Topic on Project:Support desk

Need to restrict editing to a few logged in users

Nomad63 (talkcontribs)

I have been handed a media-wiki (ver 1.25) webserver as a part of a project I took on from an employee who left the company. I don't believe he had much knowledge of setting this thing up other than what the software did at the initial install time. It requires you to login, using the company-wide active directory authentication, but after one logs in, it is free for all as far as editing goes. Even though it is against the idea of wiki, I need to restrict this editing capability to only a handful of people, due to the critical nature of information on this website. This site is intranet only and has no Internet-facing parts, if it makes any difference.

On my own, I have researched quite a bit and found the file /var/www/html/includes/DefaultSettings.php and found the section where lines starting with $wgGroupPermissions, followed by some rules, but I could not figure out how to change these lines and how to add people (AD UserIDs) to the groups mentioned, or create new groups if necessary. I need either a document, explaining how this is accomplished step-by-step, or need a light hand-holding as I am a wikimedia beginner.

Thanks in advance

Malyacko (talkcontribs)

See Manual:User rights. Also, 1.25 is an ancient unsupported version that is nowadays full of security issues. Please update: Download.

Nomad63 (talkcontribs)

Thank you for your response. I know it might be an old version but this version came bundled in the tool a vendor provided to us and doing an upgrade on my own may jeopardize the supportability of the tool. Hence, even though as much as I want to, I cannot upgrade/update wikimedia. My saving grace is, tool is not internet facing and only can be accessed by internal people, who should login to their AD accounts to make any changes to the wiki pages.

Having said that, I have read the userrights manual pages, promoted my user id to bureucrat (spelling ??) level. But after that, what I tried to do, did not seem to take a foothold.

Here is what I did:

[snippet below is from the current "DefaultSettings.php" file:]

 /** @cond file_level_code */
 // Implicit group for all visitors
 $wgGroupPermissions['*']['createaccount'] = true;
 $wgGroupPermissions['*']['read'] = true;
 $wgGroupPermissions['*']['edit'] = false;
 $wgGroupPermissions['wikiadm']['edit'] = true; // <-- this is the line I added
 $wgGroupPermissions['*']['createpage'] = true;
 $wgGroupPermissions['*']['createtalk'] = true;
 $wgGroupPermissions['*']['writeapi'] = true;
 $wgGroupPermissions['*']['editmyusercss'] = true;
 $wgGroupPermissions['*']['editmyuserjs'] = true;
 $wgGroupPermissions['*']['viewmywatchlist'] = true;
 $wgGroupPermissions['*']['editmywatchlist'] = true;
 $wgGroupPermissions['*']['viewmyprivateinfo'] = true;
 $wgGroupPermissions['*']['editmyprivateinfo'] = true;
 $wgGroupPermissions['*']['editmyoptions'] = true;
 #$wgGroupPermissions['*']['patrolmarks'] = false; // let anons see what was patrolled

The line I pointed out is what I added. And using "https://tool.mycorp.com/index.php?title=Special:UserRights" page, I made my user id a member of this group. By my understanding of lines prior to my addition, I was under the impression that each group's members are able to read but not able to edit. Lo and behold, my next cubicle coworker, who has no relation to this tool, was able to open a page, click edit and was presented with the editor panel immediately. And yes I have restarted the apache2 instance after making all these changes.

What am I doing wrong here ?

2002:43F4:3186:1234:80E0:308E:A7D:E52F (talkcontribs)

Logged in users also have the edit permission by default.

Ciencia Al Poder (talkcontribs)

 $wgGroupPermissions['user']['edit'] = false;

Also note that changes should be made in LocalSettings.php and not in DefaultSettings.php; in case you ever upgrade your wiki, your modifications to DefaultSettings.php will be lost.

Nomad63 (talkcontribs)

Doesn't the line

 $wgGroupPermissions['*']['edit'] = false;

encompass the group 'user' ? I mean, does the line you mention, have to be there explicitly ? If yes, could you possibly tell me why ?

87.123.250.183 (talkcontribs)

The line has to be there.

The reason is that group * contains _all_ users of the wiki, even those who are _not_ logged in.

Group user, on the other hand, contains only those users who _are_ logged in. So you could take the edit right away from group * and grant it to group user. This would effectively disallow editing for anonymous users while it still allows editing for those users who are logged in.

87.123.250.183 (talkcontribs)

Btw, Manual:User_rights#List_of_groups has a list of user groups. These groups are available in your MediaWiki installation by default.

With a line like

 $wgGroupPermissions['wikiadm']['edit'] = true;

you effectively create a new user group called "wikiadm" and give the edit right to the members of this group. By default however, there are exactly no users in this group. Maybe it is a better idea to stick with the user groups, which are defined by default and to only use those for the beginning? All wiki administrators for example by default are in the group called sysop. So maybe this is what you want to add to the bottom of your LocalSettings.php file:

 $wgGroupPermissions['*']['edit'] = false;
 $wgGroupPermissions['user']['edit'] = false;
 $wgGroupPermissions['sysop']['edit'] = true;
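A simplified model of the behaviour the replies describe, as an added example that is not part of the thread and not MediaWiki's own code: a user's rights are the union of what every group they belong to grants, so `false` on `*` does not remove `edit` granted through `user`. `effectiveRights()` and `canEdit()` are hypothetical helpers, and `$defaults` is a constructed sample of the relevant defaults.

```php
<?php
// Added illustration, not MediaWiki source. effectiveRights() and canEdit()
// are hypothetical helpers that model how per-group rights are combined.

function effectiveRights(array $perms, array $memberOf, bool $loggedIn): array
{
    // Implicit groups: '*' holds every visitor, 'user' every logged-in account.
    $groups = $loggedIn ? array_merge(['*', 'user'], $memberOf) : ['*'];
    $rights = [];
    foreach ($groups as $group) {
        foreach ($perms[$group] ?? [] as $right => $granted) {
            // Rights are additive: a false entry grants nothing, but it does
            // not cancel a true entry that comes from another group.
            if ($granted) {
                $rights[$right] = true;
            }
        }
    }
    return array_keys($rights);
}

function canEdit(array $perms, array $memberOf, bool $loggedIn): bool
{
    return in_array('edit', effectiveRights($perms, $memberOf, $loggedIn), true);
}

// Constructed sample: only the defaults that matter for this thread.
$defaults = [
    '*'    => ['read' => true, 'edit' => true],
    'user' => ['read' => true, 'edit' => true],
];

// The asker's attempt: 'user' keeps its default edit right.
$attempt = $defaults;
$attempt['*']['edit'] = false;
$attempt['wikiadm']['edit'] = true;

// The fix from the replies, keeping the custom group.
$fixed = $attempt;
$fixed['user']['edit'] = false;

$cases = [
    'anonymous visitor'     => [[], false],
    'logged-in, no group'   => [[], true],
    'logged-in, in wikiadm' => [['wikiadm'], true],
];
foreach ($cases as $label => [$memberOf, $loggedIn]) {
    printf("%-24s attempt=%s fixed=%s\n", $label,
        var_export(canEdit($attempt, $memberOf, $loggedIn), true),
        var_export(canEdit($fixed, $memberOf, $loggedIn), true));
}
```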