On May 17, 2008, at 3:28 PM, DanTMan wrote:
That is against how MediaWiki works. Every account is part of the user group. And inheritance is done with true always overriding false. In other words, because a student is a user even though createaccount is set to false for them, the fact that they are a user which has createaccount set to true means that they are allowed to create an account. You can't force that off. That's not how MediaWiki's permissions system works, and if the extension is based off that bad assumption then it definitely won't go into svn cause that's the kind of thing that will only work if you hack MediaWiki to work that way, and hacks aren't supported.
I could have sworn that it worked in an earlier version of MW, but I see that setting
$wgGroupPermissions['student'] = false;
behaves just like you say it does. However, it was easy to whip up an extension to modify this behavior without hacking MW, by hooking at UserGetRights.
http://www.mediawiki.org/wiki/Extension:RestrictiveRights
Obviously, I wish that was the default - I think admins expect that if they explicitly turn something off in LocalSettings, it should not be overridden by something else. But that's just me.
Additionally, it's pointless to try and create an extension with a more limited way to manage permissions based off the Userrights stuff. Because if someone can use your form, then can just as easily access the build in Special:Userrights and edit permissions with what they are allowed to do. Restricting that within a extension's special page is pointless because all it gives you is a false sense of security that doesn't exist.
I'm not going to update the mediawiki.org page yet, since I figure it's likely that you will find other problems (unless you're sick of this and have given up!), but I have a test revision if you're willing to keep looking at these
http://trimer.tamu.edu/jh/UserRightsList.0.5a1.tgz
I created an global variable that can be set to allow users who do not have userrights to modify specific subsets of group membership of users they created. For my setup, I use:
$egUserRightsListChGrp['user'][] = 'student';
Inside the extension, I modify $wgAddGroups and $wgRemoveGroups based on $egUserRightsListChGrp, but since this is local to the extension, it does not affect access to Special:Userrights.
I also changed the date handling based on your suggestions, and did some other stuff to aid independence from mysql. But I don't have any installations to test those on.
I hope I'm getting closer to addressing your concerns.
JH
<snip>
===================================== Jim Hu Associate Professor Dept. of Biochemistry and Biophysics 2128 TAMU Texas A&M Univ. College Station, TX 77843-2128 979-862-4054