Extension:Semantic ACL

MediaWiki extensions manual
Semantic ACL
Release status: stable
Description Allows per-page (or file) read and edit restrictions to be set using Semantic MediaWiki properties.
Author(s)
Maintainer(s) Antoine Mercier-Linteau
Latest version 0.3
MediaWiki 1.38+
PHP 7.0+
Database changes No
License GNU General Public License 2.0 or later
Download
  • $wgSemanticACLWhitelistIPs
  • $wgSemanticACLEnableCascadingACL
  • $wgSemanticACLEnablePrivateLinks
  • $wgSemanticACLPublicImagesCategory
  • sacl-exempt
  • view-non-categorized-media

Compatibility

  • Semantic MediaWiki 4.0 and later
Quarterly downloads 13 (Ranked 123rd)
Translate the Semantic ACL extension if it is available at translatewiki.net
Issues Open tasks · Report a bug

The Semantic ACL (Access Control List) extension allows read and edit restrictions to be set on pages and files using semantic properties. Restrictions can be for anonymous/registered users, user groups, or individual users.

Features

edit

On top of denying viewing or editing of pages to certain users, Semantic ACL:

Works through transclusions
If a page transcludes a page or a subset of the page with protection in place, users not allowed to view that content will see a placeholder message instead.
Works with files
If a file is protected, users not allowed to see the file will be denied access to the file page and will see placeholder content where the file is used on other pages. Placeholder content will be displayed instead if a file is uncategorized or part of a category that an anonymous user cannot see. Please note that this does not prevent files from being retrieved using raw URLs.
Works with search results and semantic queries
Search results, including a page that a user cannot see, won't display its content, only its title. Semantic page queries (except count) exclude pages a user can't view.
Works with Structured Discussions and talk pages
A talk page or a structured discussion will get the same protection as its associated content page.
Works within the wiki
No need to edit LocalSettings.php to modify restrictions; everything is done from inside your wiki.
Works with many use cases
Restrictions can be enabled for anonymous/registered users, user groups, or individual users.
Allows sharing protected pages with a private link
A key can be defined on a page to allow certain visitors to bypass protection when they have the private link.
Cascading permissions
Parent pages can cascade their permissions to sub-pages.

Installation

edit
  • Install Semantic MediaWiki as instructed in its documentation since this extension is required to function.
  • Download and move the extracted SemanticACL folder to your extensions/ directory.
    Developers and code contributors should install the extension from Git instead, using:cd extensions/
    git clone https://gerrit.wikimedia.org/r/mediawiki/extensions/SemanticACL
  • Add the following code at the bottom of your LocalSettings.php file:
    wfLoadExtension( 'SemanticACL' );
    
  • Configure as required.
  •   Done – Navigate to Special:Version on your wiki to verify that the extension is successfully installed.

Usage

edit
This extension turns off the parser cache for pages that have ACL permissions.

To set restrictions, mark up a page with the appropriate properties.

To set read restrictions, use this property: [[Visible to::]]. If set to whitelist set allowed users or groups:

  • [[Visible to user::]]
  • [[Visible to group::]]

To set edit restrictions (which apply to all other actions), use this property: [[Editable by::]]. If set to whitelist set allowed users or groups:

  • [[Editable by user::]]
  • [[Editable by group::]]

The "main" property (Editable by or Visible to) can take one or more of these values. Except for "public", a user must satisfy all conditions set.

  • public — overrides all other values and never denies access.
  • users — denies access to users who are not logged in.
  • whitelist — denies access to all users who are not whitelisted, either explicitly or by being in a whitelisted group.
  • key — allows access by private link (ie: http://mediawiki.org/Extension:Semantic_ACL?semanticacl-key=12345abcde);
    • the key for the link is configured using the {{#SEMANTICACL_PRIVATE_LINK:12345abcde}} magic word; the magic word will also output the private link.
    • Private links only work for page viewing;
    • Changing the private link will invalidate previous versions of the private link.

The read and edit restrictions have separate whitelists. You can add one or more users or groups to the whitelist using the appropriate properties. Note that the User: prefix is mandatory for the single-user whitelist (eg: [[Editable by user::User:John_Doe]]).

Example

edit

These properties, included on a page, would allow only users in the "moderator" group to read the page and only the user "Chief Moderator" to edit it. Visitors have the private link containing the correct key.

[[Visible to::whitelist]]
[[Visible to group::moderator]]

[[Editable by::whitelist]]
[[Editable by user::User:Chief Moderator]]

[[Visible to::key]]
{{#SEMANTICACL_PRIVATE_LINK:12345abcde}} <!-- outputs http://mediawiki.org/Extension:Semantic_ACL?semanticacl-key=12345abcde  -->

Property values are displayed by default in the output. If you don't want to, wrap them in a hidden <div> or use {{#set: Property name=property value }}

<div style="display:none">[[Visible to::whitelist]]</div>
{{#set:Visible to group=moderator}}

User rights

edit
sacl-exempt

Users with the sacl-exempt user group are never allowed access by this extension. This failsafe prevents pages from becoming permanently uneditable by having an empty whitelist.

By default, administrators (users in the sysop group) are given this right.

Also, IPs listed in $wgSemanticACLWhitelistIPs are also granted full access.

view-non-categorized-media

When $wgPublicImagesCategory is set, users that have the view-non-categorized-media right can browse media that has not been categorized as public.

Cascading ACL

edit

Permissions from a page can be cascaded to all subpages when [[Cascade permissions to subpages::1]] is set.

The following rules apply when cascading:

  1. If a subpage does not define any ACL properties, permissions are looked up on the base page until a page with cascading enabled is found, or there is no more base page
  2. A page is free to override permissions set by a base page
  3. A private link to a base page that cascades its permissions will grant access to all subpages unless a subpage overrides the permissions
  4. cascading is expensive because permissions have to be looked up to the whole chain; hence, it is disabled by default.

Configuration

edit
Parameter Default Comment Examples
$wgSemanticACLWhitelistIPs null IPs listed in this array are granted full access To give local host full access: ['127.0.0.1', '::1']
$wgSemanticACLPublicImagesCategory null Only files within this category are shown to unregistered users. This feature is useful for wikis that use copyrighted images that have not been cleared for public viewing. Non-copyrighted_files
$wgSemanticACLEnablePrivateLinks true Allows the bypassing of page protections using a private link.
$wgSemanticACLEnableCascadingACL false Enable cascading ACL.

See also

edit