Extension:PasswordProtected
If you need per-page or partial page access restrictions, you are advised to install an appropriate content management package. MediaWiki was not written to provide per-page access restrictions, and almost all hacks or patches promising to add them will likely have flaws somewhere, which could lead to exposure of confidential data. We are not responsible for anything being leaked, leading to loss of funds or one's job. For further details, see Security issues with authorization extensions |
This extension stores its code inside a wiki page. Please be aware that MediaWiki developers do not review or keep track of extensions that put their code on the wiki.
|
Password Protected Pages Release status: stable |
|||
---|---|---|---|
Implementation | Tag, Hook | ||
Description | Makes page able to be protected via passwords | ||
Author(s) | StinkflyTalk | ||
Last version | 1.0 | ||
MediaWiki | 1.11 | ||
License | No license specified | ||
Download | See below | ||
|
|||
[edit] What can this extension do?
It can protect pages and require a password to edit/view.
Despite the password prompt, a user who opens the View Source tab can see the wikitext of the page, and with it both the password and the content. This extension therefore does not prevent your content from being viewed.
[edit] Usage
In page put in: <password>the password for the page</password>
This doesn't seem to work if you enter the password right away when creating the page; it seems the page is not assigned an ID soon enough (observed in MediaWiki 1.14.0). According to my tests, you have to save the page first and then edit it again to add the password.
[edit] Download instructions
Cut and paste the code found below and place it in $IP/extensions/passwordpages.php. Note: $IP stands for the root directory of your MediaWiki installation, the same directory that holds LocalSettings.php.
[edit] Installation
To install this extension, add the following to LocalSettings.php:
require_once("$IP/extensions/passwordpages.php");
Then run the following statement against your database (prepend your table prefix to protect_pages):
CREATE TABLE `protect_pages` ( `pageid` int(3) NOT NULL, `password` blob NOT NULL )
or better
CREATE TABLE `protect_pages` ( `pageid` int(3) NOT NULL PRIMARY KEY, `password` blob NOT NULL )
this will speed up your queries as it creates an index on the `pageid` column. The syntax may be a little different in Postgres.
[edit] Code
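<?php
/**
 * Password Protected Pages: a <password> parser tag plus hooks that ask for a
 * per-page password before showing or editing a page.
 *
 * Security notes for whoever deploys this file:
 *  - The password is written as plain text inside the page's wikitext and is
 *    copied as plain text into the protect_pages table. Anyone who can read the
 *    wikitext or the table can read the password. Changing that needs a schema
 *    and usage change, so it is flagged here rather than silently altered.
 *  - The "unlocked" state lives in the PHP session ($_SESSION), keyed by page id.
 *  - Message bodies below are raw HTML; values substituted into them are
 *    escaped at the call sites.
 */

// This module needs Special Pages, and in some instances its not included
require_once( "$IP/includes/SpecialPage.php" );

// Password protection: the unlocked state is kept in the PHP session.
@session_start();

$wgExtensionCredits['validextensionclass'][] = array(
    'name' => 'Password Protected Pages',
    'author' =>'Stinkfly',
    'url' => 'http://www.stinkfly.co.uk',
    'description' => 'This password protects pages, so only people with the password can access. (failsafe: check database)'
);

$wgSpecialPages['Depassword'] = new SpecialPage("Depassword", '', true, "wfSpecialDepassword");

$wgExtensionFunctions[] = "wfPasswordProtect";

// Interface messages, per language code. These strings are runtime output.
$pwdLang = array(
    'en' => array(
        'depassword' => "Remove Password Protection",
        'pwd-protect' => "Attempting to access password protected page",
        'pwd-ask' => "<div style='border: 1px solid red; border-bottom-size: 3px; padding: 5px;'>This page is password protected! Any user requires an password for access. <form action=\"$1\" method=post>Password: <input type='password' name='password' /><input value='Unlock' type='submit' /></form></div>",
        'pwd-ok' => "<div style='border: 1px solid red; border-bottom-size: 3px; padding: 5px;'>This page is password protected and you can view it for this session. Do not close your web browser otherwise you'll need to re-enter the password. <form action=\"$1\" method=get><input type='hidden' name='password' value='' /><input type='submit' name='locker' value='Lock' /></form></div>",
        'depwd' => "<p>This removes password protection from pages. This means that you also have to remove the <password> field</p>",
        'depwdtext' => "<p>Are you sure you wish to remove protection on $1?</p>",
        'depwdnoprotection' => "<p><b>Cannot continue</b> An fatal error has occured: The page doesn't even have password protection</p>",
        'removeprotection' => "Remove Protection",
        'depwddone' => "<p>Password protect has been removed. 
You may need to force-refresh the page for changes to appear</p>"),
    'de' => array(
        'depassword' => "Passwortschutz entfernen",
        'pwd-protect' => "Es wird versucht auf eine passwortgeschützte Seite zu zu greifen",
        'pwd-ask' => "<div style='border: 1px solid red; border-bottom-size: 3px; padding: 5px;'>Diese Seite ist passwortgeschützt! Jeder Benutzer benötigt ein Passwort für den Zugriff. <form action=\"$1\" method=post>Passwort: <input type='password' name='password' /><input value='Entsperren' type='submit' /></form></div>",
        'pwd-ok' => "<div style='border: 1px solid red; border-bottom-size: 3px; padding: 5px;'>Diese Seite ist passwortgeschützt und Sie können die Seite für die Dauer der aktuellen Session sehen. Schließen Sie den Web-Browser nicht, sonst müssen Sie das Passwort erneut eingebend. <form action=\"$1\" method=get><input type='hidden' name='password' value='' /><input type='submit' name='locker' value='Sperren' /></form></div>",
        'depwd' => "<p>Hier wird der Passwortschutz entfernt. Das bedeutet, dass Sie das <password>-Feld ebenfalls entfernen müen.</p>",
        'depwdtext' => "<p>Sind Sie sicher, dass die den Passwortschutz auf $1 entfernen möchten?</p>",
        'depwdnoprotection' => "<p><b>Fortsetzung nicht möglich</b> Fataler Fehler: Die Seite ist nicht passwortgeschützt</p>",
        'removeprotection' => "Passwortschutz entfernen",
        'depwddone' => "<p>Der Passwortschutz wurde entfernt. Sie müssen möglicherweise das Aktualisieren der Seite erzwingen um die Änderungen zu sehen.</p>"),
    'fr' => array(
        'depassword' => "Enlever la protection par mot de passe",
        'pwd-protect' => "Ceci est une page protegee par mot de passe",
        'pwd-ask' => "<div style='border: 1px solid red; border-bottom-size: 3px; padding: 5px;'>Cette page est protegee par mot de passe! Vous devez entrer le mot de passe pour acceder a cette page. 
<form action=\"$1\" method=post>Mot de passe: <input type='password' name='password' /><input value='Unlock' type='submit' /></form></div>",
        'pwd-ok' => "<div style='border: 1px solid red; border-bottom-size: 3px; padding: 5px;'>Cette page est protegee et vous pouvez la consulter pour cette session. Si vous fermez le navigateur vous devrez re-entrer le mot de passe. <form action=\"$1\" method=get><input type='hidden' name='password' value='' /><input type='submit' name='locker' value='Lock' /></form></div>",
        'depwd' => "<p>Retire la protection. Cela signifie que vous devez effacer le <mot de passe> du champ</p>",
        'depwdtext' => "<p>Etes vous sur de vouloir retirer la protection de la page $1?</p>",
        'depwdnoprotection' => "<p><b>Ne peut continuer</b> Une erreur fatale est survenue: La page n'est pas protegee</p>",
        'removeprotection' => "Enlever la protection",
        'depwddone' => "<p>Le mot de passe a ete efface. Vous devez forcer le rafraichissement de la page pour prendre en compte le changement.</p>")
);

$wgHooks['OutputPageBeforeHTML'][] = 'wfPwdCheck';
$wgHooks['userCan'][] = "wfPwdUsercan";

/**
 * Extension setup: registers the <password> tag and loads the messages.
 */
function wfPasswordProtect(){
    global $wgMessageCache, $pwdLang, $wgParser;
    $wgParser->setHook( 'password', 'wfPasswordTag' );
    foreach ( $pwdLang as $lang => $langMessages ) {
        $wgMessageCache->addMessages( $langMessages, $lang );
    }
}

/**
 * Parser hook for <password>...</password>: records the page's password in
 * the protect_pages table and renders nothing.
 *
 * @param string|null $input  Text between the tags (author-controlled wikitext)
 * @param array       $args   Tag attributes (unused)
 * @param Parser      $parser The parser (unused)
 * @return string Always the empty string
 */
function wfPasswordTag( $input, $args, $parser ){
    // here we need to update our table to say that we've got password protection here
    global $wgDBprefix, $wgTitle;
    if( !is_object( $wgTitle ) ) return "";

    $pageId = intval( $wgTitle->getArticleID() );
    // An unsaved page has id 0. Storing a row for id 0 would mark every page
    // without an id as protected, so nothing is written until the page exists.
    if( $pageId <= 0 ) return "";

    $db = wfGetDB( DB_MASTER );
    // $parser->disableCache();
    $db->query("DELETE FROM `{$wgDBprefix}protect_pages` WHERE pageid='{$pageId}'");
    // $input comes straight from page text: quote it through the database
    // layer instead of concatenating it into the statement.
    // NOTE(review): the password is stored unhashed; see the file header.
    $quotedPassword = $db->addQuotes( (string)$input );
    $db->query("INSERT INTO `{$wgDBprefix}protect_pages` (`pageid`,`password`) VALUES ('{$pageId}',{$quotedPassword})");
    return "";
}

// Set once the password prompt has been emitted for the current request.
$one = false;

/**
 * Session key holding the unlocked flag for a page. Keyed by page id, the same
 * key the protect_pages table uses, so two pages that share a title text in
 * different namespaces do not share one unlock.
 */
function wfPwdSessionKey( $title ){
    return 'pwd-' . intval( $title->getArticleID() );
}

/**
 * Whether the current session has unlocked the given page.
 */
function wfPwdIsUnlocked( $title ){
    $key = wfPwdSessionKey( $title );
    return isset( $_SESSION[$key] ) && $_SESSION[$key] === "yoyo";
}

/**
 * Applies an unlock (POST 'password') or lock (GET 'locker') request for the
 * given page to the session.
 */
function wfPwdHandleRequest( $title ){
    $key = wfPwdSessionKey( $title );
    if( isset( $_POST['password'] ) && $_POST['password'] ){
        if( wfPwdChk( $title, $_POST['password'] ) ){
            $_SESSION[$key] = "yoyo";
        }
    }
    if( isset( $_GET['locker'] ) && $_GET['locker'] ) unset( $_SESSION[$key] );
}

/**
 * OutputPageBeforeHTML hook: replaces the page HTML with the password prompt
 * until the page has been unlocked in this session.
 *
 * @param OutputPage $out
 * @param string     $text HTML about to be added to the output (by reference)
 * @return bool Always true so that other hooks keep running
 */
function wfPwdCheck( &$out, &$text ){
    global $wgTitle, $one;
    // here is the magic: we need to get it all right here or it won't work
    if( wfPwdIsProtected( $wgTitle ) ){
        // the page is protected: check whether this session is allowed in
        wfPwdHandleRequest( $wgTitle );
        $formAction = htmlspecialchars( $wgTitle->getLocalUrl(), ENT_QUOTES );
        if( !wfPwdIsUnlocked( $wgTitle ) ){
            // show form
            $out->setPageTitle( wfMsg( "pwd-protect" ) );
            if( $one == false ){
                $one = true;
                $text = wfMsg( "pwd-ask", array( 1 => $formAction ) );
            } else {
                // The prompt was already emitted during this request. The
                // protected HTML must still be withheld; leaving $text alone
                // here would send it to a visitor who has not unlocked the page.
                $text = "";
            }
        } else {
            $text = wfMsg( "pwd-ok", array( 1 => $formAction ) ) . $text;
        }
    }
    return true;
}

/**
 * userCan hook: denies "edit" and "viewsource" on a protected page until the
 * page has been unlocked in this session.
 *
 * @param Title  $title
 * @param User   $user
 * @param string $action
 * @param bool   $result Set to false when access is denied (by reference)
 * @return bool
 */
function wfPwdUsercan( $title, $user, $action, &$result ){
    global $wgOut;
    // Explicit grouping: "a and b or c" parses as "(a and b) or c", which
    // applied the password check to viewsource on pages that are not protected.
    if( ( $action == "edit" || $action == "viewsource" ) && wfPwdIsProtected( $title ) ){
        wfPwdHandleRequest( $title );
        if( !wfPwdIsUnlocked( $title ) ){
            // show form
            $wgOut->setPageTitle( wfMsg( "pwd-protect" ) );
            $result = false;
            return $result;
        }
    }
    $result = true;
    return true;
}

/**
 * Checks a submitted password against the one stored for the page.
 *
 * @param Title $title
 * @param mixed $password Submitted value; anything but a non-empty string fails
 * @return bool
 */
function wfPwdChk($title, $password){
    // let's do some checks: is $title password == $password
    global $wgDBprefix;
    if( !is_string( $password ) || $password === "" ) return false;
    if( !is_object( $title ) ) return false;

    $pageId = intval( $title->getArticleID() );
    if( $pageId <= 0 ) return false;

    $db = wfGetDB( DB_MASTER );
    $result = $db->query("SELECT * FROM {$wgDBprefix}protect_pages WHERE pageid='{$pageId}'");
    // When the table has no primary key there may be several rows; the last
    // one returned is the one compared.
    $myrow = null;
    while ( $row = $db->fetchObject( $result ) ) {
        $myrow = $row;
    }
    if( $myrow === null ) return false;

    $stored = (string)$myrow->password;
    // Strict string comparison: with "==", numeric-looking strings such as
    // "1e3" and "1000" compare equal. Use the constant-time helper when the
    // running PHP provides it.
    if( function_exists( 'hash_equals' ) ) {
        return hash_equals( $stored, $password );
    }
    return $stored === $password;
}

/**
 * Whether a password row exists for the given page.
 *
 * @param Title|null $title
 * @return bool
 */
function wfPwdIsProtected($title){
    // let's do some checks: is $title password protected or not?
    global $wgDBprefix;
    if( !is_object( $title ) ) return false;

    $pageId = intval( $title->getArticleID() );
    // Titles without a page id cannot carry a password row.
    if( $pageId <= 0 ) return false;

    $db = wfGetDB( DB_MASTER );
    $result = $db->query("SELECT * FROM {$wgDBprefix}protect_pages WHERE pageid='{$pageId}'");
    if ( $row = $db->fetchObject( $result ) ) {
        // return as, we've found our row
        return true;
    }
    return false;
}

/**
 * Special:Depassword/<page>: lets the page's author or a sysop remove the
 * password row for a page after a confirmation step.
 *
 * @param string|null $Par Subpage parameter naming the page
 */
function wfSpecialDepassword($Par){
    global $wgUser, $wgOut, $wgDBprefix;
    $title = ( is_string( $Par ) && $Par !== '' ) ? Title::newFromText( $Par ) : null;

    $wgOut->addHtml(wfMsg("depwd"));
    // A missing or invalid page name is reported the same way as a page
    // without protection instead of failing on a null title.
    if( !is_object( $title ) || !wfPwdIsProtected($title) ){
        $wgOut->addHtml(wfMsg("depwdnoprotection"));
        return;
    }

    // NOTE(review): Article::getUser() looks like it returns the author of the
    // current revision rather than the page creator - confirm.
    $article = new Article($title);
    $user = $article->getUser();

    // Anonymous visitors have id 0, and so does an anonymous author; require a
    // logged-in user so that "0 == 0" never counts as ownership.
    $isAuthor = $wgUser->getId() != 0 && $wgUser->getId() == $user;
    if( $isAuthor or wfIsSysop($wgUser) ){
        // The removal is a state change: require the user's edit token so the
        // form cannot be submitted on the user's behalf from another site.
        $tokenOk = isset($_POST['wpEditToken']) && $wgUser->matchEditToken( $_POST['wpEditToken'] );
        if( isset($_POST['iamsure']) && $_POST['iamsure'] && $tokenOk ){
            $pageId = intval( $title->getArticleID() );
            $db = wfGetDB( DB_MASTER );
            $db->query("DELETE FROM `{$wgDBprefix}protect_pages` WHERE pageid='{$pageId}'");
            $wgOut->addHtml(wfMsg("depwddone"));
            return;
        }
        // This is when we ask the user if he/she really wants to remove the password (admins can do this too)
        $wgOut->addHtml(wfMsg("depwdtext", array(1 => htmlspecialchars( $title->getText(), ENT_QUOTES ))));
        $wgOut->addHtml(
            "<form action='' method=post>"
            . "<input type='hidden' name='wpEditToken' value='" . htmlspecialchars( $wgUser->editToken(), ENT_QUOTES ) . "' />"
            . "<input type='submit' value='" . htmlspecialchars( wfMsg('removeprotection'), ENT_QUOTES ) . "' name='iamsure' />"
            . "</form>"
        );
    }
}

/**
 * Whether the user belongs to the 'sysop' group.
 */
function wfIsSysop($user){
    $groups = $user->getGroups();
    return in_array('sysop', $groups);
}

// No closing PHP tag: whitespace after it would be sent as output before
// headers and the session cookie.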