Extension:SemanticAccessControl

The SemanticAccessControl extension defines an access control framework. It provides these features
 * provides GUI to define User Groups via "Edit with form" action.
 * Access control statement can be embedded into template, so there is not any messy text editing to insert ACL text.
 * Page specific access control can be defined through a GUI interface.

Usage
All Users is an implicit group. You can use it in your template. User specific permission can be added like this ACL_Page_Fixed semantic property can be added to template so that the page can not be edited any more once it is created.
 * Configure default site access control rule. Edit UserGroup:SiteACL using "Edit with form" toolbar link.
 * Configure the default policy for user in one group. Edit UserGroup:GroupACL using "Edit with form".
 * Add any user who design the site. Edit UserGroup:Developers using "Edit with form".
 * Add Groups and define Access control properly. Go to AdminLink->Create Custom Group.
 * In your template, use the Property ACL Page Parent to establish the inheritance of permissions if needed. E.g.
 * In your template, Define content-specific ACL by adding ACL statement to Template. Group specific permission can be added like this
 * User can edit/view page permission by following Permissions action tab.

Concept
This extensions classifies pages into three categories: content pages, schema pages and access control-related pages. Access control for content page follows these flow.
 * Content page are the regular pages, most in the MAIN namespace.
 * Schema pages are pages which define the overall site structure such as pages in template, property, category, form, concept namespace. These pages are not regular pages for end user. Schema Pages can only be edited by users in Developers group.
 * Access control-related pages are pages in a namespace. These pages can be edited only when a user has proper Grant permission.

At any stage, if a right is explicitly granted or denied, the checking stops. Otherwise, it goes to next stage.


 * 1) page owner and users in bot, sysop, and bureaucrat have all permissions all the time. Page owner is the user who creates the page in the first place and any one defined with ACL Page Owner semantic property.
 * 2) Check any permission in the page itself. The permission could be introduced implicitly from template.
 * 3) Check any permission which is created by end user following the Permissions action tab.
 * 4) Check any inherited permission if the page has one.
 * 5) Find all groups the page owner belongs to and any group as is defined with ACL Page Group semantic properties. If current user is in one of the group, Check the group policy as is defined in UserGroup page. Then check GroupACL.
 * 6) Check policy in SiteACL.
 * 7) Fall back to MediaWiki itself.

Requirement
First, untar the extension to extensions folder.
 * Semantic MediaWiki
 * Semantic Forms
 * Semantic Internal Object
 * Admin Links
 * Semantic Forms Select
 * Header Tabs

Second, add the following to LocalSettings.php:

make sure in your LocalSettings.php, you have $wgMetaNamespace = "Project"; The Project namespace is needed for everything to work smoothly.

Import the pages in file sac_def.xml under the extensions/SemanticAccessControl folder. Importing can be accessed using url Special:Import.

This extension defines two namespaces. You need to install the extension first, then import the pages. Otherwise, some of the pages are left to Main namespace although it has UserGroup: in the page title.

Parser Function Provided
For convenience, this extensions provided four parser functions:
 * allgroups: list all defined user groups. It accepts one parameter with value 0|1. If the value is 1, predefined groups are included.
 * allusers:list all users. It accepts one parameter with value 0|1. If the value is 1, users in bot, sysop, and bureaucrat are included, too.
 * groupusers: list all users in one group. It accepts one parameter: the group name.
 * usergroups: list all groups the user is in. It accepts two parameters: username, and one parameter with value 0|1. If the username is 'current user', the current username is used. If the value for second parameter is 1, predefined groups are included, too.

Demonstration
Install Demo in your site:

Make Sure Semantic Internal Object works before you do any testing. This extension uses semantic internal objects. If it does not work, this extension will not work. (you can check in "Special:Version" if your mediawiki has the Semantic Internal Object extension. If you use mediawiki SemanticBundle you need to uncomment the SemanticInternalObjects.php line in SemanticBundleSettings.php)
 * 1) create 6 regular users: test11, test12, test21, test22, test31, test32.
 * 2) Import the pages in file sac_demo.xml under the extensions/SemanticAccessControl folder. Importing can be accessed by the URL Special:Import.
 * 3) Go to page AccessControlDemo page. Follow the instruction.

Configuration parameters
Usually, you do not need changing configuration. If you have custom namespace, you can adjust this parameter

$ACL_CONTENT_Namespaces=array(NS_MAIN, NS_FILE, NS_USER): what namespace is content namespace.

Bugs

 * If a page has a ":" in its pagename, the accesscontrol function doesn´t work!!
 * If it exist a redirect on a page, you have to protect both, that the function works!

Acknowledge And Support
This project was sponsored by BioTeam.

This project is sponsored by Flexdms. Check out Flexdms professional software for data management.

For support, please send email to user mail list in SemanticMediawiki.