Extension:CategoryPermissions

What can this extension do?
Extends permission checking by allowing group access to pages that have specific categories. This extension uses the userCan hook; standard permission checks are still performed.

Use this extension at your own risk. Any security scheme based on userCan will not prevent page content from being displayed in search results for versions before MW 1.10. Later versions of MediaWiki won't display page excerpts in search results, but will still display page titles. Protected content can also be included in unprotected pages, allowing unauthorized users to access it. Both of these issues can be resolved by using Extension:RemoveProtectedContent in conjunction with this extension.

Changes

 * 0.4 - Integrated fix for return null bug in version 1.10 and up. Modified debug lines per Richard Hartmann.
 * 0.31 - Changed line 49 per anonymous note
 * 0.3 - No longer bypasses standard permissions except when denying access. Previous version was working around a problem that was outside the extension in my server configuration.

Usage
See Installation

Installation

 * Copy the code shown in the Code section below to extensions/CategoryPermissions.php
 * Make changes to LocalSettings.php as shown below

Changes to LocalSettings.php
require_once("$IP/extensions/CategoryPermissions.php");
$wgGroupDefaultAllow=true; //set to true to allow everyone access to pages without a category
$wgCategoryExclusive=array("Category:cat_name","Category:cat2_name"); //deny access to these categories for anyone not in the group
$wgGroupPermissions['group_name']['Category:categoryname_read']=true;
$wgGroupPermissions['group_name']['Category:categoryname_edit']=true;
$wgGroupPermissions['group_name']['Category:categoryname_move']=true;
$wgGroupPermissions['group_name']['Category:categoryname_create']=true;
$wgGroupPermissions['group_name']['*_read']=true; //allow access to all categories

If you are using a language other than English, replace Category in each of the text strings (NOT the variable names) with the language-specific word for Category.

The permissions are checked as follows:
 * 1) Each category in the list is checked for permissions
 * 2) If a category is in the array $wgCategoryExclusive and the user does not have permissions, access is immediately rejected. Users must have permissions for all categories on the page specified in $wgCategoryExclusive in order to have access granted.
 * 3) If the user has permissions for any category and has not been rejected by an exclusive category, they are granted access
 * 4) If global access (*_read, etc) is set for this user, then access is granted
 * 5) If the page has no categories, $wgGroupDefaultAllow is used to grant or deny access
 * 6) Access is denied ... but we should never get to this step
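
The six steps above, modelled as a stand-alone function so the outcome of a given configuration can be reasoned about before deploying it. This is an added example, not the extension's own code: it follows the listed order literally, and categoryAccess(), its parameters, and the sample categories and rights are all hypothetical.

```php
<?php
// Added illustration: models the six documented steps in the order listed.
// categoryAccess() and every sample value below are hypothetical/constructed.
function categoryAccess(array $pageCats, array $rights, string $action,
                        array $exclusive, bool $defaultAllow): bool
{
    $grantedByCategory = false;
    foreach ($pageCats as $cat) {                         // step 1
        $has = in_array("{$cat}_{$action}", $rights, true);
        if (!$has && in_array($cat, $exclusive, true)) {
            return false;                                 // step 2
        }
        $grantedByCategory = $grantedByCategory || $has;
    }
    if ($grantedByCategory) {
        return true;                                      // step 3
    }
    if (in_array("*_{$action}", $rights, true)) {
        return true;                                      // step 4
    }
    if (count($pageCats) === 0) {
        return $defaultAllow;                             // step 5
    }
    return false;                                         // step 6
}

// Constructed configuration: rights a user's groups grant, and the exclusive list.
$exclusive = ['Category:HR', 'Category:Finance'];
$hrStaff   = ['Category:HR_read', 'Category:Public_read'];
$globalRd  = ['*_read'];

$cases = [
    'HR page, HR staff'                   => [['Category:HR'], $hrStaff],
    'HR+Finance page, HR staff'           => [['Category:HR', 'Category:Finance'], $hrStaff],
    'Public+Finance page, HR staff'       => [['Category:Public', 'Category:Finance'], $hrStaff],
    'uncategorized page, HR staff'        => [[], $hrStaff],
    'Misc page (not exclusive), HR staff' => [['Category:Misc'], $hrStaff],
    'Finance page, *_read only'           => [['Category:Finance'], $globalRd],
];
foreach ($cases as $label => [$cats, $rights]) {
    $ok = categoryAccess($cats, $rights, 'read', $exclusive, true);
    printf("%-38s %s\n", $label, $ok ? 'allow' : 'deny');
}
```

Under this literal reading, the last two cases are the ones worth confirming on a real installation: a categorized page whose categories have no matching rule falls through to step 6 even with $wgGroupDefaultAllow set to true, and an exclusive category rejects at step 2 before the global *_read grant in step 4 is consulted.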