Manual:Preventing access

From MediaWiki.org

For help on customising user rights, see Manual:User rights. This page contains examples for restricting access.

Most examples require changing the MediaWiki configuration file LocalSettings.php. Code snippets that come with no further instructions must be added to LocalSettings.php to take effect. To add one or more lines to the file, follow these steps:

  1. If there is a ?> at the end of the file, remove it. It is unnecessary and in some cases causes problems.
  2. Use a text editor to add the line(s) at the end of the file. It does not matter if there are some blank lines above or below what you add. Do not use Windows Notepad, which may add a "byte order mark" (BOM) and prevent the file from being read correctly. Typical symptoms of a BOM are white pages and errors about headers already being sent. To remove a BOM you may have to edit the file in a hex editor; Windows WordPad also seems to work, as does Notepad++. A BOM can also be removed with the Vim text editor by opening the file in Vim, typing :set nobomb, and saving the file again. If you are on a Mac, TextEdit will also do the job.

For more details on editing LocalSettings.php, see Manual:LocalSettings.php.

Simple private wiki

For the common use case of a "private wiki for yourself and approved others", you need:

Warning: see the advice in the sections below; this is simple "general purpose" code that may or may not meet your requirements.
# Disable reading by anonymous users
$wgGroupPermissions['*']['read'] = false;

# Disable anonymous editing
$wgGroupPermissions['*']['edit'] = false;

# Prevent new user registrations except by sysops
$wgGroupPermissions['*']['createaccount'] = false;

Depending on the extensions you have installed, you may want to whitelist more pages. For example, if you use the Extension:ConfirmAccount extension, you may need to whitelist Special:RequestAccount. If your wiki's content language is not English, you may have to use the translated names of the relevant special pages.

Restrict account creation

To restrict account creation, edit LocalSettings.php in the root path of your MediaWiki installation:

# Prevent new user registrations except by sysops
$wgGroupPermissions['*']['createaccount'] = false;
If you want to set up an account confirmation queue, you can use the ConfirmAccount extension. (If not, you can still follow the steps below.)
New users can still be created by sysops as follows:
  1. While logged in as a sysop, go to Special:Userlogin.
  2. Click the "Create an account" link to go to the account creation form.
  3. Enter the username and e-mail address, then click the "by e-mail" button. Note that you need $wgEnableEmail=true, otherwise the sysop has to enter a password and send it to the user.
  4. The account is created with a random password, which is e-mailed to the given address (as with the "forgot password" feature). On first login the user is asked to change the password; when they do, their e-mail address is also marked as confirmed.
    If you click the "Create account" button instead, you have to send the user their password manually. If you've set $wgMinimalPasswordLength=0 (the default configuration up to version 1.15) and left the password field blank, the user will be e-mailed an e-mail address confirmation request but will be unable to access Special:Confirmemail to perform the confirmation. Instead, the user will get an error (unless you've added that page to $wgWhitelistRead); the user will be able to log in with a blank password and then confirm the e-mail, but their password will not have been reset (it will have to be reset manually).

It may be appropriate to edit the text displayed when a non-user attempts to log in. This can be done at MediaWiki:Nosuchuser while logged in as a sysop. Use plain text without any special formatting, as the formatting is ignored and the text is rendered literally. (This may have changed; see bug 12952.)

You can also modify the content of the e-mail sent to new users by editing the page MediaWiki:Createaccount-text.

To prevent sysops from creating accounts as well:

# Prevent new user registrations by anyone
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['sysop']['createaccount'] = false;

To add a message to the login form, edit MediaWiki:Loginprompt. Alternatively, use this code in LocalSettings.php:

function efLoginFormMessage( &$template ) {
    $template->set( 'header', "(For an account to edit articles with, contact Mrs. Nurdsbaum in room B-303, nelda.nurdsbaum@example.org )" );
    return true;
}
$wgHooks['UserLoginForm'][] = 'efLoginFormMessage';

Restrict editing

Restrict editing of all pages

Users will still be able to read pages with these modifications, and they can view the source by using Special:Export/Article name or other methods. See bug 1859.

See Help:User rights and Manual:$wgGroupPermissions. If you use Extension:AbuseFilter, any wiki administrator can also implement various restrictions.

Some examples of how to protect all pages from being edited (but not viewed) by particular classes of users:

Restrict anonymous editing

Require users to register before editing.

$wgGroupPermissions['*']['edit'] = false;

Restrict editing by all non-sysop users

Require a user to be a member of the sysop group.

$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['user']['edit'] = false;
$wgGroupPermissions['sysop']['edit'] = true;

Restrict editing by everyone

$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['user']['edit'] = false;
$wgGroupPermissions['sysop']['edit'] = false;

Restrict editing of an entire namespace

MediaWiki version: 1.10

Since MediaWiki version 1.10, entire namespaces can be protected using the $wgNamespaceProtection variable. Examples:

# Only allow autoconfirmed users to edit Project namespace
$wgNamespaceProtection[NS_PROJECT] = array( 'autoconfirmed' );

# Don't allow anyone to edit non-talk pages until they've confirmed their
# e-mail address (assuming we have no custom namespaces and allow edits
# from non-emailconfirmed users to start with)
# Note for 1.13: emailconfirmed group and right were removed from default
# setup, if you want to use it, you'll have to re-enable it manually
$wgNamespaceProtection[NS_MAIN]     = $wgNamespaceProtection[NS_USER]  =
$wgNamespaceProtection[NS_PROJECT]  = $wgNamespaceProtection[NS_IMAGE] =
$wgNamespaceProtection[NS_TEMPLATE] = $wgNamespaceProtection[NS_HELP]  =
$wgNamespaceProtection[NS_CATEGORY] = array( 'emailconfirmed' );

# Only allow sysops to edit "Policy" namespace
$wgGroupPermissions['sysop']['editpolicy'] = true;
$wgNamespaceProtection[NS_POLICY] = array( 'editpolicy' );

Note that in the last case it's assumed that a custom namespace exists and that NS_POLICY is a defined constant equal to the namespace number. See Manual:Using custom namespaces and Manual:Namespace_constants for a list of MediaWiki's core namespaces.

Restrict editing of certain specific pages

Use the protection feature. By default, any sysop can protect pages so that only other sysops can edit them. In 1.9 and higher, by default they can also protect pages so that only "autoconfirmed" users (with accounts older than a configured period) can edit them. This does not require editing the configuration file.

If you want to restrict editing to groups with specific permissions, edit $wgRestrictionLevels . To prevent actions other than edit and move, use $wgRestrictionTypes .

Restrict editing of all pages except a few

To impose a blanket restriction on editing of all pages but still allow a few (e.g. a sandbox, join request pages, etc.) to be editable, you can use the EditSubpages extension. This may not fit very often, but you could also use the "Restrict editing of certain specific pages" method mentioned above, with all namespaces protected and only one special namespace, holding all the pages you want editable, editable by everyone.

Restrict editing from certain IP address ranges

Schools and other institutions may wish to prevent editing from outside a specified range of IP addresses. To do this, see Manual:Block and unblock. The only way to do this at present without modifying the code is to go to Special:Blockip and systematically rangeblock every one of the address ranges that you don't want to be able to edit. This will work on all future versions of MediaWiki. It will not work on a per-namespace basis.

Restrict editing by specific users

Use the user block feature to remove all edit rights from a user. MediaWiki does not grant rights directly to individual users; rights are always granted to user groups. Other than changing a user's groups, the core software cannot change the rights of a specific user so as to restrict or permit editing of specific pages.

Restrict creation of all pages

Revoking the edit right already prevents affected users from creating new pages and talk pages.

# Anonymous users can't create pages
$wgGroupPermissions['*']['createpage'] = false;

# Only users with accounts four days old or older can create pages
# Requires MW 1.6 or higher.
$wgGroupPermissions['*'            ]['createpage'] = false;
$wgGroupPermissions['user'         ]['createpage'] = false;
$wgGroupPermissions['autoconfirmed']['createpage'] = true;

Restrict page creation in certain namespaces

There are separate rights for creating talk pages (createtalk) and creating non-talk pages (createpage). If you need per-namespace control finer than that, it is not possible in core MediaWiki, and requires an extension such as Extension:Lockdown .

Restrict access to uploaded files

See also: Manual:Image Authorisation, img_auth.php, Manual:User rights (read)

If you have enabled file uploads, uploaded files are served directly by the underlying web server. Account-based access to files is therefore not restricted by default.

Warning: Setting the user right "read" (allow viewing pages) to false will only protect wiki (article, talk, ...) pages, but uploaded files (images, files, docs... in the $wgUploadPath subdirectories) will always remain readable via direct access by default.
Use the information from Manual:Image Authorisation and img_auth.php pages when you have the need to restrict image views and file download access to only logged-in users.

Example of restricting access to uploaded files in the server configuration

If sensitive files are uploaded to a wiki reachable from the Internet, you may want to restrict access to those files. On Apache, if your local network were 10.1.2.*, you could restrict serving of files to local addresses with:

  <Location /mediawiki/images>
    # Apache 2.2 syntax: Deny rules are evaluated first, then Allow rules
    Order deny,allow
    # the whole 10.1.2.* network, not a single host
    Allow from 10.1.2.0/24
    Deny from all
  </Location>
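Before deploying a block like the one above it is worth checking what it actually does for a given client address, because the two Order values have opposite defaults. The following Python script is an added example (not Apache or MediaWiki code): it parses a constructed copy of the Location block, models the Apache 2.2 Order/Allow/Deny evaluation with the standard ipaddress module, and shows that the same Allow/Deny lines under Order allow,deny would deny everyone. Hostname-based specs are not modelled.

```python
"""Check what an Apache 2.2-style Order/Allow/Deny block does for sample
client addresses.  Added example: it models mod_authz_host evaluation in
Python; it is not Apache code, and hostname specs are out of scope."""
import ipaddress

# Constructed copy of the <Location> block protecting the images directory.
IMAGES_BLOCK = """
<Location /mediawiki/images>
  Order deny,allow
  Allow from 10.1.2.0/24
  Deny from all
</Location>
"""


def parse_location_block(text):
    """Extract (order, allow_specs, deny_specs) from a Location block."""
    order, allow, deny = None, [], []
    for line in text.splitlines():
        parts = line.strip().split()
        if len(parts) < 2:          # blank lines and </Location>
            continue
        directive = parts[0].lower()
        if directive == 'order':
            order = parts[1].lower()
        elif directive in ('allow', 'deny') and parts[1].lower() == 'from':
            (allow if directive == 'allow' else deny).extend(parts[2:])
    return order, allow, deny


def _matches(addr, spec):
    """Client address against one 'from' spec: 'all', a CIDR range, a
    partial dotted prefix such as 10.1.2, or a full host address."""
    spec = spec.lower()
    if spec == 'all':
        return True
    if '/' in spec:
        return addr in ipaddress.ip_network(spec, strict=False)
    if spec.count('.') < 3:         # partial IP: prefix match on octets
        return str(addr).startswith(spec + '.')
    return addr == ipaddress.ip_address(spec)


def access_allowed(client, order, allow, deny):
    """Apache 2.2 semantics.  deny,allow: Deny rules are evaluated first and
    any matching Allow overrides them; a client matched by neither is
    allowed.  allow,deny: Allow first, any matching Deny overrides; a client
    matched by neither is denied."""
    addr = ipaddress.ip_address(client)
    allowed = any(_matches(addr, s) for s in allow)
    denied = any(_matches(addr, s) for s in deny)
    if order == 'deny,allow':
        return allowed or not denied
    if order == 'allow,deny':
        return allowed and not denied
    raise ValueError(f"unsupported Order value: {order}")


def check_block(text, clients):
    """Map each client address to True (file served) or False (403)."""
    order, allow, deny = parse_location_block(text)
    return {c: access_allowed(c, order, allow, deny) for c in clients}


if __name__ == '__main__':
    # Constructed client addresses: one inside the LAN, two outside.
    for client, ok in check_block(IMAGES_BLOCK, ['10.1.2.7', '10.1.3.1', '203.0.113.5']).items():
        print(f"{client:>14}: {'served' if ok else 'denied'}")
```

Note that Allow from 10.1.2.3 (a single host) would leave every other machine on 10.1.2.* denied, which the checker reports. On Apache 2.4 the Order/Allow/Deny directives come from mod_access_compat; the native form of the same rule is Require ip 10.1.2.0/24.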

Restrict viewing

Restrict viewing of all pages

Warning: If you want anonymous users to be unable to view the wiki markup/code, you should not allow them to edit any page (see #Restrict editing of all pages above). If they can edit any page, they can use template inclusion to view even pages they can't edit. This may be possible to avoid in 1.10 by using $wgNonincludableNamespaces (or in earlier versions using the NonincludableNamespaces extension), but that may not have been extensively tested.
Warning: This method allows any visitor to view the wiki after creating an account. You may want to combine it with #Restrict account creation above.
Warning: Uploaded images can still be viewed by anyone who knows the name of the image directory. Either point $wgUploadPath to the img_auth.php script and follow the instructions in Manual:Image Authorisation, or use some external method to protect images, like .htaccess.
If anonymous users cannot view your pages, neither can search engines. Your site will not be indexed by Google.

Add these lines to your LocalSettings.php:

# Disable reading by anonymous users
$wgGroupPermissions['*']['read'] = false;

# But allow them to read e.g., these pages:
$wgWhitelistRead = [ "Main Page", "Help:Contents" ];

# Allow jobs to be run (append with [] rather than assigning again,
# which would discard the entries above)
$wgWhitelistRead[] = "Special:RunJobs";

The $wgWhitelistRead setting allows users to view the main page. If page names have more than one word, use a space " " between them, not an underscore "_".

In addition to the main page of such a private site, you could give access to the Recentchanges page (if you think that its content isn't private) for feed readers by adding "Special:Recentchanges" to $wgWhitelistRead .

If you need to protect even the sidebar, main page, or login screen for any reason, it's recommended that you use higher-level authentication such as .htpasswd or equivalent.

Although Special:Listusers won't be available, it can be determined if a username is correct from Userlogin errors. You may want to give a common text for MediaWiki:wrongpassword and MediaWiki:nosuchusershort.
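The settings in the "Simple private wiki", "Restrict editing" and "Restrict viewing of all pages" sections interact in ways that are easy to get wrong: MediaWiki grants a right when any one of a user's groups grants it (so setting only $wgGroupPermissions['*']['edit'] = false leaves logged-in users editing through the 'user' group), and assigning $wgWhitelistRead twice silently drops the first list. The following Python script is an added example, not MediaWiki code: it reads only the $wgGroupPermissions and $wgWhitelistRead lines of a constructed LocalSettings.php excerpt (a few regular expressions, not a PHP parser), applies that any-group-grants rule, and reports the effective rights of anonymous and logged-in users together with whitelist problems. The DEFAULT_PERMS table is an assumption covering only the rights discussed on this page, not the full set of defaults.

```python
"""Audit a LocalSettings.php excerpt for the access settings this page
describes.  Added example, not MediaWiki code: only $wgGroupPermissions
and $wgWhitelistRead lines are understood."""
import re

# $wgGroupPermissions['*']['read'] = false;
PERM_RE = re.compile(
    r"""\$wgGroupPermissions\[\s*['"]([^'"]+)['"]\s*\]\[\s*['"]([^'"]+)['"]\s*\]\s*=\s*(true|false)\s*;""")
# $wgWhitelistRead = [ "Main Page" ];   or   $wgWhitelistRead = array( "Main Page" );
WL_ASSIGN_RE = re.compile(r"""\$wgWhitelistRead\s*=\s*(?:\[|array\()(.*?)(?:\]|\))\s*;""")
# $wgWhitelistRead[] = "Special:RunJobs";
WL_APPEND_RE = re.compile(r"""\$wgWhitelistRead\[\]\s*=\s*['"]([^'"]+)['"]\s*;""")
STRING_RE = re.compile(r"""['"]([^'"]*)['"]""")

# Assumption: the stock defaults for just the rights discussed on this page
# (DefaultSettings.php grants more rights than these).
DEFAULT_PERMS = {
    '*':     {'read': True, 'edit': True, 'createaccount': True, 'createpage': True},
    'user':  {'edit': True, 'createpage': True},
    'sysop': {'edit': True, 'createaccount': True, 'createpage': True},
}


def parse_settings(text):
    """Return (perms, whitelist, warnings).  Later lines override earlier
    ones, exactly as PHP evaluates LocalSettings.php top to bottom."""
    perms = {g: dict(rights) for g, rights in DEFAULT_PERMS.items()}
    whitelist, warnings, assignments = [], [], 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].split('//', 1)[0].strip()   # drop PHP comments
        if m := PERM_RE.match(line):
            group, right, value = m.groups()
            perms.setdefault(group, {})[right] = (value == 'true')
        elif m := WL_ASSIGN_RE.match(line):
            assignments += 1
            if assignments > 1:
                warnings.append(f"line {lineno}: $wgWhitelistRead is assigned again; "
                                f"earlier entries {whitelist} are discarded (use [] = to append)")
            whitelist = STRING_RE.findall(m.group(1))
        elif m := WL_APPEND_RE.match(line):
            whitelist.append(m.group(1))
    warnings += [f"whitelist entry {t!r} contains '_'; page names use spaces"
                 for t in whitelist if '_' in t]
    return perms, whitelist, warnings


def effective_rights(perms, groups):
    """A right is held if ANY group grants it; false in one group does not
    revoke true in another.  Anonymous users are in '*' only; logged-in
    users are in '*' and 'user' plus any extra groups."""
    return {right for g in groups for right, ok in perms.get(g, {}).items() if ok}


def audit(text):
    perms, whitelist, warnings = parse_settings(text)
    anon = effective_rights(perms, ['*'])
    logged_in = effective_rights(perms, ['*', 'user'])
    findings = list(warnings)
    if 'read' in anon:
        findings.append("anonymous users can read every page")
    if 'edit' in anon:
        findings.append("anonymous users can edit")
    if 'createaccount' in anon:
        findings.append("anyone can register an account and then read the wiki")
    if 'read' not in anon and 'Special:RunJobs' not in whitelist:
        findings.append("Special:RunJobs is not in $wgWhitelistRead (the example above whitelists it so jobs can run)")
    return {'anonymous': sorted(anon), 'logged_in': sorted(logged_in),
            'whitelist': whitelist, 'findings': findings}


# Constructed excerpts.  BUGGY assigns $wgWhitelistRead twice; FIXED appends.
BUGGY = """
$wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['createaccount'] = false;
$wgWhitelistRead = [ "Main Page", "Help:Contents" ];
$wgWhitelistRead = [ "Special:RunJobs" ];   # overwrites the line above
"""
FIXED = BUGGY.replace('$wgWhitelistRead = [ "Special:RunJobs" ];', '$wgWhitelistRead[] = "Special:RunJobs";')
# Only '*' loses edit: logged-in users keep it through the 'user' group.
HALF = "$wgGroupPermissions['*']['edit'] = false;"

if __name__ == '__main__':
    for name, text in (('BUGGY', BUGGY), ('FIXED', FIXED), ('HALF', HALF)):
        print(name, audit(text))
```

The HALF excerpt is the case behind the "Restrict editing by all non-sysop users" snippet: the audit shows that logged-in users still hold edit until the 'user' group is set to false as well.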

Restrict viewing of certain specific pages

To prevent anyone except sysops from viewing a page, it can be deleted. To prevent even sysops from viewing it, it can be removed more permanently with the Oversight extension. To destroy the page text completely, it can be deleted from the database by hand. In any of these states the page cannot be edited and, for most purposes, no longer exists.

To have a page act normally for some users but be invisible to others, as is possible for instance in most forum software, is a very different matter. MediaWiki is designed for two basic access modes:

  1. Everyone can view every page on the wiki (except possibly some special pages). This is the mode used by Wikipedia and its sister projects.
  2. Anonymous users can only view the main page and the login page, and cannot edit any page. In terms of technical implementation this is essentially the same as the above (just an extra check on every page view), which is why it exists. This is the mode of operation used by some private wikis, such as the wikis used by various Wikimedia committees.

If you intend to have differing view rights, MediaWiki is not suitable for your use. (See bug 1924.) Data is not necessarily clearly delineated by namespace, page name, or other criteria, and there are a lot of leaks you'll have to plug if you want to make it so (see security issues with authorization extensions for a sample). Other wiki software may suit your purpose better. This is the advice referred to earlier. If you must use MediaWiki, there are three basic possibilities:

  1. Set up your wiki as private and whitelist the specific pages to be made public with $wgWhitelistRead in the LocalSettings.php file. See the sections above.
  2. Set up separate wikis with a shared user database , configure one as viewable and one as unviewable (see above), and make interwiki links between them.
  3. Install a third-party patch or extension. You will have to reapply it every time you upgrade the software, and it may not be updated immediately when new security fixes or upgrades of MediaWiki are released. Third-party hacks are, of course, not supported by MediaWiki developers, and if you're having problems you shouldn't ask on MediaWiki-l, #mediawiki, or other official support channels. A number of hacks are listed in Category:Page specific user rights extensions. If you intend to use one of them, see security issues with authorization extensions.

Restrict export

See also: Manual:Parameters_to_Special:Export

Since rev:19935, page content that cannot be read cannot be exported either.

Remove the login link from all pages

The login/create account link can be removed from the top-right corner of all pages, since users can still log in via Special:SpecialPages > Special:UserLogin. In LocalSettings.php use (tested with MediaWiki 1.16):

function NoLoginLinkOnMainPage( &$personal_urls ){
    unset( $personal_urls['login'] );
    unset( $personal_urls['anonlogin'] );
    return true;
}
$wgHooks['PersonalUrls'][]='NoLoginLinkOnMainPage';

Remove accounts

If you want to completely remove access for a user, e.g. on a simple private wiki, it's not possible to simply delete the account (unless no edits have been made); you can block it, but the user will still be able to read pages. However, using the User Merge and Delete extension you can merge the account into another one and delete the former; the original account will then "disappear". If you want to preserve history readability (i.e. have the user's edits still shown under their name), you can create a new account, e.g. with username "OriginalUserName (deactivated)", and then merge "OriginalUserName" into it, or even use the Renameuser extension to rename "OriginalUserName" to "AnotherUserName", then create an account under "OriginalUserName" and merge "AnotherUserName" into it: in this manner, "OriginalUserName" will be completely "usurped" (if you've set a non-null password).

Since MediaWiki 1.16.0, it is possible to set $wgBlockDisablesLogin to true to prevent access and reading to blocked users.

Other restrictions

You may wish to have pages editable only by their creator, to prohibit viewing the history, or anything else of the kind. These features are not available in an unmodified version of MediaWiki. If you need more fine-grained permissions, see the #See also section for links to other wiki packages that are designed for this, as well as hacks that attempt to contort MediaWiki into something it's not designed to be but may work anyway.

See also

There are some related manual/help pages that may interest you:

Other wiki software may support fine-grained access control better than MediaWiki:

If you want better access control but want to stay with MediaWiki, here is a list of extensions and hacks that implement restrictions the software itself does not allow. Some of these modifications may be out of date (check their version). If you have problems with third-party modified files, do not ask on the official MediaWiki support channels.