User:Fcarpani/SpecialPageSecurity

An extension that can control the access to SpecialPages based on groups

= Installation = if (array_key_exists('SpecialPageAuthCheck',$wgHooks)){ if(!wfRunHooks('SpecialPageAuthCheck')) return false; };
 * 1) Include the file with this code
 * 2) Modify the method executePath in includes/SpecialPage.php following these instructions:
 * 3) Add $wgHooks to the global declaration in the function.
 * 4) Add the hook-check code (the if (array_key_exists('SpecialPageAuthCheck',$wgHooks)) snippet shown next to the Installation heading) on the line right after the profiling instruction (wfProfileIn( ... );):

= Configuration = Now you can add the following declarations in your LocalSettings.php: $wgSpecialPageAuthErrorPage = "Restricted Page"; $wgSpecialPageAuthEnable=true; $wgServerName; $wgSpecialPageAuth['*']='/^(Userlogin|Userlogout)$/'; $wgSpecialPageAuth['user']='/SpecialPage/'; $wgSpecialPageAuth['boys']='/SpecialPages|Resetpass|Confirmemail/';
 * 1) The page to display if access is denied. This page must be created by the wiki admin. It can be the same page used by PageSecurity.
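 * 1) If $wgSpecialPageAuthEnable=true, then only users in an allowed group can access a special page. If it is false or not set, the check is skipped and every special page stays accessible. Members of the sysop group always pass the check.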
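 * 1) $wgSpecialPageAuth is an array indexed by group. Each entry holds a regular expression that is matched against the title (without namespace) of the page. The expression is used exactly as written, so an unanchored pattern such as '/SpecialPage/' allows every title that merely contains that text; anchor the pattern with ^ and $ (as in the '*' example) when only exact page names should be allowed.
 * 2) The group * must have access to some pages, at least Userlogin and Userlogout.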
 * 1) Then other groups can have more pages...
 * 2) Logged-in users can list all pages. They can also execute Userlogin and Userlogout.
 * 1) The group boys can list all pages but can only execute Resetpass and Confirmemail. Because its members are also in user, they can execute the pages allowed for user as well. If a user belongs to at least one group with authorization, then he can execute the page.

= The Php = 'PageSpecialSecurity',     'version'=>$pageSpecialSecurityVersion,     'author'=>'Fernando Carpani',     'url'=>'',     'description' => 'Restricts access to special pages according to security definitions'     ); $wgHooks['SpecialPageAuthCheck'][]="SpecialPageAuthCheck"; /* Must be a boolean function. */

// The array $wgSpecialPageAuth holds, for each group, the special pages that group can execute.
// The variable $wgSpecialPageAuthEnable controls the check (if true, the check is performed).

// global $wgSpecialPageAuth; is an array indexed by group; each entry is a regular expression of allowed special page names.
// global $wgSpecialPageAuthEnable;

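/**
 * Gives the two configuration globals a defined value when LocalSettings.php
 * left them unset.
 *
 * $wgSpecialPageAuth becomes an empty array (no group is allowed anything) and
 * $wgSpecialPageAuthEnable becomes false, i.e. the access check stays switched
 * off until the administrator enables it explicitly.
 *
 * @return void
 */
function wfSetSpecialPageSecurity() {
    global $wgSpecialPageAuth, $wgSpecialPageAuthEnable;

    // A missing or non-array map is replaced by an empty one, so a later
    // lookup by group name never indexes into a scalar.
    if (!is_array($wgSpecialPageAuth)) {
        $wgSpecialPageAuth = array();
    }

    // Only an unset flag is defaulted; an explicit setting is left untouched.
    if (!isset($wgSpecialPageAuthEnable)) {
        $wgSpecialPageAuthEnable = false;
    }

    wfDebug("=====>SetSpecialPageSecurity\n");
}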

// The implementation is based on a new hook SpecialPageAuthCheck

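/**
 * Handler for the SpecialPageAuthCheck hook.
 *
 * Asks SpecialPageAuthTest() whether the current user ($wgUser) may execute
 * the requested special page ($wgTitle). On denial the request is redirected
 * to the page named by $wgSpecialPageAuthErrorPage, when one is configured,
 * and the hook reports failure so the special page is not executed.
 *
 * @return bool true to let the special page run, false to stop it.
 */
function SpecialPageAuthCheck() {
    global $wgSpecialPageAuthErrorPage, $wgUser, $wgTitle, $wgOut;

    if (SpecialPageAuthTest($wgTitle, $wgUser)) {
        return true;
    }

    // Denied. With no error page configured there is nothing to redirect to.
    if (empty($wgSpecialPageAuthErrorPage)) {
        return false;
    }

    // Title::newFromText() yields no Title object for an invalid page name.
    // Skip the redirect in that case instead of calling a method on a
    // non-object; access is still refused below.
    $title = Title::newFromText($wgSpecialPageAuthErrorPage);
    if (is_object($title)) {
        $redirectURL = $title->getFullURL();
        $wgOut->redirect($redirectURL);
    }

    wfDebug(sprintf("====>SpecialPageAuthCheck: %s user=%d no permitida\n", $wgTitle->mDbkeyform, $wgUser->mId));
    return false;
}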

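/**
 * Decides whether $user may execute the special page identified by $title.
 *
 * When $wgSpecialPageAuthEnable is false the check is disabled and everything
 * is allowed. Otherwise members of "sysop" are always allowed, and any other
 * user is allowed only if at least one of his effective groups has a pattern
 * in $wgSpecialPageAuth that matches the title's mDbkeyform. Anything else is
 * denied.
 *
 * The pattern is handed to preg_match() exactly as configured, so an
 * unanchored pattern matches any title that contains the text.
 *
 * @param object $title Title object; its mDbkeyform is matched.
 * @param object $user  User object; getEffectiveGroups() and mId are read.
 * @return bool true if access is allowed, false if it is denied.
 */
function SpecialPageAuthTest(&$title, &$user) {
    global $wgSpecialPageAuthEnable, $wgSpecialPageAuth;

    wfDebug(sprintf("===>SpecialPageAuthTest: title=%s, user=%d\n", $title->mDbkeyform, $user->mId));

    // Check switched off: nothing is restricted.
    if (!$wgSpecialPageAuthEnable) {
        return true;
    }

    wfDebug(sprintf("===>SpecialPageAuthCheck: AuthEnable title=%s,user=%d\n", $title->mDbkeyform, $user->mId));
    $user_groups = $user->getEffectiveGroups();

    // Sysops bypass the pattern table. The comparison is strict so that a
    // non-string group value can never compare equal to "sysop".
    if (in_array("sysop", $user_groups, true)) {
        return true; // sysop access override granted
    }

    // Allowed as soon as one group's pattern matches; denied otherwise.
    foreach ($user_groups as $group) {
        wfDebug(sprintf("===>SpecialPageAuthCheck: user %d in group=%s\n", $user->mId, $group));

        // A group without a configured pattern grants nothing. Skipping it
        // avoids passing an undefined entry to preg_match().
        if (!isset($wgSpecialPageAuth[$group])) {
            continue;
        }

        // preg_match() returns 1 on a match, 0 on none and false on a broken
        // pattern; only an actual match grants access.
        if (preg_match($wgSpecialPageAuth[$group], $title->mDbkeyform) === 1) {
            wfDebug(sprintf("===>SpecialPageAuthCheck: return Allowed by group=%s\n", $group));
            return true;
        }
    }

    return false;
}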

?>