Extension talk:Lockdown


رامي 4554 (talkcontribs)

Hi; How can access to templates be restricted to registered persons?

Charitwo (talkcontribs)

You can protect them using administrator rights to "Allow only autoconfirmed users" - this will only prevent editing but not viewing

Reply to "Restrict access to templates"

Lockdown and VisualEditor - can't edit protected pages

Ckoerner (talkcontribs)

I have a wiki running 1.23wmf11 and the latest build of VisualEditor, the WYSIWYG editor from Wikimedia. It uses a node.js-based parser to round-trip wikitext called Parsoid.

I have defined a few custom namespaces and enabled VisualEditor for those namespaces. Everything is working as intended.

If I use $wgNamespacePermissionLockdown to define read and edit rights for user groups VisualEditor does not work.

Instead I'm prompted with a "Error loading data from server: parsoidserver-http-bad-status: 500."

Editing the page with WikiEditor works as intended.

node spits out the following when the attempt to edit is made.

starting parsing of localhost:DBC:Cache_Shadowing_Stop/Start_Suspend/Resume
 ERROR in localhost:DBC:Cache_Shadowing_Stop/Start_Suspend/Resume with oldid: 123915
 Stack trace: Error: API response is missing query for: DBC:Cache_Shadowing_Stop/Start_Suspend/Resume
  at TemplateRequest._handleJSON (/var/www/Parsoid/lib/mediawiki.ApiRequest.js:270:11)
  at TemplateRequest.ApiRequest._handleBody (/var/www/Parsoid/lib/mediawiki.ApiRequest.js:192:7)
  at TemplateRequest.ApiRequest._requestCB (/var/www/Parsoid/lib/mediawiki.ApiRequest.js:149:8)
  at Request.self.callback (/var/www/Parsoid/node_modules/request/request.js:129:22)
  at Request.EventEmitter.emit (events.js:98:17)
  at Request.<anonymous> (/var/www/Parsoid/node_modules/request/request.js:873:14)
  at Request.EventEmitter.emit (events.js:117:20)
  at IncomingMessage.<anonymous> (/var/www/Parsoid/node_modules/request/request.js:824:12)
  at IncomingMessage.EventEmitter.emit (events.js:117:20)
  at _stream_readable.js:920:16

It sounds like the Lockdown extension is somehow getting in the way of Parsoid and the MediaWiki API making its calls.

While VisualEditor is not the default editor for MediaWiki, its active development and future roadmap seem to indicate that it will be a preferred way to edit wiki pages for many editors. Any inputs and thoughts would be appreciated.

47.19.118.253 (talkcontribs)

Hi, did you ever find a solution for this?

I'm running the Lockdown extension on MediaWiki 1.24.1 with the latest build of VisualEditor and I'm running into the same behavior where I'm unable to edit protected namespaces using VisualEditor.

Any help would be greatly appreciated!

89.216.28.24 (talkcontribs)

I am having the same issue. Pages that are under a namespace which is locked by Lockdown can't be edited with VisualEditor. WikiEditor works just fine.

Monic abc (talkcontribs)

I have the same problem, but I use HaloACL extension. Is there any chance to fix this?

Andrew Garrett (WMF) (talkcontribs)
89.216.28.24 (talkcontribs)

Enabled cookies, still can't get VisualEditor to work on protected pages with Lockdown.

I created a new group called testgroup with a tool AccessControlPanel (frontend to Lockdown) and visited the page testgroup:Main_page in a browser where I was logged in (Firefox) and in another browser (Chrome). In first browser, I saw the edit button to edit the page in VisualEditor and then I got error (js alert dialog) "novenamespace: VisualEditor is not enabled in namespace 138" and after a reload, the VisualEditor Tab button disappeared.

In Chrome the page was restricted and I needed to log in to be able to see it, as expected.

If I manually create a namespace and if I restrict the namespace (read) to a user group in LocalSettings.php, every page created in that namespace can't be edited with VisualEditor. Only with WikiEditor.

Any other page that isn't restricted with Lockdown can be edited with VisualEditor.

163.244.62.183 (talkcontribs)

BUMP

I have this identical issue using MW 1.25, parsoid 0.3.0 and the latest drops of Visual Editor and Lockdown.

Did anyone reach a solution for this?

Gino3008 (talkcontribs)

Hello everyone.

We just have the SAME issue with Visual Editor and Lockdown.

Did anyone find a solution ??

Is this an inevitable problem with lockdown ?

We've been looking for a solution all day and nothing's working.

We've tried every solution posted on the internet and .. no.

Please is there a god on this earth able to help us ??

Thank you

HermannSchwärzler (talkcontribs)

Hi everybody,

I think the problem is solved in newer Versions of MW and VE, as in my Installation of

MediaWiki 1.27.0-wmf.11 and

VisualEditor 0.1.0 (a6e24f4) 00:37, 1 February 2016

with VisualEditor enabled for the "Project" namespace, which is write-protected by Extension:Lockdown, I am able to successfully edit those protected pages with VE. I have a Parsoid server running on a private backend network and I am doing cookie forwarding.

The Parsoid-server is a git clone from the beginning of February 2016.

Greetings

Hermann

Dieudo (talkcontribs)

Hi,

Encouraged by Hermann's example, I tried with the latest nightly (2016.02.24) builds of every bit of software involved, but I still get this message:

Erreur lors du chargement des données du serveur : 500: parsoidserver-http: HTTP 500. Voulez-vous réessayer ?

Thanks for any help.

HermannSchwärzler (talkcontribs)

Hi @Dieudo,

this looks like a configuration-error or something. Your parsoid-server had some kind of problem and answered with HTTP code 500 ("Internal Server Error").

How do you start parsoid?

And what do you see it output when you run it with

parsoidConfig.debug = true;

in your localsettings.js?

Greetings

Hermann

Dieudo (talkcontribs)

Actually it looks like there's a problem with my lockdown configuration alone. I'll have to check that first. Thx for your help Hermann : )

Dieudo (talkcontribs)

The error I get now is :

 Fatal error: Call to a member function getId() on a non-object in .../extensions/Lockdown/Lockdown.php on line 163
HermannSchwärzler (talkcontribs)

Sorry, I forgot to mention that. There seems to be a bug in Lockdown in combination with MW 1.27 - see https://phabricator.wikimedia.org/T127456

Just add this code before line 162:

 if ( !$wgUser ) {
        return true;
 }
Dieudo (talkcontribs)

Thank you Hermann !

This does the trick : )

However, it does so only when including this line in LocalSettings.php:

$wgGroupPermissions['*']['read'] = false;

I wonder what to do to be able to use both Lockdown and VisualEditor on a wiki not private.

Any idea ?

Textform (talkcontribs)

My solution was not to load Lockdown if the request comes from the localhost. In another configuration I had to take the non-local IP address of the server:

if ( $_SERVER['REMOTE_ADDR'] != '127.0.0.1' ) {
require_once( "extensions/Lockdown/Lockdown.php" );
}

Additionally, the namespaces had to be activated for VE with $wgVisualEditorAvailableNamespaces:

$wgVisualEditorAvailableNamespaces = array( 
NS_MAIN     => true,
NS_USER     => true,
NS_HELP     => true,
NS_PROJECT  => true,
NS_MYCUSTOMNAMESPACE  => true,
);

And read and edit permissions had to be given globally if request came from localhost

if ( $_SERVER['REMOTE_ADDR'] == '127.0.0.1' ) {
$wgGroupPermissions['*']['read'] = true;
$wgGroupPermissions['*']['edit'] = true;
}
217.6.132.212 (talkcontribs)

Hi, I have the same problem here.

Where do you put the if statements? In LocalSettings.php?

Kghbln (talkcontribs)

Yes, "LocalSettings.php"

109.199.10.165 (talkcontribs)

Hi guys,

I'm dealing with the same issue. If Lockdown is enabled, then VE refuses to save *any* page, displaying the message "Permission denied". If I disable Lockdown by commenting out this section:

if ( $_SERVER['REMOTE_ADDR'] != '127.0.0.1' AND $_SERVER['REMOTE_ADDR'] != '::1' ) {

require_once "extensions/Lockdown/Lockdown.php";

}

Then VE works as hell.

I'm using the latest stable mediawiki, parsoid, Lockdown and VE.

My LocalSettings includes also:

$wgVisualEditorAvailableNamespaces = array(

NS_MAIN     => true,

NS_USER     => true,

NS_HELP     => true,

NS_PROJECT  => true,

NS_RESTRICTED => true

);

if ( $_SERVER['REMOTE_ADDR'] == '127.0.0.1' OR $_SERVER['REMOTE_ADDR'] == '::1' ) {

$wgGroupPermissions['*']['read'] = true;

$wgGroupPermissions['*']['edit'] = true;

} else {

# The following permissions were set based on your choice in the installer

$wgGroupPermissions['*']['createaccount'] = false;

$wgGroupPermissions['*']['edit'] = false;

}

Do you have any idea how this issue can be fixed?

Thanks in advance.

Maciej

Marco.malavolti (talkcontribs)

Mediawiki: v1.32.1

NodeJS: v10.15.3

Distribution: Debian GNU/Linux 9.8 (stretch)


Parsoid + VisualEditor + Lockdown (with SSL):

1) sudo apt install xz-utils

2) sudo wget https://nodejs.org/dist/v10.15.3/node-v10.15.3-linux-x64.tar.xz -O /usr/local/src/nodejs-10.15.3.tar.xz

3) sudo tar xf /usr/local/src/nodejs-10.15.3.tar.xz -C /usr/local/ --strip-components 1

4) sudo npm install -g parsoid

5) sudo vim /usr/local/lib/node_modules/parsoid/config.yaml

------ START config.yaml -------

services:

  - module: lib/index.js

    entrypoint: apiServiceWorker

    conf:

        mwApis:

        - uri: 'http://{{ fqdn }}/{{ mw_wiki_dir_name }}/api.php'

        # - uri: 'https://{{ fqdn }}/{{ mw_wiki_dir_name }}/api.php' # If you redirect all HTTP traffic to HTTPS

        # - uri: 'http://{{ other_fqdn }}/{{ mw_wiki_dir_name }}/api.php'

------ END config.yaml -------


6) sudo vim /etc/systemd/system/parsoid.service


----- START parsoid.service -----

[Unit]

Description=Mediawiki Parsoid web service on node.js

Documentation=http://www.mediawiki.org/wiki/Parsoid

Wants=local-fs.target network.target

After=local-fs.target network.target


[Install]

WantedBy=multi-user.target

[Service]

Type=simple

User=root

Group=root

WorkingDirectory=/usr/local/lib/node_modules/parsoid

ExecStart=/usr/local/bin/node /usr/local/lib/node_modules/parsoid/bin/server.js

KillMode=process

Restart=on-success

PrivateTmp=true

StandardOutput=syslog

----- END parsoid.service -----


7) sudo service parsoid start (this loads parsoid on port 8000)

8) sudo systemctl enable parsoid

9) sudo apt install stunnel

10) sudo vim /etc/stunnel/parsoid.conf


----- START parsoid.conf -----

cert = /etc/ssl/certs/{{ fqdn }}.crt

key = /etc/ssl/private/{{ fqdn }}.key

CAfile = /etc/ssl/certs/ca-certificates.crt


[parsoid]

accept  = 8143

connect = 8000

----- END parsoid.conf -----


11) sudo vim /etc/default/stunnel4

----- START stunnel4 -----

...

# Change to one to enable stunnel automatic startup

ENABLED=1

...

----- END stunnel4 -----


12) sudo service stunnel4 restart (now you can reach parsoid on 8143)

13) sudo vim .../w/LocalSettings.php

----- START LocalSettings.php -----

...

// NEW Namespaces

define("NS_NEW_1", 3000);

define("NS_NEW_1_TALK", 3001);


$wgExtraNamespaces[NS_NEW_1]                  = "NEW1";

$wgExtraNamespaces[NS_NEW_1_TALK]       = "NEW1_talk";          # Note underscores in the namespace name.

$wgNamespaceProtection[NS_NEW_1]            = array( 'edit-new1' );      # "edit-new1" required to edit NEW1:pages

$wgNamespaceProtection[NS_NEW_1_TALK] = array( 'edit-new1-talk' ); # "edit-new1-talk" required to edit NEW1_talk:pages

$wgNamespacesWithSubpages[NS_NEW_1]  = true;        # subpages enabled for the NEW1 namespace

$wgGroupPermissions['new1']['edit-new1']           = true;     # permission "edit-new1" granted to users in the "new1" group

$wgGroupPermissions['new1']['edit-new1-talk']    = true;     # permission "edit-new1-talk" granted to users in the "new1" group

$wgContentNamespaces[]                            = NS_NEW_1; #prevent inclusion of pages from that namespace

$wgNonincludableNamespaces[]                 = NS_NEW_1;

$wgNonincludableNamespaces[]                 = NS_NEW_1_TALK;


wfLoadExtension( 'Lockdown' );

#restrict all permissions on pages with namespace "NEW" to users belonging to 'new1' group

$wgNamespacePermissionLockdown[NS_NEW_1]['*'] = array('new1');

$wgNamespacePermissionLockdown[NS_NEW_1_TALK]['*'] = array('new1');


wfLoadExtension( 'VisualEditor' );


// Enable by default for everybody

$wgDefaultUserOptions['visualeditor-enable'] = 1;


// Don't allow users to disable it

$wgHiddenPrefs[] = 'visualeditor-enable';


$wgVirtualRestConfig['modules']['parsoid'] = array(

    // URL to the Parsoid instance

    // Use port 8142 if you use the Debian package

    'url' => 'https://{{ fqdn }}:8143',

    'forwardCookies' => true,

);


$wgVisualEditorAvailableNamespaces = [

    NS_MAIN => true,

    NS_USER => true,

    NS_HELP => true,

    NS_NEW_1 => true,

];

...

----- END LocalSettings.php -----


Parsoid + VisualEditor (without SSL):

1) sudo apt install xz-utils

2) sudo wget https://nodejs.org/dist/v10.15.3/node-v10.15.3-linux-x64.tar.xz -O /usr/local/src/nodejs-10.15.3.tar.xz

3) sudo tar xf /usr/local/src/nodejs-10.15.3.tar.xz -C /usr/local/ --strip-components 1

4) sudo npm install -g parsoid

5) sudo vim /usr/local/lib/node_modules/parsoid/config.yaml

------ START config.yaml -------

services:

  - module: lib/index.js

    entrypoint: apiServiceWorker

    conf:

        mwApis:

        - uri: 'http://{{ fqdn }}/{{ mw_wiki_dir_name }}/api.php'

        # - uri: 'https://{{ fqdn }}/{{ mw_wiki_dir_name }}/api.php' # If you redirect all HTTP traffic to HTTPS

        # - uri: 'http://{{ other_fqdn }}/{{ mw_wiki_dir_name }}/api.php'

------ END config.yaml -------


6) sudo vim /etc/systemd/system/parsoid.service


----- START parsoid.service -----

[Unit]

Description=Mediawiki Parsoid web service on node.js

Documentation=http://www.mediawiki.org/wiki/Parsoid

Wants=local-fs.target network.target

After=local-fs.target network.target


[Install]

WantedBy=multi-user.target

[Service]

Type=simple

User=root

Group=root

WorkingDirectory=/usr/local/lib/node_modules/parsoid

ExecStart=/usr/local/bin/node /usr/local/lib/node_modules/parsoid/bin/server.js

KillMode=process

Restart=on-success

PrivateTmp=true

StandardOutput=syslog

----- END parsoid.service -----


7) sudo service parsoid start (this loads parsoid on port 8000)

8) sudo systemctl enable parsoid

9) sudo apt install stunnel

10) sudo vim .../w/LocalSettings.php


----- START LocalSettings.php -----

...

// NEW Namespaces

define("NS_NEW_1", 3000);

define("NS_NEW_1_TALK", 3001);


$wgExtraNamespaces[NS_NEW_1]                  = "NEW1";

$wgExtraNamespaces[NS_NEW_1_TALK]       = "NEW1_talk";          # Note underscores in the namespace name.

$wgNamespaceProtection[NS_NEW_1]            = array( 'edit-new1' );      # "edit-new1" required to edit NEW1:pages

$wgNamespaceProtection[NS_NEW_1_TALK] = array( 'edit-new1-talk' ); # "edit-new1-talk" required to edit NEW1_talk:pages

$wgNamespacesWithSubpages[NS_NEW_1]  = true;        # subpages enabled for the NEW1 namespace

$wgGroupPermissions['new1']['edit-new1']           = true;      # permission "edit-new1" granted to users in the "new1" group

$wgGroupPermissions['new1']['edit-new1-talk']    = true;      # permission "edit-new1-talk" granted to users in the "new1" group

$wgContentNamespaces[]                            = NS_NEW_1; #prevent inclusion of pages from that namespace

$wgNonincludableNamespaces[]                 = NS_NEW_1;

$wgNonincludableNamespaces[]                 = NS_NEW_1_TALK;


wfLoadExtension( 'Lockdown' );

#restrict all permissions on pages with namespace "NEW" to users belonging to 'new1' group

$wgNamespacePermissionLockdown[NS_NEW_1]['*'] = array('new1');

$wgNamespacePermissionLockdown[NS_NEW_1_TALK]['*'] = array('new1');


wfLoadExtension( 'VisualEditor' );


// Enable by default for everybody

$wgDefaultUserOptions['visualeditor-enable'] = 1;


// Don't allow users to disable it

$wgHiddenPrefs[] = 'visualeditor-enable';


$wgVirtualRestConfig['modules']['parsoid'] = array(

    // URL to the Parsoid instance

    // Use port 8142 if you use the Debian package

    'url' => 'http://127.0.0.1:8000',

    'forwardCookies' => true,

);


$wgVisualEditorAvailableNamespaces = [

    NS_MAIN => true,

    NS_USER => true,

    NS_HELP => true,

    NS_NEW_1 => true,

];

Valerio Bozzolan (talkcontribs)
Reply to "Lockdown and VisualEditor - can't edit protected pages"
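
A simplified model of the two approaches in this thread, added here as an illustration (it is not MediaWiki, Lockdown or any poster's code): skipping Lockdown when REMOTE_ADDR is loopback, versus keeping Lockdown loaded and relying on 'forwardCookies'. The session table, addresses and request labels are constructed, and the same-host reverse proxy is an assumed deployment.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

LOOPBACK = frozenset({"127.0.0.1", "::1"})

# Groups allowed in the locked namespace, as in
# $wgNamespacePermissionLockdown[NS_NEW_1]['*'] = array('new1');
LOCKED_NS_GROUPS: FrozenSet[str] = frozenset({"new1"})

# Constructed session table: cookie value -> groups of the logged-in user.
SESSIONS = {
    "cookie-alice": frozenset({"user", "new1"}),  # member of the locked group
    "cookie-bob": frozenset({"user"}),            # logged in, not a member
}


@dataclass(frozen=True)
class Request:
    label: str
    remote_addr: str
    cookie: Optional[str] = None


def groups_for(cookie: Optional[str]) -> FrozenSet[str]:
    """A missing or unknown cookie leaves only the anonymous '*' group."""
    return frozenset({"*"}) | SESSIONS.get(cookie, frozenset())


def member_of_locked_group(req: Request) -> bool:
    return bool(groups_for(req.cookie) & LOCKED_NS_GROUPS)


def allowed_with_loopback_bypass(req: Request) -> bool:
    """Workaround: Lockdown is not loaded for loopback callers and '*' may read and edit."""
    if req.remote_addr in LOOPBACK:
        return True  # the session is never consulted on this path
    return member_of_locked_group(req)


def allowed_with_cookie_forwarding(req: Request) -> bool:
    """Lockdown always loaded: only the session the request carries counts."""
    return member_of_locked_group(req)


# Constructed requests. 203.0.113.0/24 is a documentation address range.
REQUESTS = [
    Request("alice, browser", "203.0.113.10", "cookie-alice"),
    Request("bob, browser", "203.0.113.11", "cookie-bob"),
    Request("Parsoid callback, alice's cookie forwarded", "127.0.0.1", "cookie-alice"),
    Request("Parsoid callback, no cookie forwarded", "127.0.0.1"),
    Request("loopback request with bob's cookie", "::1", "cookie-bob"),
    # Assumed deployment: a reverse proxy on the wiki host relays the visitor,
    # so PHP sees the proxy's loopback address instead of the visitor's.
    Request("anonymous visitor behind same-host proxy", "127.0.0.1"),
]


def compare(requests) -> List[Tuple[str, bool, bool]]:
    """(label, allowed under bypass, allowed under cookie forwarding) per request."""
    return [
        (r.label, allowed_with_loopback_bypass(r), allowed_with_cookie_forwarding(r))
        for r in requests
    ]


def granted_without_membership(requests) -> List[str]:
    """Requests the bypass lets into the locked namespace without group membership."""
    return [label for label, bypass, forwarded in compare(requests)
            if bypass and not forwarded]


if __name__ == "__main__":
    print(f"{'request':<45} {'bypass':<8} forwarding")
    for label, bypass, forwarded in compare(REQUESTS):
        print(f"{label:<45} {str(bypass):<8} {forwarded}")
```

The "Parsoid callback, no cookie forwarded" row is the case that fails when Lockdown stays loaded; the bypass makes it succeed only by also admitting every other loopback request.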

PSA: Lockdown + SemanticACL + SimpleBatchUpload = Private Content in MW

Revansx (talkcontribs)

This is just a PSA for those wanting a way of providing a protected namespace for private content that is also able to automatically protect files uploaded from a page in that namespace. The goal on my site was to give management a place to upload sensitive management files that are not available to non-management users. Here's how I did it:

  1. Create a custom namespace called "Management"
  2. Create a custom rights group called "management"
  3. Use "Extension:Lockdown" to protect the "Management" namespace for users in the "management" rights group
  4. Use "Extension:SimpleBatchUpload" in a page in the Management namespace to provide the methods of uploading files with a template of {{Upload|viewonlyby=management}}
  5. Modify Template:Upload to test (#ifeq) for property {{{viewonlyby|}}} in {{Uploads}},
    • if so, then add [[Visible to group::management]] to all files uploaded with that template where |viewonlyby=management.
  6. Use Extension:Semantic_ACL to limit access to the file by group management per the presence of [[Visible to group::management]].
In summary: Custom Namespace + Lockdown + SimpleBatchUpload + SemanticACL produces the overall effect.

Within the security limitations noted by MW, this method provides a very nice way of allowing management to add content that is not visible to non-management users.. a very handy thing for an enterprise site!

Revansx (talkcontribs)

The wikitext {{#batchupload:Upload|viewonlyby=management}} will create an upload button in a page that will automatically protect any files uploaded by it as long as Template:Upload contains

{{#ifeq:{{{viewonlyby|}}}|management
| [[Visible to group::management]]
|
}}
Reply to "PSA: Lockdown + SemanticACL + SimpleBatchUpload = Private Content in MW"

Restrict createpage-right in Project-Namespace

Finswimmer (talkcontribs)

Hello, what's the right way to restrict the right to create a page in the Project namespace (NS_PROJECT) to a certain group, but allow all others to edit them?

I tried this:

$wgGroupPermissions['*']['edit'] = true;
$wgNamespacePermissionLockdown[NS_PROJECT]['createpage'] = array('sysop');

But it won't work. Still every logged-in user can create pages in the project namespace.

76.68.137.45 (talkcontribs)

Did you ever get this to work?

Kghbln (talkcontribs)

Hmm... , I do not think this can be done since action "edit" includes action "createpage" (some sort of "rights inheritance"). However, I may still be proven wrong.

Halungg (talkcontribs)

I found a way using the Extension AbuseFilter with the following Filter and the "disallow" action:


(page_namespace = 0) &

(old_wikitext == "") &

!( 'sysop' in user_rights ) & !contains_any(added_lines, "redirect")


It is certainly not perfect and notifies the user only after hitting "save", but it works.

Rbirmann (talkcontribs)

I am trying to do something similar and indeed it does not seem to work. I want only members of a certain group to be able to create pages on the main namespace, but allow everyone else to edit those pages once they exist.

Here is what I tried:

$wgGroupPermissions['user']['createpage'] = true;
$wgGroupPermissions['creator']['createpage'] = true;
$wgNamespacePermissionLockdown['*']['createpage'] = array('user');
$wgNamespacePermissionLockdown[NS_MAIN]['createpage'] = array('creator');

But it does not work. All users can still create pages on the Main Namespace, even if they are not members of the 'creator' group.

Too bad....

Reply to "Restrict createpage-right in Project-Namespace"

Looking for a working example of lockdown working with parsoid cookie forwarding?

Calebgcooper (talkcontribs)

Hi All,

We have been running mediawiki for about 10 years and at some point started to notice issues with lockdown and visual editor for which there are many discussion pages and bugs for example: https://phabricator.wikimedia.org/T148582#4412138 https://phabricator.wikimedia.org/T148582


As our wiki is readable by all users but only editable by logged-in users, we hit the known issues. For several years now we have been applying a workaround not to load Lockdown for localhost, 127.0.0.1 and local server IP. Without this workaround protected namespaces cannot be edited. Workaround is similar to:

if ( !isset( $_SERVER['REMOTE_ADDR'] ) OR $_SERVER['REMOTE_ADDR'] == '127.0.0.1' ) {
        $wgGroupPermissions['*']['read'] = true;
        $wgGroupPermissions['*']['edit'] = true;
} else {
        wfLoadExtension("Lockdown");

        $wgGroupPermissions['*']['read'] = true;
        $wgGroupPermissions['*']['edit'] = false;
        $wgGroupPermissions['user']['read'] = true;
        $wgGroupPermissions['user']['edit'] = true;

        $wgNamespacePermissionLockdown[NS_L2]['*'] = [ 'tech-L2', 'tech-L3' ];
        $wgNamespacePermissionLockdown[NS_L3]['*'] = [ 'tech-L3' ];
}

However we have recently noticed that this intermittently breaks switching between visualeditor and source editor.


I started reading through all the aforementioned bugs, plus not a few more, and realised that this workaround should no longer be necessary; however, I can't get cookie forwarding to work for Parsoid JS, Restbase and VisualEditor in 1.34. Is there any chance anyone has a sample working config they are willing to share (restbase, parsoid and localsettings)?


In particular I am interested to know if there are any flags that need to be added to restbase or parsoid config for cookie forwarding?


I have enabled (as well as the standard config) the following in LocalSettings:


$wgVirtualRestConfig['modules']['parsoid']['forwardCookies'] = true;
$wgVirtualRestConfig['modules']['global']['forwardCookies'] = true;
$wgVirtualRestConfig['modules']['restbase']['forwardCookies'] = true;
$wgVisualEditorParsoidForwardCookies = true;


Are there any other flags I need to set in restbase, parsoid or LocalSettings, currently the only configuration I have relevant to cookie forwarding is in LocalSettings.php?

In our examples we can't edit the L2 and L3 namespaces. Minimum configs I could reproduce on are below if anyone is feeling helpful.

Thanks in advance,

Caleb

Error in parsoid logs  
{"name":"parsoid","hostname":"testwiki.wiki.internal","pid":1173,"level":60,"logType":"fatal/request","wiki":"wiki$0","title":"L2:Test","oldId":null,"reqId":"8b724680-f202-11ea-ae20-13b87b0d14d7","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36","msg":"API response Error for TemplateRequest: request=; error={\"code\":\"accessdenied\",\"info\":\"You are not allowed to view L2:Test.\",\"*\":\"See http://testwiki.wiki.internal/api.php for API usage. Subscribe to the mediawiki-api-announce mailing list at <https://lists.wikimedia.org/mailman/listinfo/mediawiki-api-announce> for notice of API deprecations and breaking changes.\"}","stack":"Error: API response Error for TemplateRequest: request=; error={\"code\":\"accessdenied\",\"info\":\"You are not allowed to view L2:Test.\",\"*\":\"See http://testwiki.wiki.internal/api.php for API usage. Subscribe to the mediawiki-api-announce mailing list at <https://lists.wikimedia.org/mailman/listinfo/mediawiki-api-announce> for notice of API deprecations and breaking changes.\"}\n    at TemplateRequest.ApiRequest._errorObj (/var/lib/parsoid/lib/mw/ApiRequest.js:342:9)\n    at TemplateRequest._handleJSON (/var/lib/parsoid/lib/mw/ApiRequest.js:554:16)\n    at TemplateRequest.ApiRequest._logWarningsAndHandleJSON (/var/lib/parsoid/lib/mw/ApiRequest.js:447:7)\n    at TemplateRequest.ApiRequest._handleBody (/var/lib/parsoid/lib/mw/ApiRequest.js:483:7)\n    at TemplateRequest.ApiRequest._requestCB (/var/lib/parsoid/lib/mw/ApiRequest.js:420:8)\n    at Request._callback (/var/lib/parsoid/lib/mw/ApiRequest.js:332:35)\n    at Request.self.callback (/var/lib/parsoid/node_modules/request/request.js:185:22)\n    at Request.emit (events.js:315:20)\n    at Request.<anonymous> (/var/lib/parsoid/node_modules/request/request.js:1154:10)\n    at Request.emit (events.js:315:20)\n    at IncomingMessage.<anonymous> (/var/lib/parsoid/node_modules/request/request.js:1076:12)\n 
   at Object.onceWrapper (events.js:421:28)\n    at IncomingMessage.emit (events.js:327:22)\n    at endReadableNT (_stream_readable.js:1220:12)\n    at processTicksAndRejections (internal/process/task_queues.js:84:21)","longMsg":"API response Error for TemplateRequest: request=; error={\"code\":\"accessdenied\",\"info\":\"You are not allowed to view L2:Test.\",\"*\":\"See http://testwiki.wiki.internal/api.php for API usage. Subscribe to the mediawiki-api-announce mailing list at <https://lists.wikimedia.org/mailman/listinfo/mediawiki-api-announce> for notice of API deprecations and breaking changes.\"}","levelPath":"fatal/request","time":"2020-09-08T18:38:53.628Z","v":0}


Chrome console log showing 500 error  
load.php?lang=en&modules=jquery&skin=vector&version=1xgm5:141 JQMIGRATE: Migrate is installed with logging active, version 3.0.1
VM1016:150 This page is using the deprecated ResourceLoader module "jquery.tabIndex".
(anonymous) @ VM1016:150
runScript @ load.php?lang=en&modules=startup&only=scripts&raw=1&skin=vector:13
execute @ load.php?lang=en&modules=startup&only=scripts&raw=1&skin=vector:15
doPropagation @ load.php?lang=en&modules=startup&only=scripts&raw=1&skin=vector:7
requestIdleCallback (async)
requestPropagation @ load.php?lang=en&modules=startup&only=scripts&raw=1&skin=vector:8
setAndPropagate @ load.php?lang=en&modules=startup&only=scripts&raw=1&skin=vector:8
implement @ load.php?lang=en&modules=startup&only=scripts&raw=1&skin=vector:20
(anonymous) @ load.php?lang=en&modules=jquery&skin=vector&version=1xgm5:1
load.php?lang=en&modules=jquery&skin=vector&version=1xgm5:130 GET http://testwiki.wiki.internal/testwiki.wiki.internal/v1/page/html/L2%3ATest?redirect=false&stash=true 500
send @ load.php?lang=en&modules=jquery&skin=vector&version=1xgm5:130
ajax @ load.php?lang=en&modules=jquery&skin=vector&version=1xgm5:125
jQuery.ajax @ load.php?lang=en&modules=jquery&skin=vector&version=1xgm5:144
requestParsoidData @ VM1016:148
requestPageData @ VM1016:145
(anonymous) @ VM1016:125
mightThrow @ load.php?lang=en&modules=jquery&skin=vector&version=1xgm5:48
process @ load.php?lang=en&modules=jquery&skin=vector&version=1xgm5:49
setTimeout (async)
(anonymous) @ load.php?lang=en&modules=jquery&skin=vector&version=1xgm5:49
fire @ load.php?lang=en&modules=jquery&skin=vector&version=1xgm5:45
add @ load.php?lang=en&modules=jquery&skin=vector&version=1xgm5:46
(anonymous) @ load.php?lang=en&modules=jquery&skin=vector&version=1xgm5:50
jQuery.Deferred @ load.php?lang=en&modules=jquery&skin=vector&version=1xgm5:152
then @ load.php?lang=en&modules=jquery&skin=vector&version=1xgm5:49
activateTarget @ VM1016:125
activatePageTarget @ VM1016:127
activateVe @ VM1016:135
onEditTabClick @ VM1016:134
dispatch @ load.php?lang=en&modules=jquery&skin=vector&version=1xgm5:69
elemData.handle @ load.php?lang=en&modules=jquery&skin=vector&version=1xgm5:65
VM1016:148 RESTBase load failed: error
(anonymous) @ VM1016:148
mightThrow @ load.php?lang=en&modules=jquery&skin=vector&version=1xgm5:48
process @ load.php?lang=en&modules=jquery&skin=vector&version=1xgm5:49
setTimeout (async)
(anonymous) @ load.php?lang=en&modules=jquery&skin=vector&version=1xgm5:49
fire @ load.php?lang=en&modules=jquery&skin=vector&version=1xgm5:45
fireWith @ load.php?lang=en&modules=jquery&skin=vector&version=1xgm5:47
fire @ load.php?lang=en&modules=jquery&skin=vector&version=1xgm5:47
fire @ load.php?lang=en&modules=jquery&skin=vector&version=1xgm5:45
fireWith @ load.php?lang=en&modules=jquery&skin=vector&version=1xgm5:47
done @ load.php?lang=en&modules=jquery&skin=vector&version=1xgm5:126
(anonymous) @ load.php?lang=en&modules=jquery&skin=vector&version=1xgm5:130
load (async)
send @ load.php?lang=en&modules=jquery&skin=vector&version=1xgm5:130
ajax @ load.php?lang=en&modules=jquery&skin=vector&version=1xgm5:125
jQuery.ajax @ load.php?lang=en&modules=jquery&skin=vector&version=1xgm5:144
requestParsoidData @ VM1016:148
requestPageData @ VM1016:145
(anonymous) @ VM1016:125
mightThrow @ load.php?lang=en&modules=jquery&skin=vector&version=1xgm5:48
process @ load.php?lang=en&modules=jquery&skin=vector&version=1xgm5:49
setTimeout (async)
(anonymous) @ load.php?lang=en&modules=jquery&skin=vector&version=1xgm5:49
fire @ load.php?lang=en&modules=jquery&skin=vector&version=1xgm5:45
add @ load.php?lang=en&modules=jquery&skin=vector&version=1xgm5:46
(anonymous) @ load.php?lang=en&modules=jquery&skin=vector&version=1xgm5:50
jQuery.Deferred @ load.php?lang=en&modules=jquery&skin=vector&version=1xgm5:152
then @ load.php?lang=en&modules=jquery&skin=vector&version=1xgm5:49
activateTarget @ VM1016:125
activatePageTarget @ VM1016:127
activateVe @ VM1016:135
onEditTabClick @ VM1016:134
dispatch @ load.php?lang=en&modules=jquery&skin=vector&version=1xgm5:69
elemData.handle @ load.php?lang=en&modules=jquery&skin=vector&version=1xgm5:65


LocalSettings.php  
<?php

######################################################################################################################################
#CORE
######################################################################################################################################


$wgSitename = "testwiki";
$wgSecretKey = "c5ded9cb55cc68669f706ad0fffbb9e7aba3e7b7f5664b2c7448259e274d9dd6";
$wgUpgradeKey = "11640ab816b1bb22";

#Short URLs and Search Config
$wgScriptPath = "";
$wgArticlePath = "/$1";
$wgUsePathInfo = true;
$wgScriptExtension = ".php";


$wgServer = "http://testwiki.wiki.internal";


$wgResourceBasePath = $wgScriptPath;


######################################################################################################################################
#DATABASE
######################################################################################################################################


$wgDBtype = "mysql";
$wgDBserver = "mariadb";
$wgDBname = "wikis";
$wgDBuser = "wikisql";
$wgDBpassword = "c493905d0e184ffd23e4c53420dc9cb6d557892d";
$wgDBprefix = "";
$wgDBTableOptions = "ENGINE=InnoDB, DEFAULT CHARSET=binary";
$wgDBmysql5 = false;


######################################################################################################################################
#GENERAL
######################################################################################################################################

// Skin
wfLoadSkin( 'Vector' );
$wgDefaultSkin='vector';


######################################################################################################################################
#Additional Mediawiki User Groups: tech-*
######################################################################################################################################


###Tech/Engineering Groups (CREATE)
$wgGroupPermissions['tech-L2'] = $wgGroupPermissions['user'];
$wgGroupPermissions['tech-L3'] = $wgGroupPermissions['user'];


######################################################################################################################################
#Custom Namespaces
######################################################################################################################################


define('NS_L2' , 3002);
define('NS_L2_TALK' , 3003);
define('NS_L3' , 3004);
define('NS_L3_TALK' , 3005);


$wgExtraNamespaces[NS_L2] = 'L2';
$wgExtraNamespaces[NS_L2_TALK] = 'L2 Talk';
$wgExtraNamespaces[NS_L3] = 'L3';
$wgExtraNamespaces[NS_L3_TALK] = 'L3 Talk';

######################################################################################################################################
#Lockdown
######################################################################################################################################

wfLoadExtension("Lockdown");

$wgGroupPermissions['*']['read'] = true;
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['user']['read'] = true;
$wgGroupPermissions['user']['edit'] = true;

$wgNamespacePermissionLockdown[NS_L2]['*'] = [ 'tech-L2', 'tech-L3' ];
$wgNamespacePermissionLockdown[NS_L3]['*'] = [ 'tech-L3' ];


#####################################################################################################################################
#VisualEditor, Restbase and Parsoid
######################################################################################################################################


##Global Rest Config
  $wgVirtualRestConfig = [
    'modules' => [],
    'global' => [
      'domain' => 'testwiki.wiki.internal',
      'timeout' => 360,
      'forwardCookies' => true,
      'HTTPProxy' => null,
      ]
    ];


 # Rest config for Parsoid
 $wgVirtualRestConfig['modules']['parsoid'] = array(
  'url' => 'http://localhost:8142',
  'domain' => 'testwiki.wiki.internal',
  'forwardCookies' => true,
  'restbaseCompat' => false
  );


 ## Rest Config for Restbase
 $wgVirtualRestConfig['modules']['restbase'] = array(
  'url' => 'http://localhost:7231',
  'domain' => 'testwiki.wiki.internal',
  'forwardCookies' => true,
  'parsoidCompat' => false
 );


#VisualEditor
 wfLoadExtension('VisualEditor');
 $wgVisualEditorParsoidAutoConfig = false;
 $wgVisualEditorAllowLossySwitching = false;
 $wgVisualEditorFullRestbaseURL = 'http://testwiki.wiki.internal/testwiki.wiki.internal/';
 $wgVisualEditorRestbaseURL = 'http://localhost:7231/testwiki.wiki.internal/v1/page/html/';
 $wgVisualEditorParsoidForwardCookies = true;


 $wgDefaultUserOptions['visualeditor-editor'] = "visualeditor";
 $wgDefaultUserOptions['visualeditor-enable'] = 1;
 $wgDefaultUserOptions['visualeditor-newwikitext'] = 1;

 $wgVisualEditorAutoAccountEnable = true;
 $wgVisualEditorShowBetaWelcome = false;
 $wgVisualEditorEnableDiffPage = true;
 $wgVisualEditorEnableWikitext = true;

 $wgVisualEditorNamespaces = array_merge($wgContentNamespaces, array( NS_TALK, NS_USER, NS_USER_TALK, NS_L2, NS_L2_TALK, NS_L3, NS_L3_TALK) );
 $wgVisualEditorAvailableNamespaces = array_fill_keys($wgVisualEditorNamespaces, true);


config.yaml for restbase  
#
# Simple RESTBase config for Mediawiki Container
# https://www.mediawiki.org/wiki/RESTBase/Installation
#
# - cassandra DB
# - parsoid at http://localhost:8142
# - wiki at http://testwiki.wiki.internal/api.php
#
# - proxied via nginx, available via
# - http://hostname/api/rest_v1/
#
services:
  - name: restbase
    module: hyperswitch
    conf:
      port: 7231
      salt: 988881adc9fc3655077dc2d4d757d480b5ea0e11
      default_page_size: 125
      user_agent: RESTBase
      ui_name: RESTBase
      ui_url: https://www.mediawiki.org/wiki/RESTBase
      ui_title: RESTBase docs
      spec:
        x-request-filters:
          - path: lib/security_response_header_filter.js
          - path: lib/normalize_headers_filter.js
        x-sub-request-filters:
          - type: default
            name: http
            options:
              allow:
                - pattern: http://localhost/api.php
                  forward_headers: true
                - pattern: http://localhost:8142
                  forward_headers: true
                - pattern: http://testwiki.wiki.internal/api.php
                  forward_headers: true
                - pattern: http://testwiki.wiki.internal:8142
                  forward_headers: true

                - pattern: /^https?:\/\//
        paths:
          /{domain:testwiki.wiki.internal}/{api:v1}:
            x-modules:
              - spec:
                  info:
                    version: 1.0.0
                    title: Wikimedia REST API
                    description: Welcome to your RESTBase API.
                  x-route-filters:
                    - path: ./lib/normalize_title_filter.js
                      options:
                        redirect_cache_control: 's-maxage=0, max-age=86400'
                  paths:
                    /page:
                      x-modules:
                        - path: v1/content.yaml
                          options:
                            response_cache_control: 's-maxage=0, max-age=86400'
                        - path: v1/common_schemas.yaml # Doesn't really matter where to mount it.
                    /transform:
                      x-modules:
                        - path: v1/transform.yaml
                    /media:
                      x-modules:
                        #- path: v1/mathoid.yaml
                        #  options:
                        #    host: http://localhost:10042

          /{domain:testwiki.wiki.internal}/{api:sys}:
            x-modules:
              - path: projects/proxy.yaml
                options:
                  backend_host_template: '{{"/{domain}/sys/legacy"}}'
              - spec:
                  paths:
                    /table:
                      x-modules:
                        - path: sys/table.js
                          options:
                            conf:
                              version: 1
                              backend: cassandra
                              hosts:
                                - cassandradb
                              pool_idle_timeout: 20000
                              retry_delay: 250
                              retry_limit: 10
                              show_sql: false
                              keyspace: system
                              defaultConsistency: localOne
                              localDc: datacenter1
                              datacenters:
                                - datacenter1
                              storage_groups:
                                - name: local
                                  domains: /./
                    /legacy/key_value:
                      x-modules:
                        - path: sys/key_value.js
                    /legacy/page_revisions:
                      x-modules:
                        - path: sys/page_revisions.js
                    /post_data:
                      x-modules:
                        - path: sys/post_data.js
                    /action:
                      x-modules:
                        - path: sys/action.js
                          options:
                            apiUriTemplate: "{{'http://localhost/api.php'}}"
                            baseUriTemplate: "{{'http://localhost:7231/{domain}/v1'}}"
                    /page_save:
                      x-modules:
                        - path: sys/page_save.js
                    /events:
                      x-modules:
                        - path: sys/events.js
                    /parsoid:
                      x-modules:
                        - path: sys/parsoid.js
                          options:
                            parsoidHost: http://localhost:8142
                            grace_ttl: 1000000
                    #/mathoid:
                    #  x-modules:
                    #    - path: sys/mathoid.js
                    #      options:
                    #        host: http://localhost:10042

# Finally, a standard service-runner config.
info:
  name: restbase

logging:
  name: restbase
  level: warn
  streams:
    - type: stdout


num_workers: 0


config.yaml for parsoid  
worker_heartbeat_timeout: 300000
num_workers: 2

logging:
    name: parsoid
    level: warn

services:
  - module: lib/index.js
    entrypoint: apiServiceWorker
    conf:
        mwApis:
        - uri: 'http://localhost/api.php'
          domain: 'testwiki.wiki.internal'
        serverPort: 8142


nginx config  
# nginx http config for Mediawiki server
#
# this config-file is updated during container-startup
# 'testwiki.wiki.internal' is replaced globally with the FQDN of the Wiki
#


##############################
### UPSTREAMS
##############################

# restbase
upstream restbase {
  server 127.0.0.1:7231;
  keepalive 32;
}
map $request_uri $restbasequeryapi {
  default "xx";
  "~/api/rest_v1/(?<xrestbasequery>.*)$" "$xrestbasequery";
}
map $request_uri $restbasequerylegacy {
  default "xx";
  "~/testwiki.wiki.internal/v1/(?<xrestbasequery>.*)$" "$xrestbasequery";
}
map $request_uri $imageDownloadAttachment {
  default "";
  "~/images/.*(\?|&)download(=|&).*$" "attachment";
}


##############################
### MAIN HTTP SERVER
##############################

server {

  ##############################
  ### HTTP Globals
  ##############################

  server_name _;
  listen 80;
  root /var/lib/mediawiki;
  client_max_body_size 100m;
  fastcgi_connect_timeout 10s;

  set $no_cache "0";

  ##############################
  ### Proxy Restbase, Mathoid
  ##############################

  location /api/rest_v1/ {
    proxy_max_temp_file_size 0;
    proxy_buffer_size 64k;
    proxy_buffers 4 64k;
    proxy_http_version 1.1;
    proxy_pass http://restbase/testwiki.wiki.internal/v1/$restbasequeryapi;
    set $no_cache "1";
  }

  location /testwiki.wiki.internal/v1/ {
    proxy_max_temp_file_size 0;
    proxy_buffer_size 64k;
    proxy_buffers 4 64k;
    proxy_http_version 1.1;
    proxy_pass http://restbase/testwiki.wiki.internal/v1/$restbasequerylegacy;
    set $no_cache "1";
  }

  location /api/mathoid/ {
    proxy_max_temp_file_size 0;
    proxy_buffer_size 64k;
    proxy_buffers 4 64k;
    proxy_http_version 1.1;
    proxy_pass http://127.0.0.1:10042/;
    set $no_cache "1";
  }

 location /rest.php/ {
    proxy_max_temp_file_size 0;
    proxy_buffer_size 64k;
    proxy_buffers 4 64k;
    proxy_http_version 1.1;
    try_files $uri $uri/ /rest.php?$query_string;
    set $no_cache "1";
 }

 # Bypass cache if flag is set
 fastcgi_no_cache $no_cache;
 fastcgi_cache_bypass $no_cache;
 proxy_cache_bypass $no_cache;
 proxy_no_cache $no_cache;

  ##############################
  ### General Requests
  ##############################

  location ~ \.htaccess { deny all; }
  location ^~ /install-mw.sh { return 403; }
  location ^~ /update-mw.sh { return 403; }
  location ^~ /runjobs-mw.sh { return 403; }
  location ^~ /bootstrap/1_env.php { return 403; }

  location ^~ /bootstrap.php {
    # extended php-timeout ( e.g. for update.php )
    fastcgi_read_timeout 200s;
    fastcgi_send_timeout 200s;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass unix:/run/php-fpm.sock;
    include fastcgi_params;
  }

  location /images {
    # enable CORS access to this dir from other origins
    add_header Access-Control-Allow-Origin "*";
    add_header Access-Control-Expose-Headers "Age,Date,X-Cache,X-Varnish";

    # allow downloads via Media Viewer
    add_header Content-Disposition $imageDownloadAttachment;

    # the hosting root-dir is updated/set during container startup
    root /wiki-shared/testwiki/storage;

    # set the 'Expires' header for 90days of image-caching to reverse-proxies
    # proxies often have their own expiry-lifetime for hot/cold cache items
    expires 90d;
  }

  location / {
    try_files $uri @rewrite;
  }

  location ^~ /mw-config/ {
    internal;
  }

  location @rewrite {
    rewrite ^/(.*)$ /index.php;
  }

  location ^~ /maintenance/ {
    internal;
  }

  location = /_.gif {
    expires max;
    empty_gif;
  }

  location ^~ /cache/ {
    internal;
  }

  ##############################
  ### PHP Config
  ##############################

  location ~ ^/system/nginxping$ {
    access_log off;
    return 200 'pong :-)';
  }

  location ~ ^/system/phpstatus {
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass unix:/run/php-fpm.sock;
    include fastcgi_params;
    fastcgi_index index.php;
  }

  location ~ \.php$ {
    fastcgi_pass unix:/run/php-fpm.sock;
    fastcgi_split_path_info ^(.+\.php)(/.*)$;
    include fastcgi_params;
    fastcgi_param PATH_TRANSLATED $document_root$fastcgi_script_name;
    fastcgi_param HTTPS off;
    fastcgi_index index.php;
  }

}

Calebgcooper (talkcontribs)

Since writing, I've tested in versions 1.31, 1.32, 1.33, 1.34 and 1.35 of MediaWiki. All versions have the same issue, except when using the Parsoid PHP implementation in 1.35; in the latter case there is no longer a need for the workaround of not loading Lockdown when the request comes from localhost.


But unless I am doing something wrong, it is hard to believe this was fixed in T148582, but maybe this is a regression.

Reply to "Looking for a working example of lockdown working with parsoid cookie forwarding?"
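Added example, not code from the thread or from the Lockdown project: a simplified stand-alone PHP model of how the namespace rules in the LocalSettings.php above resolve for the group sets a Parsoid request to api.php can carry, with and without a forwarded session cookie. The rule lookup order, the helper names and the caller list are assumptions made for illustration.

```php
<?php
// Added illustration: a simplified stand-alone model, not Lockdown's source.
// Namespace ids, groups and rules are copied from the LocalSettings.php above.

const NS_L2 = 3002;
const NS_L3 = 3004;

// Base rights from $wgGroupPermissions; tech-L2/tech-L3 were cloned from 'user'.
$groupPermissions = [
    '*'       => [ 'read' => true, 'edit' => false ],
    'user'    => [ 'read' => true, 'edit' => true ],
    'tech-L2' => [ 'read' => true, 'edit' => true ],
    'tech-L3' => [ 'read' => true, 'edit' => true ],
];

$namespaceLockdown = [
    NS_L2 => [ '*' => [ 'tech-L2', 'tech-L3' ] ],
    NS_L3 => [ '*' => [ 'tech-L3' ] ],
];

/**
 * Assumed lookup order: [ns][action], then ['*'][action], then [ns]['*'].
 * Returns null when no rule applies, otherwise the list of allowed groups.
 */
function lockdownGroups( array $rules, int $ns, string $action ): ?array {
    return $rules[$ns][$action] ?? $rules['*'][$action] ?? $rules[$ns]['*'] ?? null;
}

/** True when the base rights grant the action and no rule excludes the user. */
function isAllowed( array $perms, array $rules, array $userGroups, int $ns, string $action ): bool {
    $granted = false;
    foreach ( $userGroups as $group ) {
        $granted = $granted || ( $perms[$group][$action] ?? false );
    }
    if ( !$granted ) {
        return false; // Lockdown can only restrict, never grant.
    }
    $allowed = lockdownGroups( $rules, $ns, $action );
    if ( $allowed === null ) {
        return true; // no rule for this namespace/action
    }
    return (bool)array_intersect( $userGroups, $allowed );
}

// Constructed callers: the groups MediaWiki would see for each api.php request.
$callers = [
    'Parsoid, no cookie forwarded (anonymous)' => [ '*' ],
    'Parsoid, cookie of a plain user'          => [ '*', 'user' ],
    'Parsoid, cookie of a tech-L2 member'      => [ '*', 'user', 'tech-L2' ],
    'Parsoid, cookie of a tech-L3 member'      => [ '*', 'user', 'tech-L3' ],
];

foreach ( $callers as $label => $groups ) {
    foreach ( [ 'L2' => NS_L2, 'L3' => NS_L3 ] as $name => $ns ) {
        foreach ( [ 'read', 'edit' ] as $action ) {
            $ok = isAllowed( $groupPermissions, $namespaceLockdown, $groups, $ns, $action );
            printf( "%-42s %s:%-4s %s\n", $label, $name, $action, $ok ? 'allow' : 'deny' );
        }
    }
}
```

The anonymous row is the case of a Parsoid or RESTBase request that reaches api.php without the editor's session cookie. Passing an empty rule set to `isAllowed()` models the workaround of not loading Lockdown for localhost requests: reads of L2 and L3 are then allowed to any caller on that host, because the base rights give `read` to `*`.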

option to block &oldid=* &diff=* links

1
Gunnar.offel (talkcontribs)

Is there a way to prevent the

  • &oldid=
  • &diff=

etc. links? That would allow hiding the changes.

Reply to "option to block &oldid=* &diff=* links"
Manbu (talkcontribs)

I have problems with hackers sending me virus mails - that's why I want to hide

http://spiritwiki.de/w/Spezial:Benutzer for all not logged in users - but

wfLoadExtension( 'Lockdown' );

$wgSpecialPageLockdown['Benutzer'] = [ 'user' ];

$wgActionLockdown['Benutzer'] = [ 'user' ];

has no effect - what is wrong?

Evilninja (talkcontribs)

Shouldn't this read 'User' instead of 'Benutzer'? Also, on the extension page there is a small note about "Hiding pages", which appears to be possible, but it's a bit more difficult to do.

Manbu (talkcontribs)

No - I have of course already tried that before I posted here (special:user is redirected to Spezial:user - and http://spiritwiki.de/w/Spezial:User ... error: does not exist...). Does it possibly have to do with the German language or with the namespace /w/?

Reply to "No function in MW1.31"
TheRebel~mediawikiwiki (talkcontribs)

I was having problems with locking down certain special pages based on user groups with Lockdown on MW 1.17 and 1.16. Here is a solution that doesn't need Lockdown at all, just enter this in your LocalSettings.php:

// Remove the listed special pages for every user who is not in the 'sysop' group.
function SpecialPageBlock( &$list ) {
	global $wgUser;
	if ( !in_array( 'sysop', $wgUser->getGroups() ) ) {
		foreach ( array(
			'Uncategorizedimages','Unusedimages','Withoutinterwiki',
			'Newimages','Listfiles','MIMEsearch','FileDuplicateSearch','Filepath',
			'Booksources','Mostimages','Tags','Disambiguations','BrokenRedirects','Deadendpages',
			'DoubleRedirects','Longpages','Ancientpages','Lonelypages','Fewestrevisions','Protectedpages',
			'Protectedtitles','Shortpages','Uncategorizedcategories','Uncategorizedpages','Uncategorizedtemplates',
			'Unusedcategories','Unusedtemplates','Wantedcategories','Wantedfiles','Wantedpages','Wantedtemplates',
			'Allpages','Prefixindex','Categories','Listredirects','Activeusers','Contributions',
			'Log','Newpages','Recentchanges','Recentchangeslinked','Listgrouprights','Listusers',
			'Popularpages','Statistics','Allmessages','Version','LinkSearch','Random','Randomredirect',
			'Mostlinkedcategories','Mostlinkedpages','Mostlinkedtemplates','Mostcategories','Mostrevisions',
			'Export','Whatlinkshere'
		) as $i ) {
			// Dropping the entry unregisters the page for this request.
			unset( $list[$i] );
		}
	}
	return true;
}
// Run the filter whenever the list of special pages is built.
$wgHooks['SpecialPage_initList'][] = 'SpecialPageBlock';

The example above limits access to the pages listed in the array to the 'sysop' group, by removing the pages from the rest of the groups. The best thing in this solution is that the pages in the array won't even show up on the SpecialPages.

For some reason Random and MostLinkedPages couldn't be disabled this way, any ideas why?

This post was posted by TheRebel~mediawikiwiki, but signed as TheRebel.

203.118.164.219 (talkcontribs)

Thanks! A much better solution. People don't even know what they're missing.

50.137.193.149 (talkcontribs)

This works perfectly. This should be linked to from restricting access pages. Thanks a bunch.

Frantik (talkcontribs)

Here is a function which allows you to specify various user groups and also whitelist pages, as opposed to having to list every single page to block.

function SpecialPageBlock(&$list)
{
	global $wgUser;
	   
	$allowedGroups = array(
		'sysop',
	);
	
	$whiteList = array(
		'Userlogin',
		'Userlogout',
		'Search',
		'Preferences',
		'ChangePassword',
	);

	$allowed = false;
	$userGroups = $wgUser->getGroups();	
	foreach($allowedGroups as $group)
	{		
		if (in_array($group, $userGroups))
		{	
			$allowed = true;
			break;
		}		
	}
		
	if (!$allowed)			
	{
		foreach($list as $key => $specialPage)
		{	
			if (!in_array($key, $whiteList))
			{
				unset($list[$key]);
			}
		}
	}
	
	return true;
}

$wgHooks['SpecialPage_initList'][]='SpecialPageBlock';
Kghbln (talkcontribs)

Thanks a lot for sharing! Much appreciated!

AssetDenmark (talkcontribs)

Thanks - I had to add 'ConfirmEmail', 'CreateAccount', to the $whitelist, otherwise it is working for me!

Also I got this to work.. so LockDown is not totally useless for me... ;-)

# Lockdown start

wfLoadExtension( 'Lockdown' );

$wgNamespacePermissionLockdown['*']['edit'] = [ 'sysop' ];

      

You can then add special groups and permissions to flesh groups that can 'read' and/or 'edit' namespaces... appears to be working!


Reply to "Locking down special pages"

Letting anons create a page with Page Forms (MW 1.28.1, PF 4.1)

1
Cavila (talkcontribs)

I'm experimenting with a wiki that is mostly "locked down" except for one namespace, where anonymous users should be allowed to create new pages using a form. These users can edit and create pages with action=edit, they can edit an existing page using Page Forms - so far so good, but what they cannot do is create a new page using Page Forms. This is despite the fact that editing the namespace is enabled for anonymous users (*) as is the FormEdit special page.

You do not have permission to edit this page, for the following reason:

The action you have requested is limited to users in the group: Users.

What settings should be used to achieve this?

Reply to "Letting anons create a page with Page Forms (MW 1.28.1, PF 4.1)"

Hide specific page except to owner?

1
MavropaliasG (talkcontribs)

Hi @Duesentrieb thank you for the great extension.

I wanted to ask you if Lockdown or another method would allow me to do the following.

  1. Someone creates a page. That page is automatically ONLY visible to the owner (hidden from anyone else) but the owner can also invite others to see the page.
  2. Only the owner (original creator) can edit the page, but they can allow others to edit it if they want.
  3. The owner can choose to publish the page (make it publicly visible)
  4. If they publish the page, the revision history of when it was private does not show, instead the revision history is reset and starts anew for the public version.

Please let me know, thank you.

Reply to "Hide specific page except to owner?"