2012-08-19

Rm space. Apostrophes of omission.


Revision as of 11:21, 19 August 2012

Line 1:

Line 1:

{{languages}}

{{languages}}



For help customizing user rights, see [[Manual:User rights]]. This page contains examples useful for restricting access.

For help customizing user rights, see [[Manual:User rights]]. This page contains examples useful for restricting access.

Most of the examples need changes to MediaWiki configuration file [[Manual:LocalSettings.php|LocalSettings.php]]. Snippets of code with no accompanying instructions must be added to LocalSettings.php to take effect. To add one or more lines to the file, follow these steps:

Most of the examples need changes to MediaWiki configuration file [[Manual:LocalSettings.php|LocalSettings.php]]. Snippets of code with no accompanying instructions must be added to LocalSettings.php to take effect. To add one or more lines to the file, follow these steps:



# If there is a ?> at the end of the file, remove it. It's not necessary and may cause problems in certain situations.

+

# If there is a ?> at the end of the file, remove it. It's unnecessary and may cause problems in certain situations.



# Add the line to the '''end''' of the file, using a text editor. It doesn't matter if there are some blank lines above or below the addition. '''Do not use Windows Notepad''', which may add a "[[w:Byte Order Mark|Byte Order Mark]]" (BOM) and muck up the file. Typical symptoms of BOMs include white pages and errors about headers already being sent. To remove a BOM, you'll have to edit the file in a [[w:hex editor|hex editor]]. Windows WordPad seems to work fine, as does [[wikipedia:Notepad++|Notepad++]]. Removal of BOMs can also be accomplished using the [[w:Vim (text_editor)|Vim text editor]] by opening the file in Vim, typing :set nobomb, and resaving the file. If you're using a Mac, TextEdit will also do the job.

+

# Add the line to the '''end''' of the file, using a text editor. It doesn't matter if there are some blank lines above or below the addition. '''Do not use Windows Notepad''', which may add a "[[w:Byte Order Mark|Byte Order Mark]]" (BOM) and muck up the file. Typical symptoms of BOMs include white pages and errors about headers already being sent. To remove a BOM, you'll have to edit the file in a [[w:hex editor|hex editor]]. Windows WordPad seems to work fine, as does [[wikipedia:Notepad++|Notepad++]]. Removal of BOMs can also be accomplished using the [[w:Vim (text_editor)|Vim text editor]] by opening the file in Vim, typing :set nobomb, and resaving the file. If you're using a Mac, TextEdit will also do the job.



For more detailed information on editing LocalSettings.php read [[Manual:LocalSettings.php]].

+

For more detailed information on editing LocalSettings.php, read [[Manual:LocalSettings.php]].

==Simple private wiki==

==Simple private wiki==
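
Review bot: The reworded step 1 still reads "It's unnecessary", so a contraction survives here while the later change in this same revision expands "it's possible" to "it is possible"; pick one convention, for example "It is unnecessary and may cause problems in certain situations." Step 2 also says that to remove a BOM "you'll have to edit the file in a hex editor" and then gives the Vim ":set nobomb" route, so "you'll have to" should become "you can".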

Line 56:

Line 55:

#:When you click the "create account" button instead, you have to manually send the user his password. If you've set [[Manual:$wgMinimalPasswordLength|$wgMinimalPasswordLength=0]] (default configuration up to version 1.15) and you've left the password field blank, the user will be emailed an e-mail address confirmation request but will be unable to access [[Manual:Interface/Special pages summary|Special:Confirmemail]] to perform the confirmation. Instead, the user will get an error (unless you've added it to [[Manual:$wgWhitelistRead|$wgWhitelistRead]]); the user will be able to login with a blank password and then confirm email, but their password will not have been reset (it will have to be reset manually).

#:When you click the "create account" button instead, you have to manually send the user his password. If you've set [[Manual:$wgMinimalPasswordLength|$wgMinimalPasswordLength=0]] (default configuration up to version 1.15) and you've left the password field blank, the user will be emailed an e-mail address confirmation request but will be unable to access [[Manual:Interface/Special pages summary|Special:Confirmemail]] to perform the confirmation. Instead, the user will get an error (unless you've added it to [[Manual:$wgWhitelistRead|$wgWhitelistRead]]); the user will be able to login with a blank password and then confirm email, but their password will not have been reset (it will have to be reset manually).



It may be appropriate to edit the text displayed when a non-user attempts to log in. This can be done at [[MediaWiki:Nosuchuser]], when logged in as a sysop. Use plain text without any special formatting, as the formatting is ignored and the text is literally rendered. (Might have changed, see [[Mediazilla:12952|bug 12952]]).

+

It may be appropriate to edit the text displayed when a non-user attempts to log in. This can be done at [[MediaWiki:Nosuchuser]], when logged in as a sysop. Use plain text without any special formatting, as the formatting is ignored and the text is literally rendered. (Might have changed, see [[Mediazilla:12952|bug 12952]]).

You may also modify the contents of the e-mail sent to new users by editing the page [[MediaWiki:Createaccount-text]].

You may also modify the contents of the e-mail sent to new users by editing the page [[MediaWiki:Createaccount-text]].
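
Review bot: The unchanged account-creation note at the top of this hunk says that with $wgMinimalPasswordLength=0 and a blank password field the user "will be able to login with a blank password" until a manual reset, but it gives the administrator no instruction for avoiding that state; add a sentence telling them to fill in the password field or set a non-zero $wgMinimalPasswordLength before creating accounts this way. In the edited paragraph, "(Might have changed, see bug 12952)." is left unresolved, and the period sits outside a parenthetical that is a full sentence; check the bug and state the current behaviour.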

Line 207:

Line 206:

{{Page security extension disclaimer}}

{{Page security extension disclaimer}}



To prevent anyone but sysops from viewing a page, it can simply be [[Help:Deleting a page|deleted]]. To prevent even sysops from viewing it, it can be removed more permanently with [[Extension:Oversight|the Oversight extension]]. To completely destroy the text of the page, it can be manually removed from the database. In any case, the page cannot be edited while in this state, and for most purposes no longer exists.

+

To prevent anyone but sysops from viewing a page, it can simply be [[Help:Deleting a page|deleted]]. To prevent even sysops from viewing it, it can be removed more permanently with [[Extension:Oversight|the Oversight extension]]. To completely destroy the text of the page, it can be manually removed from the database. In any case, the page cannot be edited while in this state, and for most purposes no longer exists.

To have a page act normally for some users but be invisible to others, as is possible for instance in most forum software, is a very different matter. MediaWiki is designed for two basic access modes:

To have a page act normally for some users but be invisible to others, as is possible for instance in most forum software, is a very different matter. MediaWiki is designed for two basic access modes:



# Everyone can view every single page on the wiki (with the possible exception of a few special pages). This is the mode used by Wikipedia and its sister projects.

+

# Everyone can view every single page on the wiki (with the possible exception of a few special pages). This is the mode used by Wikipedia and its sister projects.

# Anonymous users can only view the Main Page and login page, and cannot edit any page. This is basically the same as the above, in terms of technical implementation (just an extra check for every page view), which is why it exists. This is the mode of operation used by certain private wikis such as those used by various Wikimedia committees.

# Anonymous users can only view the Main Page and login page, and cannot edit any page. This is basically the same as the above, in terms of technical implementation (just an extra check for every page view), which is why it exists. This is the mode of operation used by certain private wikis such as those used by various Wikimedia committees.



'''If you intend to have different view permissions than that, MediaWiki is not designed for your usage.''' (See [[Mediazilla:1924|bug 1924]].) Data is not necessarily clearly delineated by namespace, page name, or other criteria, and there are a lot of leaks you'll have to plug if you want to make it so (see ''[[security issues with authorization extensions]]'' for a sample). Other wiki software may be more suitable for your purpose. You have been warned. If you must use MediaWiki, there are two basic possibilities:

+

'''If you intend to have different view permissions than that, MediaWiki is not designed for your usage.''' (See [[Mediazilla:1924|bug 1924]].) Data is not necessarily clearly delineated by namespace, page name, or other criteria, and there are a lot of leaks you'll have to plug if you want to make it so (see ''[[security issues with authorization extensions]]'' for a sample). Other wiki software may be more suitable for your purpose. You have been warned. If you must use MediaWiki, there are two basic possibilities:

# Set up separate wikis with a [[Manual:$wgSharedDB|shared user database]], configure one as viewable and one as unviewable ([[#Disable anonymous reading|see above]]), and [[Help:Interwiki linking|make interwiki links]] between them.

# Set up separate wikis with a [[Manual:$wgSharedDB|shared user database]], configure one as viewable and one as unviewable ([[#Disable anonymous reading|see above]]), and [[Help:Interwiki linking|make interwiki links]] between them.
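
Review bot: In the bold warning paragraph, the pointer to the known leaks, ''[[security issues with authorization extensions]]'', is the only link in this hunk without a namespace or interwiki prefix (the others use Manual:, Help:, Extension: or Mediazilla:); confirm the target resolves from this page, since it is the reference a reader needs before attempting per-page view restrictions. While touching this paragraph, "different view permissions than that" would read better as "view permissions other than these two modes".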

Line 245:

Line 244:

However, using [[Extension:User Merge and Delete|User Merge and Delete extension]] you can merge the account in another one and delete the former; the original account will then "disappear". If you want to preserve history readability (i.e., to have edits from the user to be still shown under his name), you can create a new account e.g. with username "OriginalUserName (deactivated)" and then merge "OriginalUserName" into the former, or even use [[Extension:Renameuser|Renameuser extension]] to rename "OriginalUserName" into "AnotherUserName", then create an account under "OriginalUserName" and merge "AnotherUserName" into it: in this manner, "OriginalUserName" will be completely "usurped" (if you've set a non-null password).

However, using [[Extension:User Merge and Delete|User Merge and Delete extension]] you can merge the account in another one and delete the former; the original account will then "disappear". If you want to preserve history readability (i.e., to have edits from the user to be still shown under his name), you can create a new account e.g. with username "OriginalUserName (deactivated)" and then merge "OriginalUserName" into the former, or even use [[Extension:Renameuser|Renameuser extension]] to rename "OriginalUserName" into "AnotherUserName", then create an account under "OriginalUserName" and merge "AnotherUserName" into it: in this manner, "OriginalUserName" will be completely "usurped" (if you've set a non-null password).



In MediaWiki 1.16.0 it's possible to set [[Manual:$wgBlockDisablesLogin|$wgBlockDisablesLogin]] to true to prevent access and reading to blocked users.

+

In MediaWiki 1.16.0, it is possible to set [[Manual:$wgBlockDisablesLogin|$wgBlockDisablesLogin]] to true to prevent access and reading to blocked users.

==Other restrictions==

==Other restrictions==
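
Review bot: "In MediaWiki 1.16.0, it is possible" in the reworded sentence reads as if $wgBlockDisablesLogin exists only in that one release; if the setting was introduced in 1.16.0, say "Since MediaWiki 1.16.0". The tail "to prevent access and reading to blocked users" is still ungrammatical after the copyedit; something like "to stop blocked users from logging in and reading pages" would be clearer.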

Line 271:

Line 270:

*[http://tikiwiki.org/ TikiWiki] has fully configuable access control to features and permission levels.

*[http://tikiwiki.org/ TikiWiki] has fully configuable access control to features and permission levels.



If you want better access control but want to use MediaWiki, this is a list of '''extensions''' and hacks to allow restrictions not possible in the software proper. These hacks may be out-of-date (check the version they're for). Please don't ask in official MediaWiki support channels if something goes wrong with a third-party hack.

+

If you want better access control but want to use MediaWiki, this is a list of '''extensions''' and hacks to allow restrictions not possible in the software proper. These hacks may be out-of-date (check the version they're for). Please don't ask in official MediaWiki support channels if something goes wrong with a third-party hack.

*[[Extension:NamespacePermissions]]

*[[Extension:NamespacePermissions]]
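
Review bot: The context line just above the edited paragraph still has the typo "configuable" in the TikiWiki entry, which a copyedit pass over this section should fix ("configurable"). The edited paragraph also keeps "they're" and "don't", which is inconsistent with the expansion of "it's" to "it is" elsewhere in this revision.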

Line 287:

Line 286:

*[[Extension:Halo Access Control List]]

*[[Extension:Halo Access Control List]]

*[[Extension:SimpleSecurity]]

*[[Extension:SimpleSecurity]]



*[[meta:Page access restriction with MediaWiki]]

*[[meta:Page access restriction with MediaWiki]]
