Manual:Preventing access/zh

有关自定义用户权限的帮助，请参阅. 此页面包含用于限制访问的示例.

Most of the examples need changes to MediaWiki configuration file. Snippets of code with no accompanying instructions must be added to  to take effect. To add one or more lines to the file, follow these steps:


 * 1) If there is a   at the end of the file, remove it. It's unnecessary and may cause problems in certain situations.
 * 2) Add the line to the end of the file, using a text editor. It doesn't matter if there are some blank lines above or below the addition. Do not use Windows Notepad, which may add a "Byte Order Mark" (BOM) and prevent the file from being read correctly. Typical symptoms of BOMs include white pages and errors about headers already being sent. To remove a BOM, you'll have to edit the file in a hex editor. Windows WordPad seems to work fine, as does Notepad++. Removal of BOMs can also be accomplished using the Vim text editor by opening the file in Vim, typing :set nobomb, and resaving the file. 如果您使用的是Mac，TextEdit也可以完成这项工作.

For more detailed information on editing, read.

Simple private wiki
For the common use case of "a private wiki, for oneself and approved others", you need to:


 * Restrict viewing
 * Restrict editing
 * Restrict account creation

Depending on what extensions you have installed, you may want to whitelist more pages. For example if you are using the extension, you probably want Special:RequestAccount whitelisted. If the content language of your wiki is not English, you may have to use the translated name of the special pages in question.

Restrict account creation
To restrict account creation, you need to edit LocalSettings.php in the root path of your MediaWiki installation.


 * 1) Go to, when logged in as a sysop.
 * 2) Click on "Create an account" link to get to the account creation form.
 * 3) Enter a username and an email address, and click the "by email" button. Note you need or else the sysop must pick a password and send it to the user.
 * 4) The account will be created with a random password which is then emailed to the given address (as with the "forgot password" feature). The user will be requested to change password at first login; when he does this, his e-mail address will also be marked as confirmed.
 * When you click the "create account" button instead, you have to manually send the user his password. If you've set (default configuration up to version 1.15) and you've left the password field blank, the user will be emailed an e-mail address confirmation request but will be unable to access  to perform the confirmation. Instead, the user will get an error (unless you've added it to ); the user will be able to login with a blank password and then confirm email, but their password will not have been reset (it will have to be reset manually).

It may be appropriate to edit the text displayed when a non-user attempts to log in. This can be done at MediaWiki:Nosuchuser, when logged in as a sysop. Use plain text without any special formatting, as the formatting is ignored and the text is literally rendered. (Might have changed, see bug 12952).

You may also modify the contents of the e-mail sent to new users by editing the page MediaWiki:Createaccount-text.

To prevent even sysops from creating accounts:

To add a message on top of the login form, modify MediaWiki:Loginprompt. Alternatively, use this code in your LocalSettings.php:

Restrict editing of all pages
Users will still be able to read pages with these modifications, and they can view the source by using Special:Export/Article name or other methods. See also bug 1859.

See and. If you use, any wiki admin can also put various restrictions in place.

Some examples of how to protect all pages from editing (not reading) by certain classes of users:

Restrict anonymous editing
Requires that a user be registered before they can edit.

Restrict editing by all non-sysop users
Requires that a user be a member of the administrators (sysop) usergroup.

Restrict editing of an entire namespace
Starting from MediaWiki version 1.10, it is possible to protect entire namespaces using the variable. Examples:

Note that in the last case it's assumed that a custom namespace exists and that  is a defined constant equal to the namespace number. See Manual:Using custom namespaces and Manual:Namespace_constants for a list of MediaWiki's core namespaces.

Restrict editing of certain specific pages
Use the feature. By default, any sysop can protect pages so only other sysops can edit them. In 1.9 and higher, by default they can also protect pages so only "autoconfirmed" users (with accounts older than a configured period) can edit them. This does not require editing configuration files.

If you want to restrict editing to groups with specific permissions, edit. To prevent actions other than edit and move, use.

限制所有页面的编辑
要对所有页面的编辑施加全面限制，但允许一些（例如沙箱，加入请求页面等）可编辑，您可以使用扩展. This may not fit too often, but you could also use the Restrict editing of certain specific pages method mentioned above, with all name spaces protected, and only a special one editable by everyone which has all the pages you want editable.

限制某些IP地址范围的编辑
学校和其他机构可能希望阻止指定的IP地址范围以外的编辑. 为此，请参阅. The only way to do this at present without modifying the code is to go to Special:Blockip and systematically  every one of the address ranges that you don't want to be able to edit. 这适用于所有未来版本的MediaWiki. 它不会在每个名字空间的基础上工作.

限制特定用户的编辑
使用用户功能剥夺用户的所有编辑权限. MediaWiki并不能直接向单独用户授予权利；相反，权限始终给予用户组. 除了更改用户组之外，核心软件无法更改特定用户的权限以限制或允许编辑特定页面.

限制在某些名字空间中创建页面
There are separate rights for creating talk pages (createtalk) and creating non-talk pages (createpage). If you need per-namespace control finer than that, it is not possible in core MediaWiki, and requires an extension such as.

限制对上传文件的访问权限

 * &rarr;, , 

如果您已启用上传文件的功能，则这些文件将由底层Web服务器直接提供. 因此，.

Example for access restriction to uploaded files in the server configuration
If sensitive files are uploaded to an internet-accessible wiki, you may wish to add restrictions on where these can be accessed from. On Apache, if your local network were 10.1.2.*, you could restrict serving files to local addresses with:

 Order deny,allow Allow from 10.1.2.3 Deny from all 

Restrict viewing of all pages
Add this line to your LocalSettings.php file:

The  setting allows users to view the main page. If page names have more than one word, use a space " " between them, not an underscore "_".

In addition to the main page of such a private site, you could give access to the Recentchanges page (if you think that its content isn't private) for feed readers by adding "Special:Recentchanges" to.

If you need to protect even the sidebar, main page, or login screen for any reason, it's recommended that you use higher-level authentication such as .htpasswd or equivalent.

Restrict viewing of certain specific pages
To prevent anyone but sysops from viewing a page, it can simply be. To prevent even sysops from viewing it, it can be removed more permanently with extension. To completely destroy the text of the page, it can be manually removed from the database. In any case, the page cannot be edited while in this state, and for most purposes no longer exists.

To have a page act normally for some users but be invisible to others, as is possible for instance in most forum software, is a very different matter. MediaWiki is designed for two basic access modes:


 * 1) Everyone can view every single page on the wiki (with the possible exception of a few special pages). This is the mode used by Wikipedia and its sister projects.
 * 2) Anonymous users can only view the Main Page and login page, and cannot edit any page. This is basically the same as the above, in terms of technical implementation (just an extra check for every page view), which is why it exists. This is the mode of operation used by certain private wikis such as those used by various Wikimedia committees.

If you intend to have different view permissions than that, MediaWiki is not designed for your usage. (See bug 1924.) Data is not necessarily clearly delineated by namespace, page name, or other criteria, and there are a lot of leaks you'll have to plug if you want to make it so (see  for a sample). Other wiki software may be more suitable for your purpose. You have been warned. If you must use MediaWiki, there are three basic possibilities:


 * 1) Set your wiki up private and whitelist specific pages that will be public with   in the LocalSetting.php file. See the section above.
 * 2) Set up separate wikis with a, configure one as viewable and one as unviewable (see above), and  between them.
 * 3) Install a third-party hack or extension. You will have to reapply it every time you upgrade the software, and it may not be updated immediately when new security fixes or upgrades of MediaWiki are released. Third-party hacks are, of course, not supported by MediaWiki developers, and if you're having problems you shouldn't ask on MediaWiki-l, #mediawiki, or other official support channels. A number of hacks are listed in . Read about  if you plan to use one of those.

Restricting exporting
See also: 

It is not possible to export the contents of a page that cannot be read since rev:19935.

Removing the Login link from all pages
One can remove the login/create account link from the upper right corner of all pages, as users can still go to Special:SpecialPages>Special:UserLogin to login. In LocalSettings.php use (tested with MediaWiki 1.16)

Removing accounts
If you want to completely remove access to a user, e.g. on a simple private wiki, it's not possible to simply delete the account ; you can it, but the user will still  to read pages. However, using extension you can merge the account in another one and delete the former; the original account will then "disappear". If you want to preserve history readability (i.e., to have edits from the user to be still shown under his name), you can create a new account e.g. with username "OriginalUserName (deactivated)" and then merge "OriginalUserName" into the former, or even use extension to rename "OriginalUserName" into "AnotherUserName", then create an account under "OriginalUserName" and merge "AnotherUserName" into it: in this manner, "OriginalUserName" will be completely "usurped" (if you've set a non-null password).

Since MediaWiki 1.16.0, it is possible to set to true to prevent access and reading to blocked users.

Other restrictions
You may want to have pages editable only by their creator, or ban viewing of history, or any of a number of other things. MediaWiki的未经修改版本中这些功能不可用. If you need more fine-grained permissions, see the #See also section for links to other wiki packages that are designed for this, as well as hacks that attempt to contort MediaWiki into something it's not designed to be but may work anyway.

参见
有一些您可能感兴趣的相关手册/帮助页面：



其他维基软件可能比MediaWiki更好地支持细粒度的访问控制：


 * MoinMoin
 * - 基于MediaWiki（有限文档，小项目）
 * TWiki
 * TikiWiki - 具有完全可配置的功能和权限级别的访问控制.

如果您想要更好的访问控制但想要使用MediaWiki，这是一个扩展列表，并且允许在软件中实现不可能的限制. 其中的修改可能已经过时（请查看他们的版本）. 如果经过第三方修改的文件出现问题，请不要在官方MediaWiki支持渠道中询问.


 * (不在维护)
 * - restricts anonymous users from editing most pages
 * (不在维护)
 * (不在维护)
 * - restricts anonymous users from editing most pages
 * (不在维护)
 * - restricts anonymous users from editing most pages
 * (不在维护)
 * (不在维护)
 * (不在维护)


 * Archived extensions