Manual:Security

From MediaWiki.org

MediaWiki has a highly customizable security architecture. Its main features are:

• Access restrictions based on IP or user ID
• Group-based permissions architecture
• Plugin architecture for customized determination of user identity
• Customizable user rights assignment architecture

This is a collection of links that might be the starting point for an overview article on system security in MediaWiki:

• General
  • Category:User access extensions
  • Configuration Settings: Access
  • meta:Category:MediaWiki authentication
  • meta:Documentation:Security

• Planning/Requirements gathering
  • Manual:Before installing

• User authorization
  • Authentication
  • AuthPlugin - describes plug-in architecture for determining user identity
  • Manual:$wgAuth - configuration variable used by plug-in architecture
  • Category:Authentication and login - authorization extensions available
  • Manual:FAQ#How do I reset a password

• Monitoring user activity
  • Category:User activity extensions

• Assignment of access rights by IP, user identity
  • meta:Access control
  • Manual:FAQ#Initial user was not created by installer
  • Manual:FAQ#Anti-spam
  • Help:User rights - describes configuration of the default MediaWiki rights architecture
  • Manual:Preventing access - various tips and how-tos
  • Manual:Image Authorization - IP/user-based restrictions on access to images
  • Security issues with authorization extensions
  • Category:User rights extensions - extensions that assist in user rights management
  • meta:Hidden pages
  • meta:Page access restriction with MediaWiki
  • Configuration variables: Manual:$wgGroupPermissions, Manual:$wgAddGroups, Manual:$wgRemoveGroups
  • Special:Userrights

• Security-enhanced MediaWiki versions/sample installations
  • meta:GroupWikiBase
  • Extension:BizzWiki

• Security alerts
  • Security - how to report problems, receive notifications
  • Template:Security alert
  • Template:XSS alert
  • Category:Extensions with XSS vulnerabilities

• Technical details
  • database schema: User groups table, User table, Revision table, Recentchanges table
  • hooks: UserLoginForm, UserLoginComplete, UserLogout, UserLogoutComplete, UserEffectiveGroups, UserGetImplicitGroups, UserGetRights
  • code: User.php
  • Manual:Special pages - instructions for designing access rights-aware special pages.