Need to restrict areas of a wiki by user

classic Classic list List threaded Threaded
14 messages Options
Reply | Threaded
Open this post in threaded view
|

Need to restrict areas of a wiki by user

Bob Bader
My boss had me implement a wiki (media wiki 1.63) n Mac Os X and we  
have restricted it so users have to log in with these settings in the  
localsettings.php
-----------
$wgWhitelistRead = array( "Main Page", "Special:Userlogin" );
$wgGroupPermissions['*']['read'] = false;
-------------------


Now my boss wants to limit certain areas/pages of the wiki to  
specified users.

Is there an easy way to do this?

I was looking at the extension PageProtection

http://meta.wikimedia.org/wiki/PageProtection

But it appears I will have to re install PHP with  some new modules  
for the encryption.


Is there any easier way to  restrict access to a page for only  
certain users?


Thanks


Bob
_______________________________________________
MediaWiki-l mailing list
[hidden email]
http://mail.wikipedia.org/mailman/listinfo/mediawiki-l
Reply | Threaded
Open this post in threaded view
|

Re: Need to restrict areas of a wiki by user

Brion Vibber
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Bob Bader wrote:

> My boss had me implement a wiki (media wiki 1.63) n Mac Os X and we  
> have restricted it so users have to log in with these settings in the  
> localsettings.php
> -----------
> $wgWhitelistRead = array( "Main Page", "Special:Userlogin" );
> $wgGroupPermissions['*']['read'] = false;
> -------------------
>
>
> Now my boss wants to limit certain areas/pages of the wiki to  
> specified users.
>
> Is there an easy way to do this?

That is not supported by MediaWiki.

Third-party hacks may not be secure; if you actually require this sort
of read limitation for any real reason you should install software which
supports that kind of security from the ground up.

- -- brion vibber (brion @ pobox.com)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD4DBQFFdxQgwRnhpk1wk44RAgblAJiL6Iikq/HhBM7wj7cs0Lft74IzAKCi86k1
4fTcHja43JiQn4uFctEDgQ==
=xf7o
-----END PGP SIGNATURE-----
_______________________________________________
MediaWiki-l mailing list
[hidden email]
http://mail.wikipedia.org/mailman/listinfo/mediawiki-l
Reply | Threaded
Open this post in threaded view
|

Re: Need to restrict areas of a wiki by user

George William Herbert
On 12/6/06, Brion Vibber <[hidden email]> wrote:

>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Bob Bader wrote:
> > My boss had me implement a wiki (media wiki 1.63) n Mac Os X and we
> > have restricted it so users have to log in with these settings in the
> > localsettings.php
> > -----------
> > $wgWhitelistRead = array( "Main Page", "Special:Userlogin" );
> > $wgGroupPermissions['*']['read'] = false;
> > -------------------
> >
> >
> > Now my boss wants to limit certain areas/pages of the wiki to
> > specified users.
> >
> > Is there an easy way to do this?
>
> That is not supported by MediaWiki.
>
> Third-party hacks may not be secure; if you actually require this sort
> of read limitation for any real reason you should install software which
> supports that kind of security from the ground up.
>
> - -- brion vibber (brion @ pobox.com)



To second this, that's one of the areas where Twiki and a few of the other
alternatives win out in some commercial deployments.

It would be nice to add it to MediaWiki at some point, as the MW software
and user experience are far superior to Twiki and the other alternatives,
but I believe we've established that it's not something useful for the
WikiMedia Foundation projects and therefore a really low priority (which may
never be gotten to).


--
-george william herbert
[hidden email]
_______________________________________________
MediaWiki-l mailing list
[hidden email]
http://mail.wikipedia.org/mailman/listinfo/mediawiki-l
Reply | Threaded
Open this post in threaded view
|

Re: Need to restrict areas of a wiki by user

Fernando Correia
In reply to this post by Bob Bader
I'm too trying to implement this. There are some alternatives. None of them
seems sufficiently secure or user-friendly. Some have glaring holes. But
take a look:

*[ <http://meta.wikimedia.org/wiki/Page_access_restriction_with_MediaWiki>
http://www.mediawiki.org/wiki/Group_Based_Access_Control_Extension Group
Based Access Control Extension]
*[http://meta.wikimedia.org/wiki/PageProtection PageProtection]
*[http://meta.wikimedia.org/wiki/PageProtectionPlus PageProtectionPlus]
*[http://meta.wikimedia.org/wiki/Page_access_restriction_with_MediaWiki Page
access restriction with MediaWiki] (see
[
http://conseil-recherche-innovation.net/index.php/1974/04/11/41-restrict-pages-under-mediawiki-15Restrict
pages under MediaWiki])
*[http://meta.wikimedia.org/wiki/Hidden_pages Hidden pages]
*[http://meta.wikimedia.org/wiki/NamespacePermissions_Extension
NamespacePermissions
Extension]
*[http://meta.wikimedia.org/wiki/Help:User_rights Help:User rights]
*[http://meta.wikimedia.org/wiki/Setting_user_rights_in_MediaWikiHelp:Setting
user rights in MediaWiki]
*[http://meta.wikimedia.org/wiki/Preventing_Access Preventing Access]
_______________________________________________
MediaWiki-l mailing list
[hidden email]
http://mail.wikipedia.org/mailman/listinfo/mediawiki-l
Reply | Threaded
Open this post in threaded view
|

Re: Need to restrict areas of a wiki by user

Jim Hu
Why not just have separate wikis for your different groups?  We tried  
setting permissions for namespaces on one wiki...users promptly  
created new pages in the main namespace that were viewable by  
everyone.  Since the ability to create links and new pages is part of  
the whole point...
=====================================
Jim Hu


On Dec 6, 2006, at 11:29 AM, Fernando Correia wrote:

> I'm too trying to implement this. There are some alternatives. None  
> of them
> seems sufficiently secure or user-friendly. Some have glaring  
> holes. But
> take a look:
>
> *[ <http://meta.wikimedia.org/wiki/ 
> Page_access_restriction_with_MediaWiki>
> http://www.mediawiki.org/wiki/Group_Based_Access_Control_Extension 
> Group
> Based Access Control Extension]
> *[http://meta.wikimedia.org/wiki/PageProtection PageProtection]
> *[http://meta.wikimedia.org/wiki/PageProtectionPlus 
> PageProtectionPlus]
> *[http://meta.wikimedia.org/wiki/ 
> Page_access_restriction_with_MediaWiki Page
> access restriction with MediaWiki] (see
> [
> http://conseil-recherche-innovation.net/index.php/1974/04/11/41- 
> restrict-pages-under-mediawiki-15Restrict
> pages under MediaWiki])
> *[http://meta.wikimedia.org/wiki/Hidden_pages Hidden pages]
> *[http://meta.wikimedia.org/wiki/NamespacePermissions_Extension
> NamespacePermissions
> Extension]
> *[http://meta.wikimedia.org/wiki/Help:User_rights Help:User rights]
> *[http://meta.wikimedia.org/wiki/ 
> Setting_user_rights_in_MediaWikiHelp:Setting
> user rights in MediaWiki]
> *[http://meta.wikimedia.org/wiki/Preventing_Access Preventing Access]
> _______________________________________________
> MediaWiki-l mailing list
> [hidden email]
> http://mail.wikipedia.org/mailman/listinfo/mediawiki-l

_______________________________________________
MediaWiki-l mailing list
[hidden email]
http://mail.wikipedia.org/mailman/listinfo/mediawiki-l
Reply | Threaded
Open this post in threaded view
|

Re: Need to restrict areas of a wiki by user

Andy Roberts-2
In reply to this post by Bob Bader
On 06/12/06, Bob Bader <[hidden email]> wrote:

> My boss had me implement a wiki (media wiki 1.63) n Mac Os X and we
> have restricted it so users have to log in with these settings in the
> localsettings.php
> -----------
> $wgWhitelistRead = array( "Main Page", "Special:Userlogin" );
> $wgGroupPermissions['*']['read'] = false;
> -------------------
>
>
> Now my boss wants to limit certain areas/pages of the wiki to
> specified users.
>
> Is there an easy way to do this?

These certain areas/pages will effectively constitute a seperate wiki
so one idea might be to implement it as such.  You could then use
interwiki to link between the two or more installations.  Not ideal,
but doable.

--
Andy Roberts

http://distributedresearch.net/blog/
_______________________________________________
MediaWiki-l mailing list
[hidden email]
http://mail.wikipedia.org/mailman/listinfo/mediawiki-l
Reply | Threaded
Open this post in threaded view
|

Re: Need to restrict areas of a wiki by user

Ricardo Rodríguez
In reply to this post by Bob Bader
At least on this side: one of the rules of thumb for the functioning of our group is based in what we call "user empowerment principle": once a user create a new page containing an original (at least within the group) idea, she/he must be empowered to grant access to team members she/he trust.

There are general policies people must follow.

We know how to do that while managing file access. To implement the same system with the collaborative edition environment is our main challenge at the moment.

And I am struggling to stick MediaWiki as long as possible. My problem is that is really difficult for me to contribute, if possible taking into account the basis of the whole project, to such an extension. I understand that it is not a priority and why, but perhaps it must be taken into account that the control of confidence relations is a must for most of the human-based  teams!

Greetings,

Ricardo  

---
Ricardo Rodríguez
Your XEN ICT Team
>>> Jim Hu<[hidden email]> 07/12/06 9:15 >>>
Why not just have separate wikis for your different groups?  We tried  
setting permissions for namespaces on one wiki...users promptly  
created new pages in the main namespace that were viewable by  
everyone.  Since the ability to create links and new pages is part of  
the whole point...
=====================================
Jim Hu


On Dec 6, 2006, at 11:29 AM, Fernando Correia wrote:

> I'm too trying to implement this. There are some alternatives. None  
> of them
> seems sufficiently secure or user-friendly. Some have glaring  
> holes. But
> take a look:
>
> *[ <http://meta.wikimedia.org/wiki/ 
> Page_access_restriction_with_MediaWiki>
> http://www.mediawiki.org/wiki/Group_Based_Access_Control_Extension 
> Group
> Based Access Control Extension]
> *[http://meta.wikimedia.org/wiki/PageProtection PageProtection]
> *[http://meta.wikimedia.org/wiki/PageProtectionPlus 
> PageProtectionPlus]
> *[http://meta.wikimedia.org/wiki/ 
> Page_access_restriction_with_MediaWiki Page
> access restriction with MediaWiki] (see
> [
> http://conseil-recherche-innovation.net/index.php/1974/04/11/41- 
> restrict-pages-under-mediawiki-15Restrict
> pages under MediaWiki])
> *[http://meta.wikimedia.org/wiki/Hidden_pages Hidden pages]
> *[http://meta.wikimedia.org/wiki/NamespacePermissions_Extension
> NamespacePermissions
> Extension]
> *[http://meta.wikimedia.org/wiki/Help:User_rights Help:User rights]
> *[http://meta.wikimedia.org/wiki/ 
> Setting_user_rights_in_MediaWikiHelp:Setting
> user rights in MediaWiki]
> *[http://meta.wikimedia.org/wiki/Preventing_Access Preventing Access]
> _______________________________________________
> MediaWiki-l mailing list
> [hidden email]
> http://mail.wikipedia.org/mailman/listinfo/mediawiki-l

_______________________________________________
MediaWiki-l mailing list
[hidden email]
http://mail.wikipedia.org/mailman/listinfo/mediawiki-l


_______________________________________________
MediaWiki-l mailing list
[hidden email]
http://mail.wikipedia.org/mailman/listinfo/mediawiki-l
Reply | Threaded
Open this post in threaded view
|

Re: Need to restrict areas of a wiki by user

Fernando Correia
In reply to this post by Jim Hu
Multiple wikis might be too fragmented. For instance, search would be
difficult.

One larger wiki can achieve a critical mass more easily.

2006/12/7, Jim Hu <[hidden email]>:

> Why not just have separate wikis for your different groups?  We tried
> setting permissions for namespaces on one wiki...users promptly
> created new pages in the main namespace that were viewable by
> everyone.  Since the ability to create links and new pages is part of
> the whole point...
> =====================================
> Jim Hu
>
>
> On Dec 6, 2006, at 11:29 AM, Fernando Correia wrote:
>
> > I'm too trying to implement this. There are some alternatives. None
> > of them
> > seems sufficiently secure or user-friendly. Some have glaring
> > holes. But
> > take a look:
> >
> > *[ <http://meta.wikimedia.org/wiki/
> > Page_access_restriction_with_MediaWiki>
> > http://www.mediawiki.org/wiki/Group_Based_Access_Control_Extension
> > Group
> > Based Access Control Extension]
> > *[http://meta.wikimedia.org/wiki/PageProtection PageProtection]
> > *[http://meta.wikimedia.org/wiki/PageProtectionPlus
> > PageProtectionPlus]
> > *[http://meta.wikimedia.org/wiki/
> > Page_access_restriction_with_MediaWiki Page
> > access restriction with MediaWiki] (see
> > [
> > http://conseil-recherche-innovation.net/index.php/1974/04/11/41-
> > restrict-pages-under-mediawiki-15Restrict
> > pages under MediaWiki])
> > *[http://meta.wikimedia.org/wiki/Hidden_pages Hidden pages]
> > *[http://meta.wikimedia.org/wiki/NamespacePermissions_Extension
> > NamespacePermissions
> > Extension]
> > *[http://meta.wikimedia.org/wiki/Help:User_rights Help:User rights]
> > *[http://meta.wikimedia.org/wiki/
> > Setting_user_rights_in_MediaWikiHelp:Setting
> > user rights in MediaWiki]
> > *[http://meta.wikimedia.org/wiki/Preventing_Access Preventing Access]
> > _______________________________________________
> > MediaWiki-l mailing list
> > [hidden email]
> > http://mail.wikipedia.org/mailman/listinfo/mediawiki-l
>
> _______________________________________________
> MediaWiki-l mailing list
> [hidden email]
> http://mail.wikipedia.org/mailman/listinfo/mediawiki-l
>
_______________________________________________
MediaWiki-l mailing list
[hidden email]
http://mail.wikipedia.org/mailman/listinfo/mediawiki-l
Reply | Threaded
Open this post in threaded view
|

Re: Need to restrict areas of a wiki by user

Fernando Correia
In reply to this post by Ricardo Rodríguez
I have reviewed the protection extensions available. None really does
what my company needs, so I'm venturing into creating a new one, based
on ideas from the existing ones.

If it works this is how it will be used:

// 1. Use the MediaWiki features to create associate users to user groups.
//
// 2. Create named security definitions using a markup like this in a
protected page:
// <security-definition name="Official documentation">
//     <deny action="read">guests</deny>
//     <allow action="read">all</allow>
//     <allow action="edit">sysops, writers</allow>
// </security-definition>
//
// 3. Create a template to ease the page security specification:
// Template:Official_documentation
// This is an official documentation page. The access is restricted.
// <security>Official documentation</security>
//
// 4. Use the security definition template in the pages that should be
protected by it:
// {{Official documentation}}
_______________________________________________
MediaWiki-l mailing list
[hidden email]
http://mail.wikipedia.org/mailman/listinfo/mediawiki-l
Reply | Threaded
Open this post in threaded view
|

Re: Need to restrict areas of a wiki by user

Jim Hu
Other than search, what fragmentation issues are you concerned about  
from separate wikis?  I'm wondering if it would be easier to add  
interwiki searching than to shut off all the unanticipated holes in  
an intrawiki access control system.  An extension to pass an HTTP  
search request to another wiki and reformulate the links would  
probably not be too hard to write.  With either separate wikis or  
controlled access, the permutations of how users might screw up are  
mind boggling, especially if the groups are not just nonintersecting  
subsets of larger groups.  But I think it might be easier to  
configure interwiki searching so that searches only are allowed to  
the appropriate wiki instances.

Anyway, just my $0.02.  I hope I'm wrong and you come up with  
something great!  Some random questions/comments about your approach:

I'd be interested in how you set up the extension to evaluate  
properly from inside a template/transclusion.  I think there are some  
extensions (Cite.php?) that have had problems with that.
When a privileged user creates a new page link from a secured page,  
do you imagine that the new page will be secure by default? Or will  
someone patrol the wiki and administer adding security definitions.

Do you want to block unauthorized users from even knowing that pages  
exist?  By analogy to shell, ls doesn't show files to a user who  
doesn't have permissions on a directory.  If you don't, then I think  
you're going to discourage users from using the wiki by giving them  
lots of "access restricted" messages when they click on something  
that looks like a link.  If you do want to hide pages  you're going  
to need group-specific handling of search, categories, allpages, what  
links here, etc.   Search returns a snippet of the page.  Is that a  
problem?

It also looks like you are thinking of not using namespaces as the  
level for access restriction.  One of the advantages of restricting  
at the namespace level is that there is already control over  
searching to include or exclude specific namespaces.  It might be not  
so hard to exploit that.  The disadvantage is that your users will  
put things in the wrong namespaces by mistake.

=====================================
Jim Hu


On Dec 7, 2006, at 9:32 AM, Fernando Correia wrote:

> I have reviewed the protection extensions available. None really does
> what my company needs, so I'm venturing into creating a new one, based
> on ideas from the existing ones.
>
> If it works this is how it will be used:
>
> // 1. Use the MediaWiki features to create associate users to user  
> groups.
> //
> // 2. Create named security definitions using a markup like this in a
> protected page:
> // <security-definition name="Official documentation">
> //     <deny action="read">guests</deny>
> //     <allow action="read">all</allow>
> //     <allow action="edit">sysops, writers</allow>
> // </security-definition>
> //
> // 3. Create a template to ease the page security specification:
> // Template:Official_documentation
> // This is an official documentation page. The access is restricted.
> // <security>Official documentation</security>
> //
> // 4. Use the security definition template in the pages that should be
> protected by it:
> // {{Official documentation}}
> _______________________________________________
> MediaWiki-l mailing list
> [hidden email]
> http://mail.wikipedia.org/mailman/listinfo/mediawiki-l

_______________________________________________
MediaWiki-l mailing list
[hidden email]
http://mail.wikipedia.org/mailman/listinfo/mediawiki-l
Reply | Threaded
Open this post in threaded view
|

Re: Need to restrict areas of a wiki by user

Fernando Correia
Thank you for your reply. My answers are below.

2006/12/7, Jim Hu <[hidden email]>:

> Other than search, what fragmentation issues are you concerned about
> from separate wikis?  I'm wondering if it would be easier to add
> interwiki searching than to shut off all the unanticipated holes in
> an intrawiki access control system.  An extension to pass an HTTP
> search request to another wiki and reformulate the links would
> probably not be too hard to write.  With either separate wikis or
> controlled access, the permutations of how users might screw up are
> mind boggling, especially if the groups are not just nonintersecting
> subsets of larger groups.  But I think it might be easier to
> configure interwiki searching so that searches only are allowed to
> the appropriate wiki instances.

I'm concerned that it would be too confusing for our user base to have
several wikis and try to present them as one. For instance, templates
would be local, so would be recent changes, user preferences. Linking
would be awkward (interwiki). And so on.

There's this advice as well from http://www.freepint.com/issues/270706.htm#tips:

<< Wherever we've deployed smaller per-department or per-team wikis
they've rapidly grown stale. Either because there wasn't enough
content, or that users were already contributing to another wiki and
naturally continued to add content there. In almost all cases we've
ended up shutting them down. >>

>
> Anyway, just my $0.02.  I hope I'm wrong and you come up with
> something great!  Some random questions/comments about your approach:
>
> I'd be interested in how you set up the extension to evaluate
> properly from inside a template/transclusion.  I think there are some
> extensions (Cite.php?) that have had problems with that.

I realize there are many potential holes. I'll try my best to make it
work. ISince MediaWiki is not security-friendly, I may have to patch
it, although I'll try to avoid it.

> When a privileged user creates a new page link from a secured page,
> do you imagine that the new page will be secure by default? Or will
> someone patrol the wiki and administer adding security definitions.

No, I don't plan to inherit security from other pages, namespaces or
categories. I plan to have a default security for pages without
specific security information. And I also plan to show on the page its
security level, maybe using icons, borders or colors. Also, since I
use models for new pages, the users can use them to create a new page
with predefined security information. Anyway it will be just a
template like {{Documentation}} that will also insert other things
like categories, etc.

>
> Do you want to block unauthorized users from even knowing that pages
> exist?  By analogy to shell, ls doesn't show files to a user who
> doesn't have permissions on a directory.  If you don't, then I think
> you're going to discourage users from using the wiki by giving them
> lots of "access restricted" messages when they click on something
> that looks like a link.  If you do want to hide pages  you're going
> to need group-specific handling of search, categories, allpages, what
> links here, etc.   Search returns a snippet of the page.  Is that a
> problem?

My priority will be to block content. In some places, I could also
hide page titles. But I don't plan to try and hide all of them. Anyway
I plan to publish the extension for peer review and evolution.

>
> It also looks like you are thinking of not using namespaces as the
> level for access restriction.  One of the advantages of restricting
> at the namespace level is that there is already control over
> searching to include or exclude specific namespaces.  It might be not
> so hard to exploit that.  The disadvantage is that your users will
> put things in the wrong namespaces by mistake.

That's right, namespaces seem like an easier solution to implement.
But it would be more difficult to use and more error-prone. For
instance:

* User would have to make links like [[Documentation:Some title|Some
title]] instead of [[Some title]].
* In many places it would be show "Documentation:Some title" anyway.
* If people forgot and used "[[Some title]]" in a link, it would be on
the default namespace that would probably be low-security.
_______________________________________________
MediaWiki-l mailing list
[hidden email]
http://mail.wikipedia.org/mailman/listinfo/mediawiki-l
Reply | Threaded
Open this post in threaded view
|

Re: Need to restrict areas of a wiki by user

MHart
In reply to this post by Fernando Correia
I created a restriction extension that can prevent access using users or
groups. You just do this:

<restrict>user1,user2,group1,group2</restrict>

When a user attempts to access the page who is not listed in the <restrict>
tag, and is not a member of a listed group, then they are redirected to a
page that tells them "its a restricted page, blah blah".

At Intuit, it is used in a few, select groups where they discuss policy,
security, things that have SEC regulations regarding disclosure and
employees who sell stock. In such cases, it isn't a matter of "trust" in an
organization with more than 7,000 employees, rather it is a matter of
company security (we also hire plenty of contractors who gain temporary
access to our intranet for various reasons) as well as a matter of law (SEC
regs for a public company).

The code is very simple. It renders the "<restrict>etc...</>" tag area in
red as "Restricted page: user1, etc...". If the user/group isn't found, it
redirects the user to a page titled "Restricted Page".

 $wgExtensionFunctions[] = "wfRestrictExtension";

 function wfRestrictExtension() {
     global $wgParser;
     $wgParser->setHook( "restrict", "renderRestrict" );
 }

# The callback function for converting the input text to HTML output
 function renderRestrict( $input ) {
 global $wgUser,$wgOut;

 $inputvars = explode(',', $input);
 $uName = $wgUser->getName();
 $rights = $wgUser->getRights();

 foreach ($inputvars as $val)
 {
  if ($val == $uName)
   return "<br><font color=red>Restricted Page: </font>" . $input . "<br>";
   // return;
  foreach ($rights as $r)
  {
   if ($r == $val)
    return "<br><font color=red>Restricted Page: </font>" . $input . "<br>";
    // return;
  }
 }

 $wgTitle = Title::newFromURL("Restricted_Page");
  $wgOut->redirect($wgTitle->getFullURL());

 return;
 }


- MHart

_______________________________________________
MediaWiki-l mailing list
[hidden email]
http://mail.wikipedia.org/mailman/listinfo/mediawiki-l
Reply | Threaded
Open this post in threaded view
|

Re: Need to restrict areas of a wiki by user

Fernando Correia
Thank you for the info. The redirect trick is interesting.

It seems that this extensions still leaves some holes, though. Like
search results and action=edit.

2006/12/8, MHart <[hidden email]>:

> I created a restriction extension that can prevent access using users or
> groups. You just do this:
>
> <restrict>user1,user2,group1,group2</restrict>
>
> When a user attempts to access the page who is not listed in the <restrict>
> tag, and is not a member of a listed group, then they are redirected to a
> page that tells them "its a restricted page, blah blah".
>
> At Intuit, it is used in a few, select groups where they discuss policy,
> security, things that have SEC regulations regarding disclosure and
> employees who sell stock. In such cases, it isn't a matter of "trust" in an
> organization with more than 7,000 employees, rather it is a matter of
> company security (we also hire plenty of contractors who gain temporary
> access to our intranet for various reasons) as well as a matter of law (SEC
> regs for a public company).
>
> The code is very simple. It renders the "<restrict>etc...</>" tag area in
> red as "Restricted page: user1, etc...". If the user/group isn't found, it
> redirects the user to a page titled "Restricted Page".
>
>  $wgExtensionFunctions[] = "wfRestrictExtension";
>
>  function wfRestrictExtension() {
>      global $wgParser;
>      $wgParser->setHook( "restrict", "renderRestrict" );
>  }
>
> # The callback function for converting the input text to HTML output
>  function renderRestrict( $input ) {
>  global $wgUser,$wgOut;
>
>  $inputvars = explode(',', $input);
>  $uName = $wgUser->getName();
>  $rights = $wgUser->getRights();
>
>  foreach ($inputvars as $val)
>  {
>   if ($val == $uName)
>    return "<br><font color=red>Restricted Page: </font>" . $input . "<br>";
>    // return;
>   foreach ($rights as $r)
>   {
>    if ($r == $val)
>     return "<br><font color=red>Restricted Page: </font>" . $input . "<br>";
>     // return;
>   }
>  }
>
>  $wgTitle = Title::newFromURL("Restricted_Page");
>   $wgOut->redirect($wgTitle->getFullURL());
>
>  return;
>  }
>
>
> - MHart
>
> _______________________________________________
> MediaWiki-l mailing list
> [hidden email]
> http://mail.wikipedia.org/mailman/listinfo/mediawiki-l
>
_______________________________________________
MediaWiki-l mailing list
[hidden email]
http://mail.wikipedia.org/mailman/listinfo/mediawiki-l
Reply | Threaded
Open this post in threaded view
|

Re: Need to restrict areas of a wiki by user

MHart
> It seems that this extensions still leaves some holes, though. Like
> search results and action=edit.

We use a Google appliance on our sites - it cannot search restricted pages.
Action=edit is a hole, yes, as an internal-only site though, we didn't try
to force that.

I did at one time, though. To prevent action=edit on such pages, I hacked
index.php (now it would be in includes/Wiki.php) to check the page content
before any processing (via the page title requested) and restrict to users
and groups in there.

You are correct in that any purely extension method cannot fully prevent
viewing the page info - you have to hack the software to get that.

We also have a few wikis that are blocked by user name/password on the
folder, but that goes back to the separate wiki that the requester wants to
avoid.

- MHart

_______________________________________________
MediaWiki-l mailing list
[hidden email]
http://mail.wikipedia.org/mailman/listinfo/mediawiki-l