wgHooks['userCan'][] = 'userCanGrupoCategoria';
require_once $IP."/extensions/rabcg/groups.php";
  • Create a file named $IP/extensions/rabcg/groups.php with all groups do you want:
<?php
 
// This is a no public category: Financial no public data.
$wgGroupPermissions['Financial no public data']['*'] = true;
 
// This is a private category: Financial private data.
$wgGroupPermissions['Financial private data']['private'] = true;
  • Add the following to LocalSettings.php (adjust name of user login page for your language):
require_once("$IP/extensions/rabcg/rabcg.php");
$wgWhitelistRead = array('Special:UserLogin');

[edit] See also

Retrieved from "http://www.mediawiki.org/wiki/Extension:Restrict_access_by_category_and_group"