MediaWiki user-group security

MediaWiki: customizing: user-group security

Overview
Although Mediawiki 1.5 has added the ability to assign users to security groups, it still requires code modification in order to create new groups or change the lists of pages for which those groups have various permissions. Some extensions attempt to fill in the gaps, albeit imperfectly as yet.

Extensions / Customizations
The following extensions add access control to MediaWiki:
 * Page by page access: page-based access control
 * GroupWikiBase: page-based access control

Of the two, GroupWikiBase seems to come the closest to providing true granular access control, but it also appears to have at least one security hole (searches will return fragments of restricted pages to non-privileged users). There is a patch here which "fixes" the problem with a kind of brute-force approach which restricts results by name space.

The following patch to the SpecialSearch.php file, however, works with GroupWikiBase to hide search results from any restricted page (changes start at line 324, inside SpecialSearch.showHit):

SpecialSearch.php patch
function showHit( $result, $terms ) { $fname = 'SpecialSearch::showHit'; wfProfileIn( $fname ); global $wgUser, $wgContLang, $wgLang;

$t = $result->getTitle; if( is_null( $t ) ) { wfProfileOut( $fname ); return "\n"; } // 2007-03-20 Woozle's additional security patch $restr = $t->getRestrictions($action); if(!userCanExt($t, &$wgUser, 'read',$canView)) { return '';	// don't give any info about existence of restricted pages } // end of Wzl patch

implementation notes
These were notes I made while trying to implement security myself, before the above extensions were available. This may now be useless information. --Woozle 14:56, 28 February 2007 (EST)

So far, I've added the following tables:
 * ugroups = groups a.k.a. roles
 * urights = permissions, a.k.a. rights
 * user groups = which users are in which groups
 * ugroup rights = what rights each group has

I have also populated the [urights] table with values from Permissions.

Next steps to take:
 * Populate [user groups] with the existing user-group mapping (can be found either in localSettings.php or in the Special:Userrights area (accessible to wiki sysops only)
 * Populate [ugroup rights] with the existing group-rights mapping (I saw this somewhere, but will have to find it again)
 * Modify the code so it reads these tables instead of the hard-coded arrays
 * We will want to write a Special: page for Group/Rights management (or perhaps just modify Special:Userrights to include this).
 * And then there's a little bit of investigation to be done regarding how to protect individual pages. This page sounds like it might have this part of the solution.

Meta articles

 * Help:User rights: list of permissions currently used in code
 * Hidden pages: "Here are some thoughts on introducing the feature of hidden pages that are only visible and editable by some users."
 * Page access restriction with MediaWiki: "I made a patch to enable page restriction under the MediaWiki software."
 * Permissions: seems to be a Special page for displaying Permissions data. Not sure how useful this is.
 * Articles which are only vaguely related:
 * MediaWiki FAQ
 * Write your own MediaWiki extension (this should be in Customization)
 * Category:Mediawiki Extensions (should probably also be in Customization)