Extension:SemanticAccessControl

What can this extension do?
This extension defines an access control framework. It provides these features
 * provides GUI to define User Group.
 * Access control statement can be embedded into template. So there is not any messy text editing to insert ACL text.
 * Page specific access control can be defined through a GUI interface.

Usage
All Users is an implicit group. You can use it in your template. User specific permission can be added like this ACL_Page_Fixed semantic property can be added to template so that the page can not be edited any more once it is created.
 * Configure default site access control rule. Edit UserGroup:SiteACL
 * Configure the default policy for user in one group. Edit UserGroup:GroupACL
 * Add any user who design the site. Edit UserGroup:Developers
 * Add Groups and define Access control properly. Go to AdminLink->Create Custom Group.
 * In your template, use the Property ACL Page Parent to establish the inheritance of permissions if needed. E.g.
 * In your template, Define content-specific ACL by adding ACL statement to Template. Group specific permission can be added like this
 * User can edit/view page permission by following Permissions action tab.

Concept
This extensions classifies pages into three categories: content pages, schema pages and access control-related pages. Access control for content page follows these flow.
 * Content page are the regular pages, most in the MAIN namespace.
 * Schema pages are pages which define the overall site structure such as pages in template, property, category, form, concept namespace. These pages are not regular pages for end user. Schema Pages can only be edited by users in Developers group.
 * Access control-related pages are pages in a namespace. These pages can be edited only when a user has proper Grant permission.

At any stage, if a right is explicitly granted or denied, the checking stops. Otherwise, it goes to next stage.


 * 1) page owner and users in bot, sysop, and bureaucrat have all permissions all the time. Page owner is the user who creates the page in the first place and any one defined with ACL Page Owner semantic property.
 * 2) Check any permission in the page itself. The permission could be introduced implicitly from template.
 * 3) Check any permission which is created by end user following the Permissions action tab.
 * 4) Check any inherited permission if the page has one.
 * 5) Find all groups the page owner belongs to and any group as is defined with ACL Page Group semantic properties. If current user is in one of the group, Check the group policy as is defined in UserGroup page. Then check GroupACL.
 * 6) Check policy in SiteACL.
 * 7) Fall back to MediaWiki itself.

Download
Binary distribution Source can be found at source hosting

Requirement
First, untar the extension to extensions folder.
 * Semantic MediaWiki
 * Semantic Forms
 * Semantic Internal Object
 * Admin Links
 * Semantic Forms Select
 * Header Tabs

Second, add the following to LocalSettings.php: make sure in your LocalSettings.php, you have $wgMetaNamespace = "Project"; The Project namespace is needed for everything to work smoothly. Finally, add pages under pages folder and groups folder to your MediaWiki installation. This extension defines two namespaces. You need to install the extension first, then add these pages. Otherwise, some of the pages are left to Main namespace although it has UserGroup: in the page title. You can add these pages manually one by one, or you can use a bot to add them in batch. A wikibot tool is provided to facilitate the pages' addition. Run wikibot.pl --help for more information about the tool.

Parser Function Provided
For convenience, this extensions provided four parser functions:
 * allgroups: list all defined user groups. It accepts one parameter with value 0|1. If the value is 1, predefined groups are included.
 * allusers:list all users. It accepts one parameter with value 0|1. If the value is 1, users in bot, sysop, and bureaucrat are included, too.
 * groupusers: list all users in one group. It accepts one parameter: the group name.
 * usergroups: list all groups the user is in. It accepts two parameters: username, and one parameter with value 0|1. If the username is 'current user', the current username is used. If the value for second parameter is 1, predefined groups are included, too.

Demonstration
Make Sure Semantic Internal Object work before you do any testing. This extension uses semantic internal objects. If it does not work, this extension will not work. (you can check in "Special:Version" if your mediawiki has the Semantic Internal Object extension. If you use mediawiki SemanticBundle you need to uncomment the SemanticInternalObjects.php line in SemanticBundleSettings.php) A wikibot tool is provided to facilitate the pages uploading. Run wikibot.pl --help for more information about the tool.
 * create 6 regular users: test11, test12, test21, test22, test31, test32.
 * upload pages under testpages to your site. These pages define three user groups: TestGroup1(test11. test12), TestGroup2(Test21, test22) and TestGroup3(test31, test32). Go to page Department1. Users in TestGroup1 have all rights. Users in TestGroup2 have read right. Users in TestGroup3 have no right. You can edit this page. User right will adjust according to rule defined in template.

Configuration parameters
Usually, you do not need changing configuration. If you have custom namespace, you can adjust this parameter

$ACL_CONTENT_Namespaces=array(NS_MAIN, NS_FILE, NS_USER): what namespace is content namespace.

Acknowledge
This project is sponsored by BioTeam