Extension talk:Prefix Security

Where is the download link ? I am very much interested in this work. Jean-Lou Dupont 14:07, 9 February 2007 (UTC)Reply

Try now. I was editing site till now.

For some reason, attempting to remove a user from a group results in a "the special page doesn't exist" error.

Hi, i have the same pb of "Special page doesn't exist". i use MW 1.9.3 and PHP 5 --Ouaibsky 12:02, 13 April 2007 (UTC)Reply

In addition, removal of a Prefix leaves pages with that prefix labeled as being protected by it.

--Dataweaver 01:08, 13 April 2007 (UTC)Reply

It would be useful, if there would not only be read/write-rights, but als create. E.g. on several pages which i would like to protect with Prefix, I want every people to write. But new articles with a defined prefix should only be created by a smaller list of users. --Xwolf 09:32, 16 May 2007 (UTC)Reply

When opening special page Groups Administration for the first time (to make installation) I get an error »1146: Table 'wikidb.user_groups' doesn't exist (localhost)«.

My settings:

$wgDBserver = "localhost";

$wgDBname = "wikidb";

Its trou I don't have the table user_groups. How to make one?

I think installation of extension didn't work at all.

Solution: Those 4 files you have to put directly in map /extensions. My mistake was, that I put them in map /extensions/Prefix Security.

We're using:

MediaWiki: 1.7.1
PHP: 5.0.5-3 (apache2handler)
MySQL: 4.0.24_Debian-10sarge2-log

The installation instructions (readme) say:

Then edit your LocalSettings.php file and add the following lines:

       require_once( 'extensions/GroupsAdministration.php' );
       require_once( 'extensions/PrefixAdministration.php' );
       $wgWhitelistRead = array ( "username1", "username2" );

However, that didn't work--I (a sysop) couldn't access the Group or Prefix special pages. Our system admin says:

After reviewing the php code, I end up adding this:

$wgGroupPermissions['logged']['prefixAdministration'] = array ( 'user1' );

in the LocalSettings.php file instead of

$wgWhitelistRead = array ( 'user1' );

to give us access to these special pages.

Elf 04:08, 9 June 2007 (UTC)Reply

(See above for what versions we're using.)

I added a group and a prefix ("Xyz" or "xyz", doesn't matter). The group has only me in it. I gave one user (myself) and the new group read/edit access to the prefix and everyone else read-only access. But still anyone can edit the pages ("Xyz test", "Xyz: test"). I don't know what we're doing wrong. Can someone help?

Elf 00:20, 9 June 2007 (UTC)Reply

The GroupAdministration, although it's supposed to be for sysops, displays Bureaucrats as a valid group, and, as a sysop, I successfully added myself to the Bureaucrat group. Should it do this? Is there a way to prevent this? Thanks again. (Just my day for asking questions.) Elf 01:19, 9 June 2007 (UTC)Reply

(See above for versions we're using.) When displaying Special:Version, we get these links for these extensions:

• Groups Administration
• PrefixAdministration

Which no longer exist; they shd be pointing here to Mediawiki. Elf 21:41, 12 June 2007 (UTC)Reply

Whenever I add require_once( 'extensions/PageRestrictionHooks.php' ); to LocalSettings.php, my wiki becomes unreachable. Is there something wrong with the code online for that file that is causing the issue? Sean Et Cetera 16:52, 12 July 2007 (UTC)Reply

• I think I found the problem. function TagRestrictHookRead( $input, $argv, &$parser ) does not have a closing }, and I think that's what kept killing it for me. That, and function returnGroups( $groups_s ) appeared to have the same problem. Sean Et Cetera 19:26, 12 July 2007 (UTC)Reply

After enabling this extension a nessus scan of the server showed it as vunrable to SQL injection. Has anyone else seem this?

The following URLs seem to be vulnerable to various SQL injection techniques :

/index.php?-=&title='UNION'&section=1&printable=yes&action=edit /index.php?-=&title='&section=1&printable=yes&action=edit /index.php?-=&title='%22&section=1&printable=yes&action=edit /index.php?-=&title='bad_bad_value&section=1&printable=yes&action=edit /index.php?-=&title=bad_bad_value'&section=1&printable=yes&action=edit /index.php?-=&title='WHERE&section=1&printable=yes&action=edit /index.php?-=&title='OR&section=1&printable=yes&action=edit /index.php?-=&title=' or 1=1-- &section=1&printable=yes&action=edit /index.php?-=&title=' or 'a'='a&section=1&printable=yes&action=edit /index.php?-=&title=') or ('a'='a&section=1&printable=yes&action=edit /index.php?-=&title=%27&section=1&printable=yes&action=edit /index.php?-=&title='+OR+1=1)&section=1&printable=yes&action=edit /index.php?-=&title='+OR+1=1))&section=1&printable=yes&action=edit /index.php?-=&title='+OR+1=1#&section=1&printable=yes&action=edit /index.php?-=&title='+OR+1=1)#&section=1&printable=yes&action=edit /index.php?-=&title='+OR+1=1))#&section=1&printable=yes&action=edit /index.php?-=&title='+or+1=1/*&section=1&printable=yes&action=edit /index.php?-=&title='+or+1=1)/*&section=1&printable=yes&action=edit /index.php?-=&title='+or+1=1))/*&section=1&printable=yes&action=edit /index.php?-=&title='+convert(int,convert(varchar,0x7b5d))+'&section=1&printable=yes&action=edit /index.php?-=&title='+convert(varchar,0x7b5d)+'&section=1&printable=yes&action=edit /index.php?-=&title='%2Bconvert(int,convert(varchar%2C0x7b5d))%2B'&section=1&printable=yes&action=edit /index.php?-=&title='%2Bconvert(varchar%2C0x7b5d)%2B'&section=1&printable=yes&action=edit

An attacker may exploit this flaws to bypass authentication or to take the control of the remote database.

Detected bug in an extension! Hook DescribeRestrictionsHook failed to return a value; should return true to continue hook processing or false to abort.

Backtrace:

1. 0 /wiki/includes/Parser.php(386): wfRunHooks('ParserAfterTidy', Array)
2. 1 /wiki/includes/Article.php(3017): Parser->parse('The iTunes Stor...', Object(Title), Object(ParserOptions), true, true, 6212)
3. 2 /wiki/includes/Article.php(831): Article->outputWikiText('The iTunes Stor...')
4. 3 /wiki/includes/Wiki.php(383): Article->view()
5. 4 /wiki/includes/Wiki.php(48): MediaWiki->performAction(Object(OutputPage), Object(Article), Object(Title), Object(User), Object(WebRequest))
6. 5 /wiki/index.php(89): MediaWiki->initialize(Object(Title), Object(OutputPage), Object(User), Object(WebRequest))
7. 6 {main}

help ?

--Airplanenoise 21:13, 16 November 2007 (UTC)Reply

---

-- Update : Ok - i fixed most of the bugs in this extension. None of the <form> tags or <fieldset> tags were closed in the files associated with this extension. It was throwing off the entire page. Had to fix it all up. Now that it's fixed, it "works", except if the page title has a single quote, obviously an escaping problem on the MySQL Query. Will work on that. But, in short, if you are having problems with this extension, it's because NONE of the tags are closed - form tags mostly. Once you go in and fix that, you can at least get somewhat of a start.

--Airplanenoise 17:57, 10 December 2007 (UTC)Reply

-- Luchhh 27 Agosto 2008

-- Update: I manage to solve the problem. It seems like the function wfRunHooks included in ../includes/Hook.php expects a return value from the function DescribeRestrictionsHook included in ../extensions/PageRestrictionHooks.php, so just by adding "return true;" at the end of the function (line 340) should fix the problem.

Long Description:

Apparently, the wfRunHooks function does a lot of validations, one of them is to validate that the function it's being called returns a value (true or false), so wfRunHooks knows if it should continue executing the rest of the code(true) or stop (false). The function DescribeRestrictionsHook is not meant to stop the execution of anything so I think it's pretty safe if it returns true always.

I have Problem during the Installation after i have coppied the Scribts in the wiki extensions Folder

Installation.php GroupsAdministration.php PrefixAdministration.php PageRestrictionHooks.php

At next ich locked in as Sysop user and open the Groups administration direktory and getting this Message

To install the extensions Succesfully please follow the next few steps: Put Groups Administration extension ./into extensions Directory (Done) Put Prefix Administration extension ./into extensions Directory (Done) Put PageRestrictionsHooks extension ./into extensions Directory (Done) Add repuire_once 'Extensions/GroupsAdministration.php' to the end of the file localsettings.php (Done) Add repuire_once 'Extensions/Prefixdministration.php' to the end of the file localsettings.php (Done)

And when I klick on the installation Button down I getting back these

Search Results

It seems like the link in the script ist wron but I am not sure. Do somebody know what i have done wrong ? If you have an Idea it would be nice if you write me a mail

BjZucknik@aol.com

• I have same problem. If you have any Idea it would be nice if you write me a mail psc@elkor.lv

• i have the same issue. It seems there are 2 probs:

- first, the install script puts the text "Install extensions" in the form (which itselfs cant handle) and
- second, the wiki adds a "&search=" behind the postlink

Workaround: manuelly adding the tables and Localsetings.php rows and delete the Installation.php *g*
--GBT248 23:16, 9 January 2008 (UTC)Reply

How to? I have the same problem. --219.77.5.230 09:28, 2 July 2008 (UTC)Reply

I have implemented the Prefix Security Extension on MediaWiki MediaWiki: 1.9.3. I am having a small display issue when editing pages.

When the user is allowed to edit a page, the Cancel link at the bottom stops being a link. The link actually ends up on the "Access to this page is regulated with a prefix" shown above it.

There also appears to be a number of extra "Access to this page is regulated with a prefix" warnings displayed. They show up between the checkbox and the "This is a minor edit" and again between the checkbox and the "watch this page" as well as between the "Show Changes" button and the "Cancel" link.

Is there a fix for this?

Thanks Todd

My config:

• MediaWiki: 1.11.0
• PHP: 5.2.5 (apache2handler)
• MySQL: 5.0.51

Problem[edit]

If I want to delete a Prefix in Spezial:PrefixAdministration I will asked with yes or no to confirm this. But if I click on the yes button I get the special Search Site about all Namespaces and no action on the page_prefix table ist done.

Solution[edit]

In "PrefixAdministration.php":

if( $wgRequest->getText( 'action' ) == "delete_prefixed_page" ) {...

Before:

$wgOut->addHTML( "
                 <form name='form_delete_prefix' method='post' action=\"$action\">
                 <input type='hidden' name='page_prefix' value=\"$page_prefix\">
                 <input type='submit' name='delete_prefixed_page_yes' value='Yes'>
                 <input type='submit' name='delete_prefixed_page_no' value='No'>
             " );

After:

$wgOut->addHTML( "
                 <form name='form_delete_prefix' method='post' action=\"$action\">
                 <input type='hidden' name='page_prefix' value=\"$page_prefix\">
                 <input type='submit' name='delete_prefixed_page_yes' value='Yes'>
                 <input type='submit' name='delete_prefixed_page_no' value='No'>
                 </form>
             " );

you only have to add the </form> tag.
Timotheus.elias 09:23, 31 January 2008 (UTC)Reply

My config:

   * MediaWiki: 1.11.0
   * PHP: 5.2.5 (apache2handler)
   * MySQL: 5.0.51

Problem[edit]

I've the problem of displaying the Specialpage "Special:Version". There's nothing displayed on it, since I've included your PrefixSecurity Extension.
Please, can anyone help me?
Timotheus.elias 11:27, 4 February 2008 (UTC)Reply

Same thing here[edit]

My config

• MediaWiki: 1.11.1
• PHP: 5.2.5 (cgi-fcgi)
• MySQL: 5.0.24-community-nt

more info If i uncomment any one of these 3 lines below I get the same error.

• // require_once( 'extensions/GroupsAdministration.php' );
• // require_once( 'extensions/PrefixAdministration.php' );
• // require_once('extensions/PageRestrictionHooks.php');

--Abrillon 23:33, 18 February 2008 (UTC)Reply

Solution[edit]

Replace a symbol similar on "z", with the letter "z" in a surname of the author. It should turn out "Borut Tomazin".

Kabanoff 07:56, 28 October 2009 (UTC)Reply

Hi, when I open the Special:Groups Administration and choose the Install Extensions button, IE closes and displayes some error code. --217.91.74.27 15:26, 27 August 2008 (UTC)Reply

I did it manually but the same happens now when I try to delete group members. Aditionally the extension doesn't seem to work. When I add a prefix the access restrictions doesn't work. --217.91.74.27 15:59, 27 August 2008 (UTC)Reply

Hi, it seems like the extension does not take the databse prefix into account. If for example you use wiki_ as a prefix to your database table, the installation will fall as it searches for a non existent database table databasename.user_groups (while in fact it should look for databasename.wiki_user_groups). The maintainer has been informed and it should be taken care of pretty fast, as it it just inserting a preestablished variable into the code. So, if you use prefixes, the extension's installation might fail. Wait for a fix. :)

---

Hi I created a new prefix called, "Prefix" and set permissions to admin and another user but now I don't know how can I create the new spacename with new prefix to retrict actions.

Thank you.

I love this extension. Great job. . . however I get a PHP error every time I go to Special:PrefixAdministration.

I am running Win2K3 Server with the newest MySQL and PHP. I am using fast-cgi to well make the site faster.

The error is: "PHP Notice: Trying to get property of non-object in C:\Inetpub\wwwroot\mediawiki\extensions\PrefixAdministration.php on line 383"

Could you assist? Thanks --Loupetron 18:49, 13 November 2008 (UTC)Reply

After I installed the extension I got a database error, that the database doesn't exist:

Fehler „1146: Table 'wikidb.user_groups' doesn't exist (localhost)“.

Although I put this into the localsettings;

$wgGroupPermissions['logged']['prefixAdministration'] = array( "WikiSysop" );
$wgGroupPermissions['logged']['databasePrefix'] = "myprefix";

thanks for any help.

--Fightgnome 20:27, 8 December 2008 (UTC)Reply

I could not find a link to download this extension, could you please point me? --Mgbf 14:32, 29 December 2009 (UTC)Reply