Extension:FlaggedRevs/Restricting unapproved revisions
<translate> If you need per-page or partial page access restrictions, you are advised to install an appropriate content management package.</translate> <translate> MediaWiki was not written to provide per-page access restrictions, and almost all hacks or patches promising to add them will likely have flaws somewhere, which could lead to exposure of confidential data.</translate> <translate> We are not responsible for anything being leaked.</translate>
<translate> For further details, see [[<tvar name=1>Special:MyLanguage/Security issues with authorization extensions</tvar>|Security issues with authorisation extensions]]</translate> |
This page describes how to only give read access to the stable versions of articles to anonymous users for MediaWiki 1.17+.
Basic idea
This approach works as follows:
- (i) Make all pages unreadable and uneditable by non-users (that is, readable only for users)
- (ii) But make the stable version of pages an exception in that they are readable to non-users
The details to do this are described in the next few sections.
Making the site readable only by users
See Manual:Preventing_access#Restrict_viewing_of_all_pages and Manual:Preventing_access#Restrict_editing_of_all_pages
Add these lines to your LocalSettings.php file:
# Disable reading by anonymous users
$wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['*']['edit'] = false;
# But allow them to read e.g., these pages:
$wgWhitelistRead = array ( "Main Page", "Special:Userlogin", "Help:Contents");
# Like previous, but for French (be careful of encoding! save file as UTF-8!)
# $wgWhitelistRead = array( ":Page Principale", "Special:Userlogin", "Aide en français");
Adding stable version as exemption for non-users
Add the following to LocalSettings.php:
# Flagged revisions are always visible to users with rights below.
# Use '*' for non-user accounts. This is for read-restricted wikis.
$wgFlaggedRevsVisible = array( '*' );
$wgFlaggedRevsVisible
is an array of user groups. Setting it to array('*')
will let all visitors be able to see the stable version of pages. Setting it to array('supergroup')
will make the stable versions visible to users in the group 'supergroup'.MediaWiki >= 1.19
Add the following code to LocalSettings.php (or an appropriate custom start-up config file):
$wgHooks['TitleReadWhitelist'][] = 'efFlaggedRevsHooks_userCanView';
...and then define the following function:
function efFlaggedRevsHooks_userCanView( Title $title, $user, &$result ) {
global $wgFlaggedRevsVisible, $wgTitle;
if ( empty( $wgFlaggedRevsVisible ) ) {
return true;
}
# Admin may set this to false, rather than array()...
$groups = $user->getGroups();
$groups[] = '*';
if ( !array_intersect( $groups, $wgFlaggedRevsVisible ) ) {
return true;
}
# See if there is a stable version. Also, see if, given the page
# config and URL params, the page can be overridden. The later
# only applies on page views of $title.
if ( !empty( $wgTitle ) && $wgTitle->equals( $title ) ) {
$view = FlaggablePageView::singleton();
// Cache stable version while we are at it.
if ( $view->showingStable() ) {
$result = true;
}
} else {
// Search and such need to know that the reader can view this page
if ( FlaggedRevision::newFromStable( $title ) ) {
$result = true;
}
}
return true;
}
MediaWiki <= 1.18
Add the following code to localsettings.php (or an appropriate custom start-up config file):
$wgHooks['userCan'][] = 'efFlaggedRevsHooks_userCanView';
...and then define the following function:
function efFlaggedRevsHooks_userCanView( Title $title, $user, $action, &$result ) {
global $wgFlaggedRevsVisible, $wgTitle;
# Assume $action may still not be set, in which case, treat it as 'view'...
# Return out if $result set to false by some other hooked call.
if ( $action !== 'read' || $result === false || empty( $wgFlaggedRevsVisible ) ) {
return true;
}
# Check if user is in a group that at least lets them see stable versions
$groups = array_merge( $user->getGroups(), array( '*' ) );
if ( !array_intersect( $groups, $wgFlaggedRevsVisible ) ) {
return true;
}
# See if there is a stable version. Also, see if, given the page
# config and URL params, the page can be overridden. The later
# only applies on page views of $title.
if ( !empty( $wgTitle ) && $wgTitle->equals( $title ) ) {
$view = FlaggedArticleView::singleton();
// Cache stable version while we are at it.
if ( $view->showingStable() ) {
$result = true;
}
} else {
// Search and such need to know that the reader can view this page
if ( FlaggedRevision::newFromStable( $title ) ) {
$result = true;
}
}
return true;
}
Caveats
$wgFlaggedRevsOverride = true
.$wgWhitelistRead
is set properly. You will at least want something like $wgWhitelistRead = array( 'Main Page', 'Special:Search' )
. You may also want visible directory or category pages. Otherwise, the wiki will be hard to browse for readers.Whitelisting non-reviewed pages per namespace
Instead of using the $wgWhitelistRead
setting to whitelist particular non-reviewed pages that should remain readable, one can whitelist selected namespaces. With this approach, one can for example whitelist:
- Only
NS_SPECIAL
– the bare minimum for usability with this approach. - All namespaces for which FlaggedRevs is not enabled.
To do the latter of these, one can modify the code for LocalSettings.php provided further above (either version), adding the below immediately above the line with the "See if there is a stable version. [...]" comment:
global $wgFlaggedRevsNamespaces;
# Whitelist page if not in a reviewed namespace
if ( !in_array( $wgTitle->getNamespace(),
$wgFlaggedRevsNamespaces ) ) {
$result = true;
return true;
}
The use of the $wgFlaggedRevsNamespaces
array in the above code can be replaced with any other array of namespace entries. In this way, one can freely configure which namespaces to whitelist.
The above approach can also be combined with the use of the $wgWhitelistRead
setting – this allows whitelisting only particular unreviewed pages in certain namespaces, while also fully whitelisting other namespaces.
By whitelisting pages inside a function, it is also possible to check pages according to other criteria than their namespaces, if needed for a particular wiki. More advanced checks might use other data provided by MediaWiki, and/or by other MediaWiki extensions.