Extension:Restrict access by category and group
 | If you need per-page or partial page access restrictions, you are advised to install an appropriate content management package. MediaWiki was not written to provide per-page access restrictions, and almost all hacks or patches promising to add them will likely have flaws somewhere, which could lead to exposure of confidential data. We are not responsible for anything being leaked.
For further details, see Security issues with authorisation extensions |
| This extension stores its source code on a wiki page. Please be aware that this code may be unreviewed or maliciously altered. They may contain security holes, outdated interfaces that are no longer compatible etc. Note: No localisation updates are provided for this extension by translatewiki.net. |
 | This extension is currently not actively maintained! Although it may still work, any bug reports or feature requests will more than likely be ignored. |
 Release status: unmaintained |
|
|---|---|
| Implementation | User rights |
| Description | Restrict access to pages by users groups and documents categories |
| Author(s) | Andrés Orencio Ramírez Pérez - Andy (lodopidolotalk) |
| Latest version | 2.0.1 (Extension talk) (2016-10-16) |
| MediaWiki | Tested on 1.12.0 to 1.16.0 |
| License | GNU General Public License 2.0 or later |
| Download | No link |
|
private |
|
This extension can restrict access to users by group and document category.
Even though MediaWiki is a free/public access collaborative document tool, sometimes it can be helpful, especially in business environments, to have a restricted view of wiki documents.
For example, department's financial documents should not be accessed by customer services users.
In this extension you can establish four access restrictions:
- Public: White pages: those are public pages that can be accessed by everybody. This is helpful when you have a private MediaWiki and anonymous can only authenticate and see Main page. See $wgWhitelistRead.
- Public categories: those are all categories that aren't in your groups.php file. Those categories are public.
- No public categories: those are all categories that are in your groups.php file. Those categories are restricted. Documents that belong to these categories may be accessed by users who belong to at least one of these groups.
- Private categories:those are all categories that are in your groups.php file with [private] = true option. These categories are private, and only users who belong to one or more of this categories closed to which the document will have access. It is the same behavior that if the document did not belong to any of the no public categories basis only membership to the private category (respect to access).
Configuration Example
[edit]If you have same configuration like this:
then:
- user1 could access to public document 1 only.
- user 2 could access to public document 1, no public document 3 and no public document 4.
- user 3 could access to public document 1, no public document 3, no public document 4 and private document 2.
Usage
[edit]All documents you want to restrict access to, you must add to a category. So you have multiple categories.
Files:
- $IP/extensions/rabcg/rabcg.php: this is the extension.
- $IP/extensions/rabcg/groups.php: this is the group catalog.
In your groups.php file, you must add the categories you want to make no public or private. This is made by group definition. For Example:
<?php
// This is a no public category: Financial no public data.
$wgGroupPermissions['Financial no public data']['*'] = true;
// This is a private category: Financial private data.
$wgGroupPermissions['Financial private data']['private'] = true;
To apply this category to your document, you only must write:
[[Category:Financial private data]]
This is only one more category of your document.
Previously (after create the groups in your groups.php file), you must make groups assignments to users by Special:UserRights page.
Download instructions
[edit]This extension is not yet in MediaWiki SVN Repository. Therefore, you must copy & paste the following code as is explained in the installation section below.
Installation
[edit]To install this extension, create a file extensions/RestrictAccessByCategoryAndGroup/RestrictAccessByCategoryAndGroup.php with the following code:
<?php
if ( !defined( 'MEDIAWIKI' ) ) {
die( 'Not a valid entry point.' );
}
$wgExtensionCredits['parserhook'][] = array(
'name' => 'Restrict access by category and group',
'author' => 'Andrés Orencio Ramirez Perez',
'url' => 'https://www.mediawiki.org/wiki/Extension:Restrict_access_by_category_and_group',
'description' => 'Allows to restrict access to pages by users groups and page categories',
'version' => '2.0.1'
);
$wgHooks['getUserPermissionsErrors'][] = 'restrictAccessByCategoryAndGroup';
function restrictAccessByCategoryAndGroup( $title, $user, $action, &$result ) {
global $wgGroupPermissions;
global $wgWhitelistRead;
global $wgLang;
global $wgHooks;
global $wgContLang;
global $wgWhitelistRead;
global $wgVersion;
//The Main Page, Login and Logout pages should always be accessible
if ( $wgVersion >= '1.17' ) {
$wgWhitelistRead[] = wfMessage( 'mainpage' )->plain();
} else {
$wgWhitelistRead[] = wfMsgForContent( 'mainpage' );
}
$wgWhitelistRead[] = SpecialPage::getTitleFor( 'Userlogin' )->getLocalUrl();
$wgWhitelistRead[] = SpecialPage::getTitleFor( 'Userlogout' )->getLocalUrl();
$validCategory = false;
$groupExists = false;
$pageHasCategories = false;
$privateCategory = false;
$privateCategoryTemp = false;
$categoryNamespace = $wgLang->getNsText( NS_CATEGORY );
$whitePage = true;
//System categories
$systemCategory = array();
foreach ( array_change_key_case( $title->getParentCategories(), CASE_LOWER ) as $key => $value ) {
$formatedKey = substr( $key, ( strpos( $key, ":" ) + 1 ) );
$systemCategory[ $formatedKey ] = $value;
}
//Is this page a white page?
if ( isset( $wgWhitelistRead[0] ) ) {
$whitePage = in_array( $title, $wgWhitelistRead );
}
//If the page has no categories, it's public.
if ( count( $title->getParentCategories() ) == 0 ) {
$validCategory = true;
} else {
//For each system categories
foreach ( $wgGroupPermissions as $key => $value ) {
//If current system category is defined as private, then tmpCatP is true
if ( isset( $wgGroupPermissions[ $key ]['private'] ) ) {
$privateCategoryTemp = $wgGroupPermissions[ $key ]['private'];
} else {
$privateCategoryTemp = false;
}
//If current system category exist in the document category array ...
if ( array_key_exists( strtolower( str_replace( " ", "_", $key ) ), $systemCategory ) ) {
if ( $privateCategoryTemp and !$privateCategory ) {
$privateCategory = true;
$validCategory = false;
}
//We see that the user belongs to one of the groups (like of category)
if ( in_array( $key, $user->getGroups() ) and ( !$privateCategory or ( $privateCategoryTemp and $privateCategory ) ) ) {
$validCategory = true;
}
$groupExists = true;
}
}
$pageHasCategories = count( $title->getParentCategories() ) > 0;
}
if ( !$pageHasCategories ) {
return true;
}
if ( !$groupExists and !$whitePage ) {
return true;
}
if ( ( $user->isRegistered() and $validCategory ) or $whitePage ) {
return true;
}
$result = false;
return false;
}
Then add the following to your LocalSettings.php:
require_once "$IP/extensions/RestrictAccessByCategoryAndGroup/RestrictAccessByCategoryAndGroup.php";
$wgGroupPermissions['Financial no public data']['*'] = true;
$wgGroupPermissions['Financial private data']['private'] = true;
Note : User::getGroups was deprecated in MediaWiki 1.35
[edit]AH01071: Got error 'PHP message: PHP Deprecated: Use of MediaWiki\\User\\User::getGroups was deprecated in MediaWiki 1.35. [Called from restrictAccessByCategoryAndGroup in /mediawiki/extensions/RestrictAccessByCategoryAndGroup/RestrictAccessByCategoryAndGroup.php at line 74] in /mediawiki/includes/debug/MWDebug.php on line 386'
extensions/RestrictAccessByCategoryAndGroup/RestrictAccessByCategoryAndGroup.php
Ligne 74 :
if ( in_array( $key, $user->getGroups() ) and ( !$privateCategory or ( $privateCategoryTemp and $privateCategory ) ) ) {
...
How to solved the error AH01071 ?