MediaWiki/archive/user-group security

from HTYP, the free directory anyone can edit if they can prove to me that they're not a spambot
Jump to navigation Jump to search


MediaWiki: customizing: user-group security


Although Mediawiki 1.5 has added the ability to assign users to security groups, it still requires code modification in order to create new groups or change the lists of pages for which those groups have various permissions. Some extensions attempt to fill in the gaps, albeit imperfectly as yet.

Extensions / Customizations

The following extensions add access control to MediaWiki:

Of the two, GroupWikiBase seems to come the closest to providing true granular access control, but it also appears to have at least one security hole (searches will return fragments of restricted pages to non-privileged users). There is a patch here which "fixes" the problem with a kind of brute-force approach which restricts results by name space.

The following patch to the SpecialSearch.php file, however, works with GroupWikiBase to hide search results from any restricted page (changes start at line 324, inside SpecialSearch.showHit()):

SpecialSearch.php patch

<php> function showHit( $result, $terms ) { $fname = 'SpecialSearch::showHit'; wfProfileIn( $fname ); global $wgUser, $wgContLang, $wgLang;

$t = $result->getTitle(); if( is_null( $t ) ) { wfProfileOut( $fname ); return "\n"; } // 2007-03-20 Woozle's additional security patch $restr = $t->getRestrictions($action); if(!userCanExt($t, &$wgUser, 'read',$canView)) { return ; // don't give any info about existence of restricted pages } // end of Wzl patch</php>

implementation notes

These were notes I made while trying to implement security myself, before the above extensions were available. This may now be useless information. --Woozle 14:56, 28 February 2007 (EST)

So far, I've added the following tables:

  • ugroups = groups a.k.a. roles
  • urights = permissions, a.k.a. rights
  • user groups = which users are in which groups
  • ugroup rights = what rights each group has

I have also populated the [urights] table with values from Metawikipedia:Permissions.

Next steps to take:

  • Populate [user groups] with the existing user-group mapping (can be found either in localSettings.php or in the Special:Userrights area (accessible to wiki sysops only)
  • Populate [ugroup rights] with the existing group-rights mapping (I saw this somewhere, but will have to find it again)
  • Modify the code so it reads these tables instead of the hard-coded arrays
  • We will want to write a Special: page for Group/Rights management (or perhaps just modify Special:Userrights to include this).
  • And then there's a little bit of investigation to be done regarding how to protect individual pages. This page sounds like it might have this part of the solution.

Meta articles