User:Fcarpani/SpecialPageSecurity
SpecialPageSecurity Release status: unknown |
|
---|---|
Implementation | User rights, Hook, Special |
Description | An extension that can control the access to special pages based on groups |
Author(s) | Fcarpani |
MediaWiki | |
License | No license specified |
Download | see below |
Translate the Fcarpani/SpecialPageSecurity extension if it is available at translatewiki.net |
An extension that can control the access to SpecialPages based on groups
Installation
- Include the file with this code
- Modify the method executePath in includes/SpecialPage.php following these instructions:
- Add $wgHooks to the global declaration in the function.
- Add the following code on the line after the profiling call (wfProfileIn( ... );):
// Run the access check only when a SpecialPageAuthCheck handler is registered.
// If the hook run reports false, return false from the enclosing function.
if (array_key_exists('SpecialPageAuthCheck', $wgHooks) && !wfRunHooks('SpecialPageAuthCheck')) {
    return false;
}
Configuration
Now you can add the following declarations in your LocalSettings.php:
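# The page to display if access is denied. This page must be created by the wiki admin. It can be the same page used by PageSecurity.
$wgSpecialPageAuthErrorPage = "Restricted Page";
# If $wgSpecialPageAuthEnable=true, then only users in an allowed group can access the page.
# If it is false or left unset, the extension allows every request.
$wgSpecialPageAuthEnable=true;
# $wgSpecialPageAuth is an array indexed by group. Each entry holds a regular expression for the title (without namespace) of the page.
# Anchor every pattern with ^ and an end condition: preg_match() accepts a pattern found anywhere in the title,
# so an unanchored pattern also allows any title that merely contains one of the listed names.
# The group '*' must have access to some pages, at least Userlogin and Userlogout.
$wgSpecialPageAuth['*']='/^(Userlogin|Userlogout)$/';
# Then other groups can have more pages...
# Logged-in users can list all pages. They can also execute Userlogin and Userlogout.
# The optional (\/.*)? part keeps a title that carries a subpage parameter after the page name allowed.
$wgSpecialPageAuth['user']='/^SpecialPages(\/.*)?$/';
# The group boys can list all pages but can only execute Resetpass and Confirmemail. Because they are also in user, they can execute the pages allowed for user.
# A user who belongs to any group with authorization for a page can execute that page.
$wgSpecialPageAuth['boys']='/^(SpecialPages|Resetpass|Confirmemail)(\/.*)?$/';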
The PHP
<?php
include_once('GlobalFunctions.php');
// This is an attempt to control which special pages each group can run.
//
// The intention is to set SpecialPageExecuteBeforePage and, if some conditions are not met, display an error page.
//
//
// Version string reported in the credits entry below.
$pageSpecialSecurityVersion = '0.0.1';

global $wgExtensionCredits, $wgHooks;

// Setup function that fills in defaults for the configuration globals.
$wgExtensionFunctions[] = 'wfSetSpecialPageSecurity';

// Handler for the SpecialPageAuthCheck hook.
$wgHooks['SpecialPageAuthCheck'][] = 'SpecialPageAuthCheck'; /* Must be a boolean function. */

// Credits entry; it is filed under the 'parserhook' type.
$wgExtensionCredits['parserhook'][] = array(
    'name'        => 'PageSpecialSecurity',
    'version'     => $pageSpecialSecurityVersion,
    'author'      => 'Fernando Carpani',
    'url'         => 'http://www.mediawiki.org/wiki/User:Fcarpani/SpecialPageSecurity',
    'description' => 'Restricts access to special pages according to security definitions',
);
// The array $wgSpecialPageAuth holds, for each group, the special pages that the group can execute.
// The variable $wgSpecialPageAuthEnable controls the check (if true, the check is done).
// global $wgSpecialPageAuth; is an array indexed by group that holds a regular expression of allowed special page names.
// global $wgSpecialPageAuthEnable;
/**
 * Give the extension's two configuration globals a default when they are unset.
 *
 * $wgSpecialPageAuth falls back to an empty array and $wgSpecialPageAuthEnable
 * to false, so the access check stays switched off unless the configuration
 * turns it on.
 */
function wfSetSpecialPageSecurity()
{
    global $wgSpecialPageAuthEnable, $wgSpecialPageAuth;

    // Loose comparison: any value that compares equal to null receives the default.
    if (null == $wgSpecialPageAuthEnable) {
        $wgSpecialPageAuthEnable = false;
    }
    if (null == $wgSpecialPageAuth) {
        $wgSpecialPageAuth = array();
    }

    wfDebug("=====>SetSpecialPageSecurity\n");
}
// The implementation is based on a new hook SpecialPageAuthCheck
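/**
 * Hook handler for SpecialPageAuthCheck: decide whether the current request may run.
 *
 * Delegates the decision to SpecialPageAuthTest() using the globals $wgTitle and
 * $wgUser. On denial it logs the event and, when $wgSpecialPageAuthErrorPage names
 * a usable page, redirects the client there.
 *
 * NOTE(review): the decision is keyed on $wgTitle, the title of the request. Confirm
 * that this is always the special page being executed at the point where the hook
 * is run.
 *
 * @return bool true when access is allowed, false when it is denied
 */
function SpecialPageAuthCheck()
{
    global $wgSpecialPageAuthErrorPage, $wgUser, $wgTitle, $wgOut;

    if (SpecialPageAuthTest($wgTitle, $wgUser)) {
        return true;
    }

    // Record every denial, including the ones that end without a redirect.
    wfDebug(sprintf("====>SpecialPageAuthCheck: %s user=%d no permitida\n", $wgTitle->mDbkeyform, $wgUser->mId));

    if (empty($wgSpecialPageAuthErrorPage)) {
        return false;
    }

    // Title::newFromText() yields no Title object for text that is not a valid title;
    // deny without a redirect instead of calling a method on a non-object.
    $title = Title::newFromText($wgSpecialPageAuthErrorPage);
    if (!($title instanceof Title)) {
        wfDebug("====>SpecialPageAuthCheck: error page title is not valid, no redirect\n");
        return false;
    }

    $wgOut->redirect($title->getFullURL());
    return false;
}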
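/**
 * Test whether a user may execute the special page identified by a title.
 *
 * When $wgSpecialPageAuthEnable is not truthy the test is skipped and access is
 * allowed. Otherwise members of "sysop" are always allowed, and any other user is
 * allowed when the pattern configured in $wgSpecialPageAuth for at least one of
 * the user's effective groups matches $title->mDbkeyform. Groups without a
 * configured pattern grant nothing.
 *
 * @param object $title Title-like object; its mDbkeyform property is matched
 * @param object $user  User-like object; getEffectiveGroups() and mId are read
 * @return bool true when access is allowed, false otherwise
 */
function SpecialPageAuthTest(&$title, &$user)
{
    global $wgSpecialPageAuthEnable, $wgSpecialPageAuth;

    wfDebug(sprintf("===>SpecialPageAuthTest: title=%s , user=%d\n", $title->mDbkeyform, $user->mId));

    // Check disabled: every request is allowed.
    if (!$wgSpecialPageAuthEnable) {
        return true;
    }

    wfDebug(sprintf("===>SpecialPageAuthCheck: AuthEnable title=%s,user=%d\n", $title->mDbkeyform, $user->mId));
    $user_groups = $user->getEffectiveGroups();

    // Sysops bypass the per-group patterns.
    if (in_array("sysop", $user_groups, true)) {
        return true; // sysop access override granted
    }

    // One matching group is enough to allow the page.
    foreach ($user_groups as $group) {
        wfDebug(sprintf("===>SpecialPageAuthCheck: user %d in group=%s\n", $user->mId, $group));

        // A group with no usable pattern grants nothing; skipping it avoids
        // handing an undefined or empty pattern to preg_match().
        if (!isset($wgSpecialPageAuth[$group])
            || !is_string($wgSpecialPageAuth[$group])
            || $wgSpecialPageAuth[$group] === ''
        ) {
            continue;
        }

        // preg_match() returns false for a broken pattern; only a real match (1) allows.
        if (preg_match($wgSpecialPageAuth[$group], $title->mDbkeyform) === 1) {
            wfDebug(sprintf("===>SpecialPageAuthCheck: return Allowed by group=%s\n", $group));
            return true;
        }
    }

    return false;
}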