Extension:Improved Access Control
 |
If you need per-page or partial page access restrictions, you are advised to install an appropriate content management package. MediaWiki was not written to provide per-page access restrictions, and almost all hacks or patches promising to add them will likely have flaws somewhere, which could lead to exposure of confidential data. We are not responsible for anything being leaked, leading to loss of funds or one's job. For further details, see Security issues with authorization extensions |
 Release status: stable |
|||
|---|---|---|---|
| Implementation | User rights, Tag | ||
| Description | Enables group access restriction on a page-by-page basis along with several other features | ||
| Author(s) | Jonathan Eisenstein (JEisentalk) | ||
| Latest version | 2.0 (2013-09-01) | ||
| MediaWiki | 1.13.1 | ||
| Database changes | No | ||
| License | The MIT License | ||
| Download | Project page Subversion [Help] Browse source code |
||
|
|||
|
Translate the Improved Access Control extension if it is available at translatewiki.net |
|||
| Check usage and version matrix; code metrics | |||
This extension is based on Group Based Access Control 0.8 by Martin Gondermann, originally based on accesscontrol.php by Josh Greenberg. It is a mostly-feature-compatible rewrite based on the other extension's design and was written to be a drop-in replacement with minimal configuration.
Features[edit | edit source]
This extension, when fully installed, provides support for the following:
- Article access control by group using embedded tags
- Full (edit) access and read-only access supported
- Protection from adding an access control that would lock editor out
- Filtering of Recent Changes based on article read access
- Filtering of Search results based on article read access
- Image protection using the same access groups as articles
- Transclusion of restricted pages protected in Edit and Edit Preview
- Protection from redirection to a restricted page
This extension was written using security issues with authorization extensions as a checklist, but I cannot guarantee full protection beyond what I've seen. However, it has been thoroughly tested in multiple configurations and known issues are outlined below.
Known Issues[edit | edit source]
Most known access control issues are addressed in this extension, but the following limitations are still known as of version 2.0. These issues may be addressed in a future release.
- Only Usergroup: style groups are supported. MediaWiki groups are not.
- Only the latest access controls are queried for history. If you have restricted content that was removed and the page later made public, the history will also be public.
- Caching might need to be disabled for full protection.
- Performance is somewhat significantly impacted due to many page lookups.
- Transclusion protection may prevent {{:Article}} from working properly in some cases.
- There is no way to specify read-only access without the users being in a group (i.e., no page can have edits restricted to some groups and reads available to all.)
- There is no way to transclude a protected page even if you have access.
- Titles of restricted pages are visible on pages such as Special:AllPages.
- If you log out after having access to a restricted page, action=raw may still give you access.
Documentation[edit | edit source]
Installation[edit | edit source]
- Copy this directory (improved-accesscontrol) into your wiki's extensions directory
- Put the following line into your LocalSettings.php:
require_once("extensions/path_here/improved-accesscontrol.php"); - For image protection, copy img_auth.php into your wiki directory and read the directions in that file.
- To change the Permission Denied error, log in as sysop and go to Special:AllMessages (listed as "System messages"). Change 'badaccess' (title) and 'badaccess-group2' (content)
- Customize options in improved-accesscontrol-options.php
- Customize any messages in improved-accesscontrol.i18n.php
Usage[edit | edit source]
To add access controls to an article, including images, insert a tag in the following form:
<accesscontrol>Name</accesscontrol>
Where Name is defined, depending on configuration, either as a MediaWiki group (NOT CURRENTLY SUPPORTED) or as an article called Usergroup:Name with a list of users. (This page may itself be protected with <accesscontrol>, or limited to sysop accounts.)
For example, you could define a page Usergroup:MyGroup with the content:
*Bill *Ted *Rufus
And another article with:
<accesscontrol>MyGroup</accesscontrol>
This would restrict the article to the user accounts Bill, Ted, and Rufus. Note that there should be no space between the asterik and the user name.
To restrict an article to users in any of a list of groups, separate group names with ',,'. For example:
<accesscontrol>Admins,,Managers</accesscontrol>
To give one of the groups listed read-only access, add (ro) after the name, without a space:
<accesscontrol>Admins,,Managers,,Clients(ro)</accesscontrol>
This would give anyone in the Admins or Managers groups full edit access, and read-only access to users in Clients. Users in multiple groups will get the highest level of access specified.
Note that if adding access controls to an article, you cannot lock yourself out. That is, if you are in Clients, you cannot leave Clients out of the access control list. (This option can be turned off or fine-tuned.)
See also[edit | edit source]
- Page specific user rights extensions
- Extensions with unknown license
- Stable extensions
- User rights extensions
- Tag extensions
- MIT licensed extensions
- Extensions in Google Code version control
- Extensions in Google Code version control (Svn)
- UserCan extensions
- EditFilter extensions
- FetchChangesList extensions
- All extensions
- View page extensions
- Edit extensions
