Protected Namespaces or Wikis

From Biowikifarm Metawiki
Jump to: navigation, search

This is a documentation on how to close individual namespaces or entire wikis from public access (read & write)

LocalSettings.php

protected namespace

In the MediaWikiCommonSettings.php a namespace "Internal" and its corresponding talk page "Internal_talk" is created for all wikis. To properly secure these namespaces, the LocalSettings.php of the individual wikis needs to be adjusted. Using the extension Lockdown (already enabled via MediaWikiCommonSettings.php), the easiest way to do this is to restrict the usage of these namespaces to a new user group, specific to the individual wiki. In the example below, you can see the restriction for the ABCD-Wiki:

$wgNamespacePermissionLockdown[NS_INTERNAL]['read'] = array('abcdUser');
$wgNamespacePermissionLockdown[NS_INTERNAL_TALK]['read'] = array('abcdUser');
$wgGroupPermissions['abcdUser'] = $wgGroupPermissions['user']; #a trick to make the user group show up in the "User rights management" interface

When using this code for other wikis, the user group name should be adjusted accordingly.

protected wiki

It is also possible to block an entire wiki for unapproved users. This is done in the case of the internal GFBio Wiki. Here is the configuration of LocalSettings.php

# Disable reading by anonymous users
$wgGroupPermissions['*']['read'] = false;

# Disable anonymous editing
$wgGroupPermissions['*']['edit'] = false;

# Disable editing and reading for retired users
$wgGroupPermissions['retiredUser']['read'] = false;
$wgGroupPermissions['retiredUser']['edit'] = false;

# Disable editing and reading for registered users, too
# (User has to be in group activeUser)
$wgGroupPermissions['user']['read'] = false;
$wgGroupPermissions['user']['edit'] = false;

# Grant read and edit rights only for GFBio users
$wgGroupPermissions['gfbioUser']['read'] = true;
$wgGroupPermissions['gfbioUser']['edit'] = true;

$wgGroupPermissions['sysop']['read'] = true;
$wgGroupPermissions['sysop']['edit'] = true;

# Users should be able to log out, request an account and read the ToS
$wgWhitelistRead[] = "Special:UserLogout";
$wgWhitelistRead[] = "Special:RequestAccount";
$wgWhitelistRead[] = "GFBio_Internal_Wiki:Terms_of_Service"; //TODO:update this line

This will show a page with the title "Permissions errors" to the user trying to access it.

Error page when trying to access a protected wiki

In order to display a bit more informative content to the users, the following script segment was added to the MediaWiki:Common.js page of the Internal GFBio Wiki:

//
// Info Screen for unregistered users and users how are not part of the 'gfbioUser' group.
//
if(wgCanonicalSpecialPageName == "Badtitle" && wgNamespaceNumber == -1){
	var a = document.getElementById("top");
	var username = "";
	if(wgUserName && wgUserName!=""){
		username = "'"+wgUserName+"'";
	}
	var banner = document.createElement("div")
	banner.setAttribute("style","background:#8CD0F4; border:2px solid #3257A0; text-align:left; padding:5px 10px;")
	banner.innerHTML = "<h3>Login Required</h3> <p>This is the <strong>internal wiki</strong> of the GFBio Project.</p><p>To view the content of this wiki, you need: </p><ul><li>to <a href=\"https://gfbio.biowikifarm.net/internal/Special:RequestAccount\">request an account for the biowikifarm</a>. In the description you need to specify, that you are part of the GFBio team. </li></ul> or, if you already have a biowikifarm account, <ul><li>you need to have this account approved for this wiki. In order to do this, please send an email to <a href=\"mailto:d.fichtmueller@bgbm.org?subject=Approve account for GFBio wiki&body=My biowikifarm username is: "+username+"%0D%0AWork package(s):%0D%0ARole:\">d.fichtmueller@bgbm.org</a> and state your biowikifarm user name, the work packages you are involved in and your role within the project.</li></ul><p></p></div>"
	var isGFBioUser = false;
	for(var i=0;i<wgUserGroups.length;i++){
		if(wgUserGroups[i]=="gfbioUser"){
			isGFBioUser = true;
		}
	}
	if(!isGFBioUser){
		a.parentElement.insertBefore(banner,a.nextSibling);
		document.getElementById("firstHeading").style.display = "none";
		document.getElementById("bodyContent").style.display = "none";
	}
}

If you want to adapt this script to another wiki, change the HTML and the required user group.

Welcome Message shown when trying to access a protected wiki

User Approval

In order for the users of a wiki with a protected namespace to be able to access this namespace they have to be added to the corresponding user group. To streamline this process, there is a script which helps the users of the bureaucrat user group (those that can adjust the user groups of other users) to add user to the special user group of the wiki.

The script does 3 things:

  1. Links from Easy Account Approval Script in the user list
    it adds a link "edit rights" to options of a user when viewing the list of users or the list of active users
  2. Link from Easy Account Approval Script on the user page
    it adds a link "Rights" in the page menu of a user page (or user discussion page)
  3. The user groups of a user are being automatically adjusted by the script
    when on the rights page of a user, it automatically preselects the user group of the wiki and adds a comment for the rights log. The bureaucrat only has to click save. To not accidentally assign rights to users that they should not have, the new user group is highlighted in bright green if it has been selected by the script.

In order to user the script, save the following code as MediaWiki:EasyAccountApproval.js and adjust adjust all //TODOs to fit the wiki you are working with.

//script easy account approval so that user can access the internal namespace

if(wgPageName=="Special:ListUsers" || wgPageName=="Special:ActiveUsers"){
	//show "edit rights" link in the user list and active user list
	var linkMenues = document.getElementById("mw-content-text").getElementsByClassName("mw-usertoollinks")
	for(i=0;i<linkMenues.length;i++){
		var linkMenu = linkMenues[i];
		var editRightsLink = linkMenu.lastElementChild.cloneNode(true);
		editRightsLink.href = editRightsLink.href.replace("Special:Block","Special:UserRights");
		editRightsLink.title = editRightsLink.title.replace("Special:Block","Special:UserRights");
		editRightsLink.innerHTML = "edit rights";
		linkMenu.insertBefore(document.createTextNode(" | "), linkMenu.lastChild);
		linkMenu.insertBefore(editRightsLink, linkMenu.lastChild);
	}
}else if(wgPageName.indexOf("Special:UserRights/")===0){
	//auto select the special user group when being on the user rights page
	//TODO: rename id according to user group name and rename variable (optional but advised, including its 3 other occurrences below)
	var abcdUserCheckbox = document.getElementById("wpGroup-abcdUser");
	if(!abcdUserCheckbox.checked){
		abcdUserCheckbox.checked = true;
		var inputReason = document.getElementById("wpReason");
		//TODO adjust reason
		inputReason.value = "is part of the ABCD Team";
 
		var label = abcdUserCheckbox.nextElementSibling;
		label.innerHTML = label.innerHTML + " <i>(auto selected by script)</i>"; 
		label.setAttribute("style","background:#8f8;")
	}
}else if(wgNamespaceNumber==2||wgNamespaceNumber==3){
	//add a rights link in the page menu of a user page (or user discussion page)
	var deleteLink = document.getElementById("ca-delete")
	var username = wgTitle;
	if(username.indexOf("/")!=-1){
		username = username.substring(0,username.indexOf("/"));
	}
	//TODO: modify link
	addPortletLink("p-cactions","//abcd.biowikifarm.net/wiki/Special:UserRights/"+username,"Rights", "ca-user-rights","User Rights","g",deleteLink);
}

To activate the script for bureaucrat users, add the following lines to MediaWiki:Common.js

//add special script for account approval for bureaucrat users
var isBureaucrat = false;
for(var i=0;i<wgUserGroups.length;i++){
	if(wgUserGroups[i]=="bureaucrat"){
		isBureaucrat = true;
	}
}
if(isBureaucrat ){
	importScript('MediaWiki:EasyAccountApproval.js');
}

To allow easy access to the internal namespace for users who are approved for it, you can add the following lines to MediaWiki:Common.js as well and adjust all //TODOs

//add link to internal namespace for all approved user
//TODO adjust variable name (optional but advised, including its 2 other occurrences below)
var isABCDUser = false;
for(var i=0;i<wgUserGroups.length;i++){
	//TODO adjust user group name
	if(wgUserGroups[i]=="abcdUser"){
		isABCDUser = true;
	}
}
if(isABCDUser){
	var recentChanges = document.getElementById("n-recentchanges");
	//TODO: adjust link
	addPortletLink("p-navigation","//abcd.biowikifarm.net/wiki/Internal:Main_Page","Internal", "t-Internal","Internal","i",recentChanges);
}