
Extension:UserVerification

From mediawiki.org
MediaWiki extensions manual
UserVerification
Release status: beta
Implementation Hook, Special page
Description Provides a framework to manage verified users through different methods and to restrict performing actions to verified or email-authenticated users
Author(s) thomas-topway-it (talk)
Latest version 1.0 (2024-08-18)
Compatibility policy Master maintains backward compatibility.
MediaWiki 1.35+
License GNU General Public License 2.0 or later
Download
  • $wgUserVerificationRequireUserVerifiedActions
  • $wgUserVerificationDisableVersionCheck
  • $wgUserVerificationEmailConfirmToEdit
  • $wgUserVerificationUploadDir
  • userverification-can-manage-verification
Quarterly downloads 1 (Ranked 136th)

UserVerification provides a framework to manage verified users through different methods and to restrict performing actions to verified or email-authenticated users. It is conceived as a near-optimal solution to protect the wiki from spam users, or to restrict specific actions on the basis of strict user verification. It can be used in conjunction with Extension:PageOwnership and Extension:PageEncryption.


Key features:

  • sensitive user data is protected with symmetric and asymmetric encryption (based on Sodium and Defuse php-encryption)
  • prevents unverified users from performing the designated set of actions
  • intuitive UI for managing user verification (for administrators) and for entering data (for users)
  • prevents users who are not email-authenticated from editing the wiki as long as the global parameter $wgUserVerificationEmailConfirmToEdit is set to true


Installation

  • Download and move the extracted UserVerification folder to your extensions/ directory
  • Run composer update --no-dev in the extension's folder to install the required PHP libraries
  • Add the following code at the bottom of your LocalSettings.php:
wfLoadExtension( 'UserVerification' );
  • Run php maintenance/update.php (it will create the database tables that this extension needs)
  • Run php extensions/UserVerification/maintenance/CreateKeys.php --password [your password] to create a site-level password with which to encrypt/decrypt all sensitive data entered by users, including files with ID and proof of residence
  • Done – Navigate to Special:Version on your wiki to verify that the extension is successfully installed.




Special page Manage users


The extension provides a special page for monitoring and managing the verification status of all users, with relevant information like "email authenticated", "editcount", "autoconfirmed", etc. Authorized users can set the verification status to one of the values "none", "pending", "verified", "not required".


Special page User verification


As long as an action is listed in the global parameter $wgUserVerificationRequireUserVerifiedActions and the user does not have the right "userverification-can-manage-verification", the action is forbidden until the status of the user is "verified".

The extension will therefore show a message to the user, with a link to a form in which the user is required to enter the following information:

  • first name
  • last name
  • sex (includes the option "decline sex identity")
  • date of birth
  • place of birth
  • country of birth
  • country of residence
  • address of residence
  • email
  • phone number (optional)
  • proof of identity (file)
  • proof of residence (file)


Note that this is the standard information required for an official identification and it is sufficient to adequately identify a user. Future versions of the extension may also feature alternative methods for user verification, like Orchid, Credas, Twitter, LinkedIn, Facebook, GitHub, etc., only upon explicit request.[1]

Also note that all the entered data is encrypted with an asymmetric key created through the maintenance script CreateKeys, and then read through an encrypted private key that is unlocked through symmetric encryption (asymmetric encryption is based on Sodium and symmetric encryption on Defuse php-encryption).

Once the user has entered their data, it will be accessible from the special page Manage users after entering the site-level password (required to decrypt the private key).
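
The key layout described above, shown as an added example (not the extension's own code): submissions are sealed to a public key, and the private key is stored only in a form wrapped under a key derived from the site-level password. To stay self-contained it uses PHP's built-in sodium functions for both parts, so the password wrapping is done with sodium_crypto_pwhash and secretbox instead of Defuse php-encryption; all function names and sample values are constructed for illustration.

```php
<?php
// Added illustration, not the extension's code. Needs PHP's bundled sodium extension.

/** Derive the symmetric wrapping key from the site-level password. */
function deriveKey(string $password, string $salt): string {
    return sodium_crypto_pwhash(
        SODIUM_CRYPTO_SECRETBOX_KEYBYTES, $password, $salt,
        SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
        SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE
    );
}

/** Create the key pair once; only the public key is stored in the clear. */
function createSiteKeys(string $password): array {
    $keypair = sodium_crypto_box_keypair();
    $salt = random_bytes(SODIUM_CRYPTO_PWHASH_SALTBYTES);
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $wrapped = sodium_crypto_secretbox(
        sodium_crypto_box_secretkey($keypair), $nonce, deriveKey($password, $salt)
    );
    return ['public' => sodium_crypto_box_publickey($keypair),
            'salt' => $salt, 'nonce' => $nonce, 'wrapped_secret' => $wrapped];
}

/** The web server can encrypt a submission with the public key alone. */
function encryptSubmission(string $plaintext, string $publicKey): string {
    return sodium_crypto_box_seal($plaintext, $publicKey);
}

/** Reading a submission requires the password to unwrap the private key. */
function decryptSubmission(string $ciphertext, array $keys, string $password): ?string {
    $secret = sodium_crypto_secretbox_open(
        $keys['wrapped_secret'], $keys['nonce'], deriveKey($password, $keys['salt'])
    );
    if ($secret === false) {
        return null; // wrong password, or the stored key blob was modified
    }
    $keypair = sodium_crypto_box_keypair_from_secretkey_and_publickey($secret, $keys['public']);
    $plain = sodium_crypto_box_seal_open($ciphertext, $keypair);
    sodium_memzero($secret);
    return $plain === false ? null : $plain;
}

// Constructed sample data.
$keys = createSiteKeys('constructed-site-password');
$ct = encryptSubmission('{"first_name":"Ada","last_name":"Example"}', $keys['public']);
var_dump(decryptSubmission($ct, $keys, 'constructed-site-password'));
var_dump(decryptSubmission($ct, $keys, 'wrong-password'));
```

With this layout, a copy of the stored keys and ciphertext is not enough to read a submission without the site-level password.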



Also note that in order to let users upload files, the folder specified by the parameter $wgUserVerificationUploadDir ("{$IP}/../MWUploads/UserVerification" by default) must be writable by the web server.


Configuration


| variable | description | default |
| --- | --- | --- |
| $wgUserVerificationEmailConfirmToEdit | require email verification to edit | true |
| $wgUserVerificationRequireUserVerifiedActions | require user verification to perform the specified actions | [] |
| $wgUserVerificationUploadDir | | {$IP}/../MWUploads/UserVerification |
| $wgUserVerificationDisableVersionCheck | disable version check | false |


Example configuration:

$wgUserVerificationEmailConfirmToEdit = true;
$wgUserVerificationRequireUserVerifiedActions = [ 'edit' ];
$wgUserVerificationUploadDir = "{$IP}/../MWUploads/UserVerification";


Rights and privileges


Groups


The extension creates the following groups (they are assignable to users through the standard special page Special:UserRights):

| group | description |
| --- | --- |
| userverification-admin | lets users manage verified users |
| userverification-require-verification | convenience group for use with Extension:PageOwnership |
| userverification-do-not-require-verification | convenience group for use with Extension:PageOwnership |


The extension creates the following user rights:

| right | description |
| --- | --- |
| userverification-can-manage-verification | Can manage verification of all users of the wiki |

Group rights


| group | userverification-can-manage-verification |
| --- | --- |
| sysop | ✓ |
| bureaucrat | ✓ |
| userverification-admin | ✓ |


Roadmap

  • add Extension:Echo notifications for admins on user registration
  • show an alert to users after sign-up to require email verification (if $wgUserVerificationEmailConfirmToEdit is set to true)
  • add alternative user verification methods like Orchid, Credas, Twitter, LinkedIn, Facebook, GitHub, etc. (only on request, please write to the email address posted here)


See also



  1. An optimal way is to use the government digital identity of your country, like https://www.spid.gov.it/, or the EU's electronic identification