扩展:Lockdown
如果您需要按页面或部分页面的访问控制,建议您安装适当的内容管理包。 MediaWiki的最初目的并不是提供按页面的访问限制,并且几乎所有添加这一功能的措施或补丁都或多或少存在缺陷,这可能导致暴露机密数据。 对于任何数据泄露,我们不承担任何责任。
更多详情请参见授权扩展的安全问题 |
Lockdown 发行状态: 稳定版 |
|
---|---|
实现 | 用户权限 |
描述 | 实现按命名空间的用户组权限 |
作者 | Daniel Kinzler (Duesentrieb留言) |
MediaWiki | 1.31+ |
PHP | 5.5+ |
许可协议 | GNU通用公眾授權條款2.0或更新版本 |
下載 | README |
|
|
季度下載量 | 353 (Ranked 9th) |
前往translatewiki.net翻譯Lockdown扩展 | |
問題 | 开启的任务 · 报告错误 |
Lockdown擴展實現一個方式設定用戶組訪向指定命名空間及特殊頁面。 This provides a more finely grained security model than the one provided by the default $wgGroupPermissions and $wgNamespaceProtection settings.
The following pages about the security model used by MediaWiki per default may be helpful to understand the instructions below:
安裝
- 下载文件,并将解压后的
Lockdown
文件夹移动到extensions/
目录中。
开发者和代码贡献人员应从Git安装扩展,输入:cd extensions/
git clone https://gerrit.wikimedia.org/r/mediawiki/extensions/Lockdown - 将下列代码放置在您的LocalSettings.php 的底部:
wfLoadExtension( 'Lockdown' );
- 按需求配置
- 完成 – 在您的wiki上导航至Special:Version,以验证已成功安装扩展。
示例
To use Lockdown to:
- prevent access to Special:Export to logged in users (registered user)
- restrict editing of the project namespace to logged in users (registered users)
You can then use the following:
$wgSpecialPageLockdown['Export'] = [ 'user' ];
$wgNamespacePermissionLockdown[NS_PROJECT]['edit'] = [ 'user' ];
See below for an explanation and more examples.
配置
Note that the Lockdown extension can only be used to restrict access, not to grant it. If access is denied by some built-in setting of MediaWiki, it cannot be allowed using the Lockdown extension.
$wgSpecialPageLockdown
$wgSpecialPageLockdown
allows you to specify for each special page which user groups have access to it.
For example, to limit the use of Special:Export to logged in users, use this in LocalSettings.php
:
$wgSpecialPageLockdown['Export'] = [ 'user' ];
Note that some special pages "natively" require a specific permission.
For example, Special:MovePage, which can be used to move pages, requires the "move
" permission (granted only to logged-in users per default).
This restriction can not be overridden using the Lockdown extension.
Some special page titles are not capitalized the way they appear on-wiki. For instance, Special:RecentChanges is Recentchanges internally, so to restrict it you need:
$wgSpecialPageLockdown['Recentchanges'] = [ 'user' ];
A full list of special page titles is available in the "MessagesEn.php" file ($specialPageAliases
array) or alternatively use the "siteinfo" API module like e.g. /api.php?action=query&meta=siteinfo&siprop=specialpagealiases in your wiki.
$wgActionLockdown
$wgActionLockdown
allows you to specify for each action which user groups have access to it.
For example, to limit the use of the history page to logged in users, use this in LocalSettings.php:
$wgActionLockdown['history'] = [ 'user' ];
Note that some actions can not be locked down this way. In particular, it will not work for the ajax
action.
$wgNamespacePermissionLockdown
$wgNamespacePermissionLockdown
lets you restrict which user groups have which permissions on which namespace. For example, to grant only members of the sysop group write access to the project namespace, use this:
$wgNamespacePermissionLockdown[NS_PROJECT]['edit'] = [ 'sysop' ];
Wildcards for either the namespace or the permission (but not both at once) are supported. More specific definitions take precedence:
$wgNamespacePermissionLockdown[NS_PROJECT]['*'] = [ 'sysop' ];
$wgNamespacePermissionLockdown[NS_PROJECT]['read'] = [ '*' ];
$wgNamespacePermissionLockdown['*']['move'] = [ 'autoconfirmed' ];
The first two lines restrict all permissions in the project namespace to members of the sysop group, but still allow reading to anyone. The third line limits page moves in all namespaces to members of the autoconfirmed group.
Note that this way, you cannot grant permissions that have not been allowed by the build-in $wgGroupPermissions setting. The following does not allow regular users to patrol edits in the main namespace:
$wgNamespacePermissionLockdown[NS_MAIN]['patrol'] = [ 'user' ];
Instead, you would have to grant this right in $wgGroupPermissions first, and then restrict it again using $wgNamespacePermissionLockdown:
$wgGroupPermissions['user']['patrol'] = true;
$wgNamespacePermissionLockdown['*']['patrol'] = [ 'sysop' ];
$wgNamespacePermissionLockdown[NS_MAIN]['patrol'] = [ 'user' ];
Note that when restricting read-access to a namespace, the restriction can easily be circumvented if the user has read access to any other namespace: by including a read-protected page as a template, it can be made visible. To avoid this, you would have to forbid the use of pages from that namespace as templates, by adding the namespace's ID to $wgNonincludableNamespaces :
$wgNamespacePermissionLockdown[NS_PROJECT]['read'] = [ 'user' ];
$wgNonincludableNamespaces[] = NS_PROJECT;
You can of course also use Lockdown with custom namespaces defined using $wgExtraNamespaces :
// define custom namespaces
$wgExtraNamespaces[100] = 'Private';
$wgExtraNamespaces[101] = 'Private_talk';
// restrict "read" permission to logged in users
$wgNamespacePermissionLockdown[100]['read'] = [ 'user' ];
$wgNamespacePermissionLockdown[101]['read'] = [ 'user' ];
// prevent inclusion of pages from that namespace
$wgNonincludableNamespaces[] = 100;
$wgNonincludableNamespaces[] = 101;
Note that custom namespaces should always be defined in pairs, the namespace proper (with an even id), and the associated talk namespace (with an odd id).
If you want to use constants to refer to your namespaces, you need to define them:
// define constants for your custom namespaces, for a more readable configuration
define('NS_PRIVATE', 100);
define('NS_PRIVATE_TALK', 101);
// define custom namespaces
$wgExtraNamespaces[NS_PRIVATE] = 'Private';
$wgExtraNamespaces[NS_PRIVATE_TALK] = 'Private_talk';
// restrict "read" permission to logged in users
$wgNamespacePermissionLockdown[NS_PRIVATE]['read'] = [ 'user' ];
$wgNamespacePermissionLockdown[NS_PRIVATE_TALK]['read'] = [ 'user' ];
// prevent inclusion of pages from that namespace
$wgNonincludableNamespaces[] = NS_PRIVATE;
$wgNonincludableNamespaces[] = NS_PRIVATE_TALK;
You could also use array_fill() to restrict multiple namespaces at once, e.g. if you wanted to restrict namespaces 0 to 2009 to editing by sysops only:
$wgNamespacePermissionLockdown = array_fill( 0, 2010, [ 'edit' => [ 'sysop' ] ] );
$wgNamespacePermissionLockdown vs $wgActionLockdown
$wgActionLockdown
is checked considerably sooner (in the MediaWikiPerformAction hook) in the request-handling process than $wgNamespacePermissionLockdown
(which is checked in the getUserPermissionsErrors hook).
If an action that $wgActionLockdown
does not permit is attempted, a permission error is displayed. Likewise, $wgNamespacePermissionLockdown
lets the end user know which groups are allowed to perform the action.
Managing groups
You can control which user belongs to which groups with the page Special:Userrights. Only existing groups will be proposed, but you can "create" a new group by creating an entry for it in $wgGroupPermissions (even if you don't actually need to set a permission there, but it has to appear on the left hand side of the array). For example:
$wgGroupPermissions['somegroupname']['read'] = true;
For more information, see Help:User rights, Manual:User rights, and Manual:User rights management.
Additional measures
Images and other uploaded files still can be seen and included on any page. Protections on the Image namespace do not prevent that. See Manual:Image Authorisation for information on how to prevent unauthorized access to images. See also:
Known issues
Lockdown is known to be broken for MW 1.27.x to 1.30.x [1]. Possible side-effects of using it include:
- Incomplete list of namespaces showing under the Advanced tab of Special:Search and on the special page for ReplaceText
- Searchbox no longer offering autocompletion for certain namespaces
A workaround may be to list all namespaces under $wgContentNamespaces , but success is not guaranteed. Another temporary solution is to use a version before the breaking commits, as detailed in Topic:Tr4xxpln3fnpz3eu.
See also
- Category:User rights extensions
- GroupManager (BlueSpice) - for adding, editing and deleting user groups
- PermissionManager (BlueSpice) - for administering user rights to user groups
- UserProtect - Allows per-user per-right per-page protection
- PageOwnership - Multi-layered permission manager, whole wiki or specific pages, with friendly interface
- AccessControl - Allows restricting access to specific pages and files
- CategoryLockdown - Allows restricting access by category and group
此扩展在以下wiki农场/托管网站和/或软件包中提供: 這不是一份權威名單。 即使某些wiki农场/托管网站和/或软件包未在这里列出,它们也可能提供此扩展。 请检查你的wiki农场/托管网站或软件包以确认提供情况。 |