Difference between revisions of "Protected Namespaces or Wikis"
From Biowikifarm Metawiki
(First version for protected namespaces and easy account approval) |
(added images) |
||
| (One intermediate revision by the same user not shown) | |||
| Line 13: | Line 13: | ||
=== protected wiki === | === protected wiki === | ||
| − | //TODO | + | It is also possible to block an entire wiki for unapproved users. This is done in the case of the [https://gfbio.biowikifarm.net/internal/ internal GFBio Wiki]. Here is the configuration of <code>LocalSettings.php</code> |
| + | <syntaxhighlight lang="php"> | ||
| + | # Disable reading by anonymous users | ||
| + | $wgGroupPermissions['*']['read'] = false; | ||
| + | |||
| + | # Disable anonymous editing | ||
| + | $wgGroupPermissions['*']['edit'] = false; | ||
| + | |||
| + | # Disable editing and reading for retired users | ||
| + | $wgGroupPermissions['retiredUser']['read'] = false; | ||
| + | $wgGroupPermissions['retiredUser']['edit'] = false; | ||
| + | |||
| + | # Disable editing and reading for registered users, too | ||
| + | # (User has to be in group activeUser) | ||
| + | $wgGroupPermissions['user']['read'] = false; | ||
| + | $wgGroupPermissions['user']['edit'] = false; | ||
| + | |||
| + | # Grant read and edit rights only for GFBio users | ||
| + | $wgGroupPermissions['gfbioUser']['read'] = true; | ||
| + | $wgGroupPermissions['gfbioUser']['edit'] = true; | ||
| + | |||
| + | $wgGroupPermissions['sysop']['read'] = true; | ||
| + | $wgGroupPermissions['sysop']['edit'] = true; | ||
| + | |||
| + | # Users should be able to log out, request an account and read the ToS | ||
| + | $wgWhitelistRead[] = "Special:UserLogout"; | ||
| + | $wgWhitelistRead[] = "Special:RequestAccount"; | ||
| + | $wgWhitelistRead[] = "GFBio_Internal_Wiki:Terms_of_Service"; //TODO:update this line | ||
| + | </syntaxhighlight> | ||
| + | |||
| + | This will show a page with the title "Permissions errors" to the user trying to access it. | ||
| + | [[File:Protected_Wiki_Permission_Error.png|frame|left|Error page when trying to access a protected wiki]]<br style="clear:both"/> | ||
| + | In order to display a bit more informative content to the users, the following script segment was added to the <code>MediaWiki:Common.js</code> page of the Internal GFBio Wiki: | ||
| + | |||
| + | <syntaxhighlight lang="javascript"> | ||
| + | // | ||
| + | // Info Screen for unregistered users and users how are not part of the 'gfbioUser' group. | ||
| + | // | ||
| + | if(wgCanonicalSpecialPageName == "Badtitle" && wgNamespaceNumber == -1){ | ||
| + | var a = document.getElementById("top"); | ||
| + | var username = ""; | ||
| + | if(wgUserName && wgUserName!=""){ | ||
| + | username = "'"+wgUserName+"'"; | ||
| + | } | ||
| + | var banner = document.createElement("div") | ||
| + | banner.setAttribute("style","background:#8CD0F4; border:2px solid #3257A0; text-align:left; padding:5px 10px;") | ||
| + | banner.innerHTML = "<h3>Login Required</h3> <p>This is the <strong>internal wiki</strong> of the GFBio Project.</p><p>To view the content of this wiki, you need: </p><ul><li>to <a href=\"https://gfbio.biowikifarm.net/internal/Special:RequestAccount\">request an account for the biowikifarm</a>. In the description you need to specify, that you are part of the GFBio team. </li></ul> or, if you already have a biowikifarm account, <ul><li>you need to have this account approved for this wiki. In order to do this, please send an email to <a href=\"mailto:d.fichtmueller@bgbm.org?subject=Approve account for GFBio wiki&body=My biowikifarm username is: "+username+"%0D%0AWork package(s):%0D%0ARole:\">d.fichtmueller@bgbm.org</a> and state your biowikifarm user name, the work packages you are involved in and your role within the project.</li></ul><p></p></div>" | ||
| + | var isGFBioUser = false; | ||
| + | for(var i=0;i<wgUserGroups.length;i++){ | ||
| + | if(wgUserGroups[i]=="gfbioUser"){ | ||
| + | isGFBioUser = true; | ||
| + | } | ||
| + | } | ||
| + | if(!isGFBioUser){ | ||
| + | a.parentElement.insertBefore(banner,a.nextSibling); | ||
| + | document.getElementById("firstHeading").style.display = "none"; | ||
| + | document.getElementById("bodyContent").style.display = "none"; | ||
| + | } | ||
| + | } | ||
| + | </syntaxhighlight> | ||
| + | |||
| + | If you want to adapt this script to another wiki, change the HTML and the required user group. | ||
| + | |||
| + | [[File:Protected Wiki Welcome Message.png|frame|left|Welcome Message shown when trying to access a protected wiki]]<br style="clear:both"/> | ||
== User Approval == | == User Approval == | ||
| Line 19: | Line 82: | ||
The script does 3 things: | The script does 3 things: | ||
| − | # it adds a link "edit rights" to options of a user when viewing the [[Special:ListUsers|list of users]] or the [[Special:ActiveUsers|list of active users]] | + | # [[File:Easy Account Approval User List.png|frame|Links from Easy Account Approval Script in the user list]]it adds a link "edit rights" to options of a user when viewing the [[Special:ListUsers|list of users]] or the [[Special:ActiveUsers|list of active users]]<br style="clear:both"/> |
| − | # it adds a link "Rights" in the page menu of a user page (or user discussion page) | + | # [[File:Easy Account Approval User Page.png|frame|Link from Easy Account Approval Script on the user page]]it adds a link "Rights" in the page menu of a user page (or user discussion page)<br style="clear:both"/> |
| − | # when on the rights page of a user, it automatically preselects the user group of the wiki and adds a comment for the rights log. The bureaucrat only has to click save. To not accidentally assign rights to users that they should not have, the new user group is highlighted in bright green if it has been selected by the script. | + | # [[File:Easy Account Approval User Rights Management.png|frame|The user groups of a user are being automatically adjusted by the script]]when on the rights page of a user, it automatically preselects the user group of the wiki and adds a comment for the rights log. The bureaucrat only has to click save. To not accidentally assign rights to users that they should not have, the new user group is highlighted in bright green if it has been selected by the script.<br style="clear:both"/> |
| − | + | ||
In order to user the script, save the following code as <code>MediaWiki:EasyAccountApproval.js</code> and adjust adjust all <code>//TODO</code>s to fit the wiki you are working with. | In order to user the script, save the following code as <code>MediaWiki:EasyAccountApproval.js</code> and adjust adjust all <code>//TODO</code>s to fit the wiki you are working with. | ||
Latest revision as of 15:12, 4 February 2015
This is a documentation on how to close individual namespaces or entire wikis from public access (read & write)
LocalSettings.php
protected namespace
In the MediaWikiCommonSettings.php a namespace "Internal" and its corresponding talk page "Internal_talk" is created for all wikis. To properly secure these namespaces, the LocalSettings.php of the individual wikis needs to be adjusted. Using the extension Lockdown (already enabled via MediaWikiCommonSettings.php), the easiest way to do this is to restrict the usage of these namespaces to a new user group, specific to the individual wiki. In the example below, you can see the restriction for the ABCD-Wiki:
$wgNamespacePermissionLockdown[NS_INTERNAL]['read'] = array('abcdUser');
$wgNamespacePermissionLockdown[NS_INTERNAL_TALK]['read'] = array('abcdUser');
$wgGroupPermissions['abcdUser'] = $wgGroupPermissions['user']; #a trick to make the user group show up in the "User rights management" interface
When using this code for other wikis, the user group name should be adjusted accordingly.
protected wiki
It is also possible to block an entire wiki for unapproved users. This is done in the case of the internal GFBio Wiki. Here is the configuration of LocalSettings.php
# Disable reading by anonymous users
$wgGroupPermissions['*']['read'] = false;
# Disable anonymous editing
$wgGroupPermissions['*']['edit'] = false;
# Disable editing and reading for retired users
$wgGroupPermissions['retiredUser']['read'] = false;
$wgGroupPermissions['retiredUser']['edit'] = false;
# Disable editing and reading for registered users, too
# (User has to be in group activeUser)
$wgGroupPermissions['user']['read'] = false;
$wgGroupPermissions['user']['edit'] = false;
# Grant read and edit rights only for GFBio users
$wgGroupPermissions['gfbioUser']['read'] = true;
$wgGroupPermissions['gfbioUser']['edit'] = true;
$wgGroupPermissions['sysop']['read'] = true;
$wgGroupPermissions['sysop']['edit'] = true;
# Users should be able to log out, request an account and read the ToS
$wgWhitelistRead[] = "Special:UserLogout";
$wgWhitelistRead[] = "Special:RequestAccount";
$wgWhitelistRead[] = "GFBio_Internal_Wiki:Terms_of_Service"; //TODO:update this line
This will show a page with the title "Permissions errors" to the user trying to access it.
Error page when trying to access a protected wiki
In order to display a bit more informative content to the users, the following script segment was added to the MediaWiki:Common.js page of the Internal GFBio Wiki:
//
// Info Screen for unregistered users and users how are not part of the 'gfbioUser' group.
//
if(wgCanonicalSpecialPageName == "Badtitle" && wgNamespaceNumber == -1){
var a = document.getElementById("top");
var username = "";
if(wgUserName && wgUserName!=""){
username = "'"+wgUserName+"'";
}
var banner = document.createElement("div")
banner.setAttribute("style","background:#8CD0F4; border:2px solid #3257A0; text-align:left; padding:5px 10px;")
banner.innerHTML = "<h3>Login Required</h3> <p>This is the <strong>internal wiki</strong> of the GFBio Project.</p><p>To view the content of this wiki, you need: </p><ul><li>to <a href=\"https://gfbio.biowikifarm.net/internal/Special:RequestAccount\">request an account for the biowikifarm</a>. In the description you need to specify, that you are part of the GFBio team. </li></ul> or, if you already have a biowikifarm account, <ul><li>you need to have this account approved for this wiki. In order to do this, please send an email to <a href=\"mailto:d.fichtmueller@bgbm.org?subject=Approve account for GFBio wiki&body=My biowikifarm username is: "+username+"%0D%0AWork package(s):%0D%0ARole:\">d.fichtmueller@bgbm.org</a> and state your biowikifarm user name, the work packages you are involved in and your role within the project.</li></ul><p></p></div>"
var isGFBioUser = false;
for(var i=0;i<wgUserGroups.length;i++){
if(wgUserGroups[i]=="gfbioUser"){
isGFBioUser = true;
}
}
if(!isGFBioUser){
a.parentElement.insertBefore(banner,a.nextSibling);
document.getElementById("firstHeading").style.display = "none";
document.getElementById("bodyContent").style.display = "none";
}
}
If you want to adapt this script to another wiki, change the HTML and the required user group.
Welcome Message shown when trying to access a protected wiki
User Approval
In order for the users of a wiki with a protected namespace to be able to access this namespace they have to be added to the corresponding user group. To streamline this process, there is a script which helps the users of the bureaucrat user group (those that can adjust the user groups of other users) to add user to the special user group of the wiki.
The script does 3 things:
- it adds a link "edit rights" to options of a user when viewing the list of users or the list of active users
Links from Easy Account Approval Script in the user list - it adds a link "Rights" in the page menu of a user page (or user discussion page)
Link from Easy Account Approval Script on the user page - when on the rights page of a user, it automatically preselects the user group of the wiki and adds a comment for the rights log. The bureaucrat only has to click save. To not accidentally assign rights to users that they should not have, the new user group is highlighted in bright green if it has been selected by the script.
The user groups of a user are being automatically adjusted by the script
In order to user the script, save the following code as MediaWiki:EasyAccountApproval.js and adjust adjust all //TODOs to fit the wiki you are working with.
//script easy account approval so that user can access the internal namespace
if(wgPageName=="Special:ListUsers" || wgPageName=="Special:ActiveUsers"){
//show "edit rights" link in the user list and active user list
var linkMenues = document.getElementById("mw-content-text").getElementsByClassName("mw-usertoollinks")
for(i=0;i<linkMenues.length;i++){
var linkMenu = linkMenues[i];
var editRightsLink = linkMenu.lastElementChild.cloneNode(true);
editRightsLink.href = editRightsLink.href.replace("Special:Block","Special:UserRights");
editRightsLink.title = editRightsLink.title.replace("Special:Block","Special:UserRights");
editRightsLink.innerHTML = "edit rights";
linkMenu.insertBefore(document.createTextNode(" | "), linkMenu.lastChild);
linkMenu.insertBefore(editRightsLink, linkMenu.lastChild);
}
}else if(wgPageName.indexOf("Special:UserRights/")===0){
//auto select the special user group when being on the user rights page
//TODO: rename id according to user group name and rename variable (optional but advised, including its 3 other occurrences below)
var abcdUserCheckbox = document.getElementById("wpGroup-abcdUser");
if(!abcdUserCheckbox.checked){
abcdUserCheckbox.checked = true;
var inputReason = document.getElementById("wpReason");
//TODO adjust reason
inputReason.value = "is part of the ABCD Team";
var label = abcdUserCheckbox.nextElementSibling;
label.innerHTML = label.innerHTML + " <i>(auto selected by script)</i>";
label.setAttribute("style","background:#8f8;")
}
}else if(wgNamespaceNumber==2||wgNamespaceNumber==3){
//add a rights link in the page menu of a user page (or user discussion page)
var deleteLink = document.getElementById("ca-delete")
var username = wgTitle;
if(username.indexOf("/")!=-1){
username = username.substring(0,username.indexOf("/"));
}
//TODO: modify link
addPortletLink("p-cactions","//abcd.biowikifarm.net/wiki/Special:UserRights/"+username,"Rights", "ca-user-rights","User Rights","g",deleteLink);
}
To activate the script for bureaucrat users, add the following lines to MediaWiki:Common.js
//add special script for account approval for bureaucrat users
var isBureaucrat = false;
for(var i=0;i<wgUserGroups.length;i++){
if(wgUserGroups[i]=="bureaucrat"){
isBureaucrat = true;
}
}
if(isBureaucrat ){
importScript('MediaWiki:EasyAccountApproval.js');
}
To allow easy access to the internal namespace for users who are approved for it, you can add the following lines to MediaWiki:Common.js as well and adjust all //TODOs
//add link to internal namespace for all approved user
//TODO adjust variable name (optional but advised, including its 2 other occurrences below)
var isABCDUser = false;
for(var i=0;i<wgUserGroups.length;i++){
//TODO adjust user group name
if(wgUserGroups[i]=="abcdUser"){
isABCDUser = true;
}
}
if(isABCDUser){
var recentChanges = document.getElementById("n-recentchanges");
//TODO: adjust link
addPortletLink("p-navigation","//abcd.biowikifarm.net/wiki/Internal:Main_Page","Internal", "t-Internal","Internal","i",recentChanges);
}
