User:Subfader/ProtectSource
From MediaWiki.org
For further details, see Security issues with authorization extensions
{{Extension
|name = ProtectSource
|status = beta
|type1 = Hook
|author = [[User:Lhridley|Lisa Ridley]]
|version = 0.1
|update =
|mediawiki = 1.12.0 or above
|download = [[#Download_.26_Installation|See here]]
|description = This Extension blocks access to the source of protected pages for non-privileged users.
|license = GPL
|hook1 = MediaWikiPerformAction
|example = [http://www.mixesdb.com/db/index.php/Main_Page]
}}
Contents |
[edit] Description
This Extension protects protected pages. It blocks access to the source of pages that are protected against editing (it not only hides it, it suppresses the load completely). If a non-privileged user tries to access protected page source, the following error message is returned:
"Sorry, this is a protected page. You do not have the proper permissions to view the source."
Restriction criteria:
- the page must be protected against editing
- the user must be unable to delete (this default user right is customizable, see below)
If the restriction criteria fit, it disables the following (from all manual or system links and by manual URL parameter access):
- source view (admins / sysops who would not be allowed by the set user right still can edit because of the page protection restriction)
- comparing diffs on the history page (still the user can see the history list and view previous page versions in parsed mode)
- raw access
- source view of deleted pages ("view / restore" links are suppressed)
The extension does not
- remove the (diff) link (like on many special pages) or
- remove the [view source] page tab.
Links to error messages are not user friendly, but the site-wide conditional clauses could be expensive and not worth the usability if only a few pages are protected on the wiki.
If wanted nontheless, the [view source] page tab can be hidden if the restriction criteria fit (see here). This trick is not possbile for the (diff) links since they currently have no own CSS id or class.
- The extension makes no sense without
- disabled API ($wgEnableAPI = false;)
- disabled Special:Export (Disabling it only for protected pages would be nice, atm it's safer to disable it completely manually.)
[edit] Warning
This restriction is against the spirit of MediaWiki. On the other hand not every wiki is Wikipedia and you might have good reasons to protect page sources.
This extension may not be safe against all ways to access the source of a protected page. But the most obvious ones have been blocked. Please post on the discussion page if you find other loopholes.
If you have any other extensions installed that use the MediaWiki::performAction hook it is possible that they will not be processed; therefore, a custom hook called AlternatePerformAction is added to replace MediaWiki::performAction. You will need to change any hook references in other extensions from "MediaWikiPerformAction" to "AlternatePerformAction". To find out if one of your extension may be affected grep "MediaWikiPerformAction" in your extension folder (and its subfolders).
[edit] Download & Installation
Download and extract it into your extensions folder:
- ProtectSource0.1.tar
- ProtectSource0.1.zip
Add this to 'LocalSettings.php' in your wiki installation folder.
require_once( "$IP/extensions/ProtectSource/ProtectSource.php" );
[edit] Configuration
You can customize the user right to which the blocked access applies by using $wgProtectSourceUserRight. Example:
require_once( "$IP/extensions/ProtectSource/ProtectSource.php" ); $wgProtectSourceUserRight = 'move';
This would apply to users who are not allowed to move pages.
[edit] Contribution
- Please test it for any ways to access the source code or snippets of it.
- Please report bugs on the discussion page.
- Translations can be posted here. Please sign your posts.
[edit] See also
[[Category:Page specific user rights extensions]] [[Category:User rights extensions]] [[Category:View page extensions]]
