Extension:Improved Access Control
If you need per-page or partial page access restrictions, you are advised to install an appropriate content management package. MediaWiki was not written to provide per-page access restrictions, and almost all hacks or patches promising to add them will likely have flaws somewhere, which could lead to exposure of confidential data. We are not responsible for anything being leaked.
For further details, see Security issues with authorisation extensions.
This extension is currently not actively maintained! Although it may still work, any bug reports or feature requests will more than likely be ignored.
Improved Access Control | Release status: unmaintained |
---|---|
Implementation | User rights, Tag |
Description | Enables group access restriction on a page-by-page basis along with several other features |
Author(s) | Jonathan Eisenstein (JEisen) |
Latest version | 2.0 (2013-09-01) |
MediaWiki | 1.13 |
Database changes | No |
License | MIT License |
Download | GitHub |
The Improved Access Control extension is based on Group Based Access Control 0.8 by Martin Gondermann, originally based on accesscontrol.php by Josh Greenberg. It is a mostly-feature-compatible rewrite based on the other extension's design and was written to be a drop-in replacement with minimal configuration.
Features
This extension, when fully installed, provides support for the following:
- Article access control by group using embedded tags
- Full (edit) access and read-only access supported
- Protection from adding an access control that would lock editor out
- Filtering of Recent Changes based on article read access
- Filtering of Search results based on article read access
- Image protection using the same access groups as articles
- Transclusion of restricted pages protected in Edit and Edit Preview
- Protection from redirection to a restricted page
This extension was written using security issues with authorization extensions as a checklist, but I cannot guarantee full protection beyond what I've seen. However, it has been thoroughly tested in multiple configurations and known issues are outlined below.
Known Issues
Most known access control issues are addressed in this extension, but the following limitations are still known as of version 2.0. These issues may be addressed in a future release.
- Only Usergroup: style groups are supported. MediaWiki groups are not.
- Only the latest access controls are queried for history. If you have restricted content that was removed and the page later made public, the history will also be public.
- Caching might need to be disabled for full protection.
- Performance is noticeably impacted because of the many page lookups.
- Transclusion protection may prevent {{:Article}} from working properly in some cases.
- There is no way to specify read-only access without the users being in a group (i.e., no page can have edits restricted to some groups and reads available to all.)
- There is no way to transclude a protected page even if you have access.
- Titles of restricted pages are visible on pages such as Special:AllPages.
- If you log out after having access to a restricted page, action=raw may still give you access.
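The history limitation above can be audited offline. The following is an added example, not part of the extension: it models the rule that only the latest tag governs every revision, and reports old revisions that were restricted when written but are now readable by more people. The input shape (title mapped to revision texts, oldest first) and all sample pages are constructed for illustration.

```python
import re

TAG_RE = re.compile(r"<accesscontrol>(.*?)</accesscontrol>", re.S | re.I)

def readers(wikitext):
    """Groups a revision's own tag lets read it; None means untagged (public)."""
    m = TAG_RE.search(wikitext)
    if m is None:
        return None
    names = (re.sub(r"\(ro\)$", "", g.strip()) for g in m.group(1).split(",,"))
    return {n for n in names if n}

def history_exposures(history):
    """history: {title: [revision wikitext, oldest first]}.

    Returns (title, revision index, groups at the time, who gained access),
    where the last item is "everyone" if the current revision is untagged.
    """
    findings = []
    for title, revs in history.items():
        current = readers(revs[-1])  # the only tag that is consulted
        for i, text in enumerate(revs[:-1]):
            old = readers(text)
            if old is None:
                continue  # revision was public when it was written
            if current is None:
                findings.append((title, i, sorted(old), "everyone"))
            elif current - old:
                findings.append((title, i, sorted(old), sorted(current - old)))
    return findings

# Constructed revision histories, not taken from a real wiki.
HISTORY = {
    "Budget": ["<accesscontrol>Managers</accesscontrol>\nsalaries", "summary only"],
    "Roadmap": ["<accesscontrol>Admins</accesscontrol>\nv1",
                "<accesscontrol>Admins,,Clients(ro)</accesscontrol>\nv2"],
    "Handbook": ["public text", "public text, edited"],
    "Minutes": ["<accesscontrol>Admins,,Managers</accesscontrol>\na",
                "<accesscontrol>Admins</accesscontrol>\nb"],
}

if __name__ == "__main__":
    for finding in history_exposures(HISTORY):
        print(finding)
```

Revisions flagged this way need separate handling (for example deleting the affected revisions), since the extension itself will not hide them.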
Documentation
Installation
- Copy this directory (improved-accesscontrol) into your wiki's extensions directory
- Put the following line into your LocalSettings.php:
require_once("extensions/path_here/improved-accesscontrol.php");
- For image protection, copy img_auth.php into your wiki directory and read the directions in that file.
- To change the Permission Denied error, log in as sysop and go to Special:AllMessages (listed as "System messages"). Change 'badaccess' (title) and 'badaccess-group2' (content).
- Customize options in improved-accesscontrol-options.php
- Customize any messages in improved-accesscontrol.i18n.php
Usage
To add access controls to an article, including images, insert a tag in the following form:
<accesscontrol>Name</accesscontrol>
Where Name is defined, depending on configuration, either as a MediaWiki group (NOT CURRENTLY SUPPORTED) or as an article called Usergroup:Name with a list of users. (This page may itself be protected with <accesscontrol>, or limited to sysop accounts.)
For example, you could define a page Usergroup:MyGroup with the content:
*Bill
*Ted
*Rufus
And another article with:
<accesscontrol>MyGroup</accesscontrol>
This would restrict the article to the user accounts Bill, Ted, and Rufus. Note that there should be no space between the asterisk and the user name.
To restrict an article to users in any of a list of groups, separate group names with ',,'. For example:
<accesscontrol>Admins,,Managers</accesscontrol>
To give one of the groups listed read-only access, add (ro) after the name, without a space:
<accesscontrol>Admins,,Managers,,Clients(ro)</accesscontrol>
This would give anyone in the Admins or Managers groups full edit access, and read-only access to users in Clients. Users in multiple groups will get the highest level of access specified.
Note that if adding access controls to an article, you cannot lock yourself out. That is, if you are in Clients, you cannot leave Clients out of the access control list. (This option can be turned off or fine-tuned.)
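The rules in this section (groups separated by ',,', the (ro) suffix, highest level wins, and the lock-out check) can be modelled in a few functions. This is an added example for reviewing tags before they are saved, not the extension's own code. It assumes that "locked out" means ending up with no access at all, and that a Usergroup line with a space after the asterisk simply fails to match the user name; all sample data is constructed.

```python
import re

TAG_RE = re.compile(r"<accesscontrol>(.*?)</accesscontrol>", re.S | re.I)
RANK = {None: 0, "read": 1, "edit": 2}

def parse_tag(wikitext):
    """Map group -> 'edit' or 'read' from the first tag; None if the page is untagged."""
    m = TAG_RE.search(wikitext)
    if m is None:
        return None
    acl = {}
    for entry in m.group(1).split(",,"):
        entry = entry.strip()
        if not entry:
            continue
        ro = entry.endswith("(ro)")
        name = entry[:-4] if ro else entry
        # A group listed twice keeps its higher level (assumption of this model).
        acl[name] = max(acl.get(name), "read" if ro else "edit", key=RANK.get)
    return acl

def parse_usergroup(wikitext):
    """Members of a Usergroup: page, one '*Name' per line, no space after the asterisk."""
    return {line[1:].rstrip() for line in wikitext.splitlines() if line.startswith("*")}

def access_level(user, acl, groups):
    """Highest level any listed group gives the user: 'edit', 'read' or None (denied)."""
    if acl is None:
        return "edit"  # untagged page: this model applies no restriction
    levels = [lvl for g, lvl in acl.items() if user in groups.get(g, set())]
    return max(levels, key=RANK.get, default=None)

def locks_out(editor, new_wikitext, groups):
    """True if saving new_wikitext would leave the editor with no access at all."""
    return access_level(editor, parse_tag(new_wikitext), groups) is None

# Constructed sample data, not taken from a real wiki.
GROUPS = {
    "Admins": parse_usergroup("*Alice"),
    "Managers": parse_usergroup("*Bill"),
    "Clients": parse_usergroup("*Bill\n*Ted\n* Rufus"),  # '* Rufus' has the stray space
}
PAGE = "<accesscontrol>Admins,,Managers,,Clients(ro)</accesscontrol>\nQuarterly figures"

if __name__ == "__main__":
    for user in ("Alice", "Bill", "Ted", "Rufus"):
        print(user, access_level(user, parse_tag(PAGE), GROUPS))
    print(locks_out("Ted", "<accesscontrol>Admins,,Managers</accesscontrol>", GROUPS))
```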