Extension:Improved Access Control

This extension is based on Group Based Access Control 0.8 by Martin Gondermann, originally based on accesscontrol.php by Josh Greenberg. It is a mostly-feature-compatible rewrite based on the other extension's design and was written to be a drop-in replacement with minimal configuration.

As of MediaWiki 1.13.x, this extension requires minor changes to MediaWiki code for full functionality. Unpatched, the extension will still work but will not provide full protection on Search and Edit Preview.

This extension was written for MediaWiki 1.13.x, but if patches are not used, it should theoretically work on 1.7.0 or later. However, that has not been tested.

THIS EXTENSION HAS BEEN TESTED ONLY ON 1.13.x. USE ON OTHER VERSIONS AT YOUR OWN RISK.

Features
This extension, when fully installed, provides support for the following:
 * Article access control by group using embedded tags
 * Full (edit) access and read-only access supported
 * Protection from adding an access control that would lock editor out
 * Filtering of Recent Changes based on article read access
 * Filtering of Search results based on article read access
 * Image protection using the same access groups as articles
 * Transclusion of restricted pages protected in Edit and Edit Preview
 * Protection from redirection to a restricted page

This extension was written using security issues with authorization extensions as a checklist, but I cannot guarantee full protection beyond what I've seen. However, it has been thoroughly tested in multiple configurations and known issues are outlined below.

Known Issues
Most known access control issues are addressed in this extension, but the following limitations are still known as of version 1.1. These issues will likely be addressed in a future release.


 * Only Usergroup: style groups are supported. MediaWiki groups are not.
 * A patch is required for full functionality as of MediaWiki 1.13.2.
 * Only the latest access controls are queried for history. If you have restricted content that was removed and the page later made public, the history will also be public.
 * Caching might need to be disabled for full protection.
 * Performance is somewhat significantly impacted due to many page lookups.
 * Transclusion protection may prevent from working properly in some cases.
 * There is no way to specify read-only access without the users being in a group (i.e., no page can have edits restricted to some groups and reads available to all.)
 * There is no way to transclude a protected page even if you have access.
 * Titles of restricted pages are visible on pages such as Special:AllPages.
 * If you log out after having access to a restricted page, action=raw may still give you access.

Installation

 * 1) Apply the patch to MediaWiki (optional):
 * 2) Make back up copies of includes/EditPage.php and includes/specials/SpecialSearch.php
 * 3) Put improved-accesscontrol.patch.diff into your wiki directory
 * 4) Run: patch -p0 < improved-accesscontrol.patch.diff
 * 5) Copy this directory (improved-accesscontrol) into your wiki's extensions directory
 * 6) Put the following line into your LocalSettings.php: require_once("extensions/path_here/improved-accesscontrol.php");
 * 7) Put the following line into your LocalSettings.php to hide titles of unauthorized search results (optional, requires patch above): $wgHideProtectedSearchResultTitles = true;
 * 8) For image protection, copy img_auth.php into your wiki directory and read the directions in that file.
 * 9) To change the Permission Denied error, log in as sysop and go to Special:AllMessages (listed as "System messages"). Change 'badaccess' (title) and 'badaccess-group2' (content)
 * 10) Customize options in improved-accesscontrol-options.php
 * 11) Customize any messages in improved-accesscontrol.i18n.php

Usage
To add access controls to an article, including images, insert a tag in the following form:

Name

Where Name is defined, depending on configuration, either as a MediaWiki group (NOT CURRENTLY SUPPORTED) or as an article called Usergroup:Name with a list of users. (This page may itself be protected with, or limited to sysop accounts.)

For example, you could define a page Usergroup:MyGroup with the content:
 * Bill
 * Ted
 * Rufus

And another article with: MyGroup

This would restrict the article to the user accounts Bill, Ted, and Rufus. Note that there should be no space between the asterik and the user name.

To restrict an article to users in any of a list of groups, separate group names with ',,'. For example:

Admins,,Managers

To give one of the groups listed read-only access, add (ro) after the name, without a space:

Admins,,Managers,,Clients(ro)

This would give anyone in the Admins or Managers groups full edit access, and read-only access to users in Clients. Users in multiple groups will get the highest level of access specified.

Note that if adding access controls to an article, you cannot lock yourself out. That is, if you are in Clients, you cannot leave Clients out of the access control list. (This option can be turned off or fine-tuned.)