User:Fcarpani/SpecialPageSecurity

MediaWiki extensions manual
SpecialPageSecurity
Release status: unknown
Implementation User rights, Hook, Special
Description An extension that can control the access to special pages based on groups
Author(s) Fcarpani
MediaWiki
License No license specified
Download see below
Translate the Fcarpani/SpecialPageSecurity extension if it is available at translatewiki.net

An extension that can control the access to SpecialPages based on groups

Installation

edit
  1. Include the file with this code
  2. Modify the method executePath in includes/SpecialPage.php following this instructions:
    1. Add $wfHooks in the global declaration in the function.
    2. Add the following code in the next line of the profiling instructions (wfProfileIn( ... );):
if (array_key_exists('SpecialPageAuthCheck',$wgHooks)){
        if(!wfRunHooks('SpecialPageAuthCheck'))
          return false;
      };

Configuration

edit

Now you can add the following declarations in your LocalSettings.php:

# The page to display if the access is denied. This page must be created by que wikiadmin. Can be the same used by PageSecurity. 
$wgSpecialPageAuthErrorPage = "Restricted Page";
# If $wgSpecialPageAuthEnable=true, then only users in allowed group can access to the page
$wgSpecialPageAuthEnable=true;
$wgServerName;
# $wgSpecialPageAuth is an array indexed by group. Each bucket have a regular expression for the title (without namespace) of the page.
# The group '''*''' Must be access to some pages. At least Userlogin an Userlogout.
$wgSpecialPageAuth['*']='/^(Userlogin|Userlogout)$/';
# Then other groups can have more pages...
# Logged users can list all pages. Also they can execute Userlogin and Userlogout
$wgSpecialPageAuth['user']='/SpecialPage/';
# The group boys can list all pages but only can execute Resetpass,Confiremail. Also, because they are in user, they can execute the pages for user. If a user belongs to a group with authorization, then he can execute the page. 
$wgSpecialPageAuth['boys']='/SpecialPages|Resetpass|Confirmemail/';

The PHP

edit
 <?php
 include_once('GlobalFunctions.php');
 // This is an attempt to control which SpecialPages can run each group
 //
 // The intention is set the SpecialPageExecuteBeforePage and if some conditions are not verified, display an error page.
 //
 //
 $pageSpecialSecurityVersion = '0.0.1';
 $wgExtensionFunctions[] = "wfSetSpecialPageSecurity";
 global $wgExtensionCredits,$wgHooks;
 $wgExtensionCredits['parserhook'][] = array(
     'name'=>'PageSpecialSecurity',
     'version'=>$pageSpecialSecurityVersion,
     'author'=>'Fernando Carpani',
     'url'=>'http://www.mediawiki.org/wiki/User:Fcarpani/SpecialPageSecurity',
     'description' => 'Restricts access to special pages according to security definitions'
     );
 $wgHooks['SpecialPageAuthCheck'][]="SpecialPageAuthCheck"; /* Must be a boolean function. */     


 // The array $wgSpecialPageAuth have list of group that can execute this special page. 
 // The variable $wgSpecialPageAuthEnable control de check (if true, then the do the check

 // global $wgSpecialPageAuth; is an array indexed by group and has a regular expression of allowed special page names.
 // global $wgSpecialPageAuthEnable; 

 function wfSetSpecialPageSecurity() {
   global $wgSpecialPageAuth,$wgSpecialPageAuthEnable;
   if ($wgSpecialPageAuth==NULL){
     $wgSpecialPageAuth=array();
   }
   if ($wgSpecialPageAuthEnable==NULL){
     $wgSpecialPageAuthEnable=false;
   }
         wfDebug("=====>SetSpecialPageSecurity\n");
 } 

 // The implementation is based on a new hook SpecialPageAuthCheck 

 function SpecialPageAuthCheck(){
   global $wgSpecialPageAuthErrorPage,$wgUser,$wgTitle,$wgOut; 

   if (!SpecialPageAuthTest($wgTitle,$wgUser)){
     if (empty($wgSpecialPageAuthErrorPage)) return false;
     $title = Title::newFromText($wgSpecialPageAuthErrorPage);
     $redirectURL = $title->getFullURL();
     $wgOut->redirect($redirectURL);
     wfDebug(sprintf("====>SpecialPageAuthCheck: %s user=%d no permitida\n",$wgTitle->mDbkeyform,$wgUser->mId));
     return false;
   }
  return true;
 }



 function SpecialPageAuthTest(&$title,&$user){
   global $wgSpecialPageAuthEnable,$wgSpecialPageAuth;
   //$user=$wgUser;
   //$title=$wgTitle;
   wfDebug(sprintf("===>SpecialPageAuthTest: title=%s , user=%d\n",$title->mDbkeyform,$user->mId));

   if($wgSpecialPageAuthEnable){
     // get user groups
     wfDebug(sprintf("===>SpecialPageAuthCheck: AuthEnable title=%s,user=%d\n",$title->mDbkeyform,$user->mId));
     $user_groups=$user->getEffectiveGroups();
     // Sysops can execute with basis in other checks.
     if (in_array("sysop", $user_groups)) {
                 return true;  // sysop access override granted
     } else  {
            // if the user has a group that is allowed to execute this page, then true, else false.
         foreach($user_groups as $group){
           wfDebug(sprintf("===>SpecialPageAuthCheck: user %d in group=%s\n",$user->mId,$group));
           #if(preg_match("$wgSpecialPageAuth[$group]",$title->mDbkeyform)){
           if(preg_match($wgSpecialPageAuth[$group], $title->mDbkeyform, $matches, PREG_OFFSET_CAPTURE)){
             wfDebug(sprintf("===>SpecialPageAuthCheck: return Allowed by group=%s\n",$group));
             return true;
           }
         }
         return false;
       }

   } else  {
       return true;
   }

 }