미디어위키 확장 기능 매뉴얼
OOjs UI icon advanced.svg
출시 상태: 안정
구현 User rights
설명 Implements per-namespace group permissions
만든이 Daniel Kinzler (Duesentriebtalk)
MediaWiki 1.23+
데이터베이스 변경 아니오
라이선스 GPLv2+
  • $wgNamespacePermissionLockdown
  • $wgSpecialPageLockdown
  • $wgActionLockdown
Lockdown 확장 기능 번역 (translatewiki.net에서 가능한 경우)
사용법과 버전 매트릭스를 확인합니다.
이슈 미해결 작업 · 버그 보고

Lockdown 확장 도구는 주어진 사용자 그룹 집합에 대해 특정 이름공간 또는 페이지로의 접근을 제한하는 방법을 구현합니다. 이는 기본으로 제공되는 $wgGroupPermissions, $wgNamespaceProtection 설정보다 더 잘 조직된 시큐리티 모델을 제공합니다.

미디어위키에서 기본으로 사용되는 시큐리티 모델에 대한 다음 문서들은 아래 지침을 이해하는 데 도움을 줄 것입니다.


  • 파일을 다운로드해서, extensions/ 폴더 내의 Lockdown 이라는 이름의 디렉터리 내에 설치합니다.
  • 아래의 코드를 LocalSettings.php의 말미에 추가합니다:
    require_once "$IP/extensions/Lockdown/Lockdown.php";
  • Configure as required below calling the extension with require_once.
  •   완료 – 위키의 ‘Special:Version’에 이동해서, 확장기능이 올바르게 설치된 것을 확인합니다.


To use Lockdown to prevent access to Special:Export and restrict editing of the project namespace to logged in users (registered users), you can then use the following:

$wgSpecialPageLockdown['Export'] = array('user');
$wgNamespacePermissionLockdown[NS_PROJECT]['edit'] = array('user');

See below for an explanation and more examples.

환경 설정Edit

Note that the Lockdown extension can only be used to *restrict* access, not to *grant* it. If access is denied by some built-in setting of MediaWiki, it cannot be allowed using the Lockdown extension.


$wgSpecialPageLockdown allows you to specify for each special page which user groups have access to it. For example, to limit the use of Special:Export to logged in users, use this in LocalSettings.php:

$wgSpecialPageLockdown['Export'] = array('user');

Note that some special pages "natively" require a specific permission. For example, Special:Userrights, which can be used to assign user groups, requires the "userrights" permission (granted only to the "bureaucrat" group per default). This restriction can not be overridden using the Lockdown extension.

Some special page titles are not capitalized the way they appear on-wiki. For instance, Special:RecentChanges is Recentchanges internally, so to restrict it you need:

$wgSpecialPageLockdown['Recentchanges'] = array('user');

A full list of special page titles is available in /includes/specials/ or in the "MessagesEn.php" file ($specialPageAliases array)


r45703 이래로 $wgActionLockdown allows you to specify for each action which user groups have access to it. For example, to limit the use of the history page to logged in users, use this in LocalSettings.php:

$wgActionLockdown['history'] = array('user');

Note that some actions can not be locked down this way. In particular, it will not work for the ajax action.


$wgNamespacePermissionLockdown lets you restrict which user groups have which permissions on which namespace. For example, to grant only members of the sysop group write access to the project namespace, use this:

$wgNamespacePermissionLockdown[NS_PROJECT]['edit'] = array('sysop');

Wildcards for either the namespace or the permission (but not both at once) are supported. More specific definitions take precedence:

$wgNamespacePermissionLockdown[NS_PROJECT]['*'] = array('sysop');
$wgNamespacePermissionLockdown[NS_PROJECT]['read'] = array('*');

$wgNamespacePermissionLockdown['*']['move'] = array('autoconfirmed');

The first two lines restrict all permissions in the project namespace to members of the sysop group, but still allow reading to anyone. The third line limits page moves in all namespaces to members of the autoconfirmed group.

Note that this way, you cannot *grant* permissions that have not been allowed by the build-in $wgGroupPermissions setting. The following does *not* allow regular users to patrol edits in the main namespace:

$wgNamespacePermissionLockdown[NS_MAIN]['patrol'] = array('user');

Instead, you would have to grant this right in $wgGroupPermissions first, and then restrict it again using $wgNamespacePermissionLockdown:

$wgGroupPermissions['user']['patrol'] = true;

$wgNamespacePermissionLockdown['*']['patrol'] = array('sysop');
$wgNamespacePermissionLockdown[NS_MAIN]['patrol'] = array('user');

Note that when restricting read-access to a namespace, the restriction can easily be circumvented if the user has read access to any other namespace: by including a read-protected page as a template, it can be made visible. To avoid this, you would have to forbid the use of pages from that namespace as templates, by adding the namespace's ID to $wgNonincludableNamespaces (this feature was introduced in MediaWiki 1.10, revision 19934, and is also available as an extension for earlier versions):

$wgNamespacePermissionLockdown[NS_PROJECT]['read'] = array('user');
$wgNonincludableNamespaces[] = NS_PROJECT;

You can of course also use Lockdown with custom namespaces defined using $wgExtraNamespaces:

#define custom namespaces
$wgExtraNamespaces[100] = 'Private';
$wgExtraNamespaces[101] = 'Private_talk';

#restrict "read" permission to logged in users
$wgNamespacePermissionLockdown[100]['read'] = array('user');
$wgNamespacePermissionLockdown[101]['read'] = array('user');

#prevent inclusion of pages from that namespace
$wgNonincludableNamespaces[] = 100;
$wgNonincludableNamespaces[] = 101;

Note that custom namespaces should always be defined in pairs, the namespace proper (with an even id), and the associated talk namespace (with an odd id).

If you want to use constants to refer to your namespaces, you need to define them:

#define constants for your custom namespaces, for a more readable configuration
define('NS_PRIVATE', 100);
define('NS_PRIVATE_TALK', 101);

#define custom namespaces
$wgExtraNamespaces[NS_PRIVATE] = 'Private';
$wgExtraNamespaces[NS_PRIVATE_TALK] = 'Private_talk';

#restrict "read" permission to logged in users
$wgNamespacePermissionLockdown[NS_PRIVATE]['read'] = array('user');
$wgNamespacePermissionLockdown[NS_PRIVATE_TALK]['read'] = array('user');

#prevent inclusion of pages from that namespace
$wgNonincludableNamespaces[] = NS_PRIVATE;
$wgNonincludableNamespaces[] = NS_PRIVATE_TALK;

You could also use array_fill() to restrict multiple namespaces at once, e.g. if you wanted to restrict namespaces 0 to 2009 to editing by sysops only:

$wgNamespacePermissionLockdown = array_fill( 0, 2010, array( 'edit' => array( 'sysop' ) ) );

Managing groupsEdit

You can control which user belongs to which groups with the page Special:Userrights. Only existing groups will be proposed, but you can "create" a new group by creating an entry for it in Manual:$wgGroupPermissions (even if you don't actually need to set a permission there, but it has to appear on the left hand side of the array). For example:

$wgGroupPermissions['somegroupname']['read'] = true;

For more information, see Help:User rights, Manual:User rights, and Manual:User rights management.

Additional measuresEdit

숨은 문서들Edit

The Lockdown extension may prevent page content from being shown, but it does not remove inaccessible pages from listings. To hide such pages, several patches must be applied to MediaWiki. See Extension:Lockdown/hiding_pages for some (unofficial) suggestions. See also mailarchive:mediawiki-l/2009-June/031231.html.

Images and other uploaded filesEdit

Images and other uploaded files still can be seen and included on any page. Protections on the Image namespace do not prevent that. See Manual:Image Authorisation for information on how to prevent unauthorized access to images. See also:

같이 보기Edit

English  • 日本語 • 한국어 • русский