Extension:Lockdown

The Lockdown extension implements a way to restrict access to specific namespaces and special pages to a given set of user groups. This provides a more fine grained security model than the one provided by the default $wgGroupPermissions and $wgNamespaceProtection settings.

The following pages about the security model used by MediaWiki per default may be helpful to understand the instructions below:


 * Manual:User rights
 * Manual:$wgGroupPermissions

Installing
Copy the Lockdown directory into the extensions folder of your MediaWiki installation. Then add the following lines to your LocalSettings.php file (near the end): The settings for $wgSpecialPageLockdown and $wgNamespacePermissionLockdown are just examples - see below for details.

Configuration
Note that the Lockdown extension can only be used to *restrict* access, not to *grant* it. If access is denied by some built-in setting of MediaWiki, it cannot be allowed using the Lockdown extension.

$wgSpecialPageLockdown
$wgSpecialPageLockdown allows you to specify for each special page which user groups have access to it. For example, to limit the use of Special:Export to logged in users, use this in LocalSettings.php:

Note that some special pages "natively" require a specific permission. For example, Special:Userrights, which can be used to assign user groups, required the "userrights" permission (granted only to the "bureaucrat" group per default). This restriction can not be overridden using the Lockdown extension.

$wgNamespacePermissionLockdown
$wgNamespacePermissionLockdown lets you restrict which user groups have which permissions on which namespace. For example, to grant only members of the sysop group write access to the project namespace, use this:

Wildcards for either the namespace or the permission (but not both at once) are supported. More specific definitions take precedence: The first two lines restrict all permissions in the project namespace to members of the sysop group, but still allow reading to anyone. The third line limits page moves in all namespaces to members of the autoconfirmed group.

Note that this way, you cannot *grant* permissions that have not been allowed by the build-in $wgGroupPermissions setting. The following does *not* allow regular users to patrol edits in the main namespace:

Instead, you would have to grant this right in $wgGroupPermissions first, and then restrict it again using $wgNamespacePermissionLockdown: Note that when restricting read-access to a namespace, the restriction can easily be circumvented if the user has write access to any other namespace: by including a read-protected page as a template, it can be made visible. To avoid this, you would have to forbid the use of pages from that namespace as templates, by adding the namespace's ID to $wgNonincludableNamespaces (this feature was introduced in MediaWiki 1.10, revision 19934, and is also available as an extension for earlier versions):

security flaws & bugfixes
Following instructions have to be read like this:

Special:Search
To avoid content of protected pages appearing in search results, change follwowing lines of the function showMatches in SpecialSearch.php:

Special:Allpages, …
To avoid names of protected namespaces appearing in combo boxes, add follwowing functions to your Lockdown.php:

You also have to change follwowing lines of the function getNamespaces in Language\Language.php:

Special:Recentchanges
To avoid changes and edit summary of protected pages appearing in recent changes, change follwowing lines of the function wfSpecialRecentchanges in includes\SpecialRecentchanges.php:

Special:Wantedpages
To avoid entries of protected pages appearing in wanted changes, change follwowing lines of the function formatResult in includes\SpecialWantedpages.php:

Special:Logs
To avoid entries of protected pages appearing in the logs, change follwowing lines of the function logLine in includes\SpecialLog.php:

Categories
To avoid entries of protected pages appearing in categories, change follwowing lines of the function addPage in includes\CategoryPage.php:

Special:Prefixindex
To avoid entries of protected pages appearing in prefixindex, change follwowing lines of the function showChunk in includes\SpecialPrefixindex.php:

Special:Mostlinked
To avoid entries of protected pages appearing in most linked pages, change follwowing lines of the function formatResult in includes\SpecialMostlinked.php:

Special:Listredirects
To avoid entries of protected pages appearing in list of redirects, change follwowing lines of the function formatResult in includes\SpecialListredirects.php:

Special:Linksearch
To avoid entries of protected pages appearing in Special:Linksearch – if you are using Extension:LinkSearch, change follwowing lines of the function formatResult in extensions\LinkSearch\LinkSearch_body.php:

Images and other uploaded files
Images and other uploaded files still can be seen and included on any page.


 * see also
 * Extension:Simple Security
 * Extension:SimpleSecurity4

Redirects
If a redirect  to a page P in a protected namespace PNS has been placed on an unprotected page and the page has been loaded, it will lead the user to the protected page, regardless the user belongs to the required usergroup or not.