Extension:CategoryPermissions

What can this extension do?
Extends permission checking by allowing group access to pages that are in specific categories. This extension uses the userCan hook and may clobber other access controls. Use this extension at your own risk. Any security scheme based on userCan will not prevent page content from being displayed in search results!

Installation

 * Copy the code shown in the Code section below to extensions/CustomPermissions.php
 * I will try to provide a file for download also
 * Make changes to LocalSettings.php as shown below

Changes to LocalSettings.php
require_once("$IP/extensions/CustomPermissions.php");
$wgGroupAlwaysAllow=''; //set a group name to ALWAYS allow access to this group
$wgGroupDefaultAllow=true; //set to true to allow everyone access to pages without a category
$wgGroupPermissions['group_name']['Category:categoryname_read']=true;
$wgGroupPermissions['group_name']['Category:categoryname_edit']=true;
$wgGroupPermissions['group_name']['Category:categoryname_move']=true;
$wgGroupPermissions['group_name']['Category:categoryname_create']=true;

The permissions are checked as follows:
 * The categories are tested one at a time. If the user is part of the group 'group_name' and the exact lines above are used, they will have full access to any page in the category 'categoryname'.
 * When a user is anonymous, allowing rights to '*' will clobber the normal user permissions checks. This allows you to set the default permissions to false and grant anonymous permissions based on category.
 * If a group is set in $wgGroupAlwaysAllow, that group always has full access (as determined by the normal MediaWiki permissions scheme).
 * If $wgGroupDefaultAllow=true, a page without any categories reverts to the standard permissions scheme.
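
The check order listed above, modelled as a stand-alone PHP function that runs without MediaWiki. This is an added example, not the extension's code: `decideAccess()`, the `sysop` and `staff` groups and the `Public` and `Staff` categories are all constructed for illustration.

```php
<?php
// Added model of the check order listed above; not the extension's code.
// decideAccess() and every group, right and category here are constructed.
// 'allow'/'deny': the check forces the verdict; 'standard': it sets none.
function decideAccess(array $cfg, array $user, array $categories, string $action): string
{
    // Simplified rights lookup: '*' plus the user's explicit groups.
    $rights = [];
    foreach (array_merge(['*'], $user['groups']) as $group) {
        $rights += array_filter($cfg['permissions'][$group] ?? []);
    }
    if ($cfg['alwaysAllow'] !== '' && in_array($cfg['alwaysAllow'], $user['groups'], true)) {
        return 'allow';
    }
    if (!$categories) {
        return $cfg['defaultAllow'] ? 'standard' : 'deny';
    }
    // Categories are tested one at a time; the first match ends the check.
    foreach ($categories as $category) {
        if (isset($rights["{$category}_{$action}"])) {
            // Anonymous match forces the verdict; for logged-in users none is set.
            return $user['anon'] ? 'allow' : 'standard';
        }
    }
    return 'deny'; // page has categories, none grants this action
}

$cfg = [
    'alwaysAllow'  => 'sysop',
    'defaultAllow' => true,
    'permissions'  => [
        '*'     => ['Category:Public_read' => true],
        'staff' => ['Category:Staff_read' => true, 'Category:Staff_edit' => true],
    ],
];
$anon  = ['anon' => true,  'groups' => []];
$staff = ['anon' => false, 'groups' => ['staff']];

$cases = [
    ['anon reads Public page',         $anon,  ['Category:Public'], 'read'],
    ['anon reads Staff page',          $anon,  ['Category:Staff'], 'read'],
    ['anon reads Staff+Public page',   $anon,  ['Category:Staff', 'Category:Public'], 'read'],
    ['staff moves Staff page',         $staff, ['Category:Staff'], 'move'],
    ['staff reads uncategorised page', $staff, [], 'read'],
];
foreach ($cases as [$label, $user, $cats, $action]) {
    printf("%-32s %s\n", $label, decideAccess($cfg, $user, $cats, $action));
}
```

In this model the page tagged with both Staff and Public comes out as 'allow' for the anonymous reader: one matching category is enough, so a restricted page should not also carry a broadly granted category.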

Code
The wfDebug statements are for debugging purposes and can be commented out as desired.

<?php
/*
 * Custom Permissions Scheme using Categories
 * based on Extension:NamespacePermissions by Petr Andreev
 *
 * Provides separate permissions for each action (read,edit,create,move) based
 * on category tags on pages.
 *
 * Author: Matthew Vernon
 *
 * Usage:
 *
 * require_once('extensions/CategoryPermissions.php');
 * $wgGroupAlwaysAllow=''; //set a group name to ALWAYS allow access to this group
 * $wgGroupDefaultAllow=true; //set to true to allow everyone access to pages without a category
 *
 *
 * //add groups to category permissions by:
 * $wgGroupPermissions['group_name']['Category:categoryname_read']=true;
 * $wgGroupPermissions['group_name']['Category:categoryname_edit']=true;
 * $wgGroupPermissions['group_name']['Category:categoryname_move']=true;
 * $wgGroupPermissions['group_name']['Category:categoryname_create']=true;
 */

//set up hook
$wgExtensionFunctions[] = "wfCategoryPermissions";

function wfCategoryPermissions() {
    global $wgHooks;

    // use the userCan hook to check permissions
    $wgHooks['userCan'][] = 'checkCategoryPermissions';
}

// $result is taken by reference so that the verdict set here reaches the caller
function checkCategoryPermissions( $title, $user, $action, &$result ) {
    global $wgGroupAlwaysAllow, $wgGroupDefaultAllow, $wgGroupPermissions;

    // accessors instead of the m* members, which may not be loaded yet
    $page = $title->getPrefixedText();
    $name = $user->getName();

    //get categories for this page
    $parentCategories = $title->getParentCategories();

    //always allow wgGroupAlwaysAllow group
    if ( in_array( $wgGroupAlwaysAllow, $user->getGroups() ) ) {
        wfDebug( "checkCategoryPermissions:{$action} allowed on {$page} to {$name} : AlwaysAllow\n" );
        $result = true;
        return null;
    }

    //scan list of categories, if any
    if ( $parentCategories ) {
        foreach ( $parentCategories as $category => $dd ) {
            $temp_result = $user->isAllowed( "{$category}_{$action}" );
            if ( $temp_result ) {
                wfDebug( "checkCategoryPermissions:{$category}_{$action} allowed on {$page} to {$name}\n" );
                if ( $user->isAnon() ) {
                    $result = true;
                    return true;
                } else {
                    return null;
                }
            }
        }
    } else {
        // $wgGroupDefaultAllow as documented above: a page without categories
        // goes back to the standard permissions scheme ($result left untouched)
        if ( $wgGroupDefaultAllow ) {
            return true;
        }
        wfDebug( "checkCategoryPermissions:{$action} DENIED on {$page} to {$name} : No Categories\n" );
        $result = false;
        return false;
    }

    //default action=deny
    wfDebug( "checkCategoryPermissions:{$action} DENIED on {$page} to {$name}\n" );
    $result = false;
    return false;
}