I have a user that I would like to have some, but not all, of the same rights of sysop. I've created a new user group ... let's say "editor". I'm also using a "userCanHook" function to limit certain functions for users who are not sysop. However, I'd like to allow "editor" some of the functions which are allowed sysops.
If I add a user to "editor" and to "sysop" then disallow "editor" from certain of the functions using $wgGroupPermissions will I be able to disallow those sysop functions from "editor"?
Will "editor" override "sysop" or will "sysop" override "editor"?
Does it depend upon which is listed first in LocalSettings.php?
version: 1.6.7
Raquel Rice wrote:
I have a user that I would like to have some, but not all, of the same rights of sysop. I've created a new user group ... let's say "editor". I'm also using a "userCanHook" function to limit certain functions for users who are not sysop. However, I'd like to allow "editor" some of the functions which are allowed sysops.
If I add a user to "editor" and to "sysop" then disallow "editor" from certain of the functions using $wgGroupPermissions will I be able to disallow those sysop functions from "editor"?
Will "editor" override "sysop" or will "sysop" override "editor"?
Permissions are additive.
Note that setting a particular permission to 'false' for some group just means that membership in the group does not provide that permission; it doesn't take it away if another group the user is in confers the same permission.
Given this scenario:
- group A provides permissions P and Q
- group B provides permissions Q and R
- user Alice in group A
- user Bob in group B
- user Charles in both groups A and B
then:
- Alice has permissions P and Q
- Bob has permissions Q and R
- Charles has permissions P, Q, and R
So, unless you did something very strange with your hook (in most cases a hook for userCan should not be necessary), then a user's being in 'editor' will not cause them to lack any permissions that their being in 'sysop' gives them.
-- brion vibber (brion @ pobox.com / brion @ wikimedia.org)
On Fri, 28 Jul 2006 13:14:25 -0700 Brion Vibber brion@pobox.com wrote:
Raquel Rice wrote:
<snip>
If I add a user to "editor" and to "sysop" then disallow "editor" from certain of the functions using $wgGroupPermissions will I be able to disallow those sysop functions from "editor"?
Will "editor" override "sysop" or will "sysop" override "editor"?
Permissions are additive.
Note that setting a particular permission to 'false' for some group just means that membership in the group does not provide that permission; it doesn't take it away if another group the user is in confers the same permission.
Given this scenario:
- group A provides permissions P and Q
- group B provides permissions Q and R
- user Alice in group A
- user Bob in group B
- user Charles in both groups A and B
then:
- Alice has permissions P and Q
- Bob has permissions Q and R
- Charles has permissions P, Q, and R
So, unless you did something very strange with your hook (in most cases a hook for userCan should not be necessary), then a user's being in 'editor' will not cause them to lack any permissions that their being in 'sysop' gives them.
-- brion vibber (brion @ pobox.com / brion @ wikimedia.org)
Thank you Brion. Please bear with me while I ask one more little question. I understand about permissions being additive, but ... in the above scenario ... what if I change that up a bit:
- group A provides permissions P and Q
- group B provides permissions Q and R
- group C provides permissions X, Y and Z
- user Alice in group A
- user Bob in group B
- user Charles in groups A, B and C
BUT I don't want Charles to have permission Q ... Can I then specify that group C does not have permission Q?
Changing group C permissions to X, Y, Z and !Q
In real life I am using ...
    # Any user can edit talk pages. Only Sysop can edit other pages
    function fnMyUserCan($title, $user, $action, $result) {
        if ($action == 'edit') {
            if (!$title->isTalkPage() && !$user->isSysop())
                $result = false;
        }
    }
    $wgHooks['userCan'][] = 'fnMyUserCan';

(taken from: http://www.mediawiki.org/wiki/User:Barrylb/Usercan_Hook )
I want "editor" to be able to edit other pages and to do everything that a "sysop" can do but not be able to (let's say) upload. So I create "editor" with $wgGroupPermissions['editor' ]['upload'] = false; in LocalSettings.php, placing it AFTER the "sysop" permissions.
That should give "editor" all "sysop" permissions except upload. Right?
Raquel Rice wrote:
Thank you Brion. Please bear with me while I ask one more little question. I understand about permissions being additive, but ... in the above scenario ... what if I change that up a bit:
- group A provides permissions P and Q
- group B provides permissions Q and R
- group C provides permissions X, Y and Z
- user Alice in group A
- user Bob in group B
- user Charles in groups A, B and C
BUT I don't want Charles to have permission Q ... Can I then specify that group C does not have permission Q?
Nope. If you don't want Charles to have permission Q, don't put him in a group which confers permission Q.
    # Any user can edit talk pages. Only Sysop can edit other pages
    function fnMyUserCan($title, $user, $action, $result) {
        if ($action == 'edit') {
            if (!$title->isTalkPage() && !$user->isSysop())
                $result = false;
        }
    }
This is pretty scary-looking. :) Note that User::isSysop is obsolete, predating the modern permissions system.
I think what you probably want is something like:
    if ($action == 'edit') {
        if (!$title->isTalkPage() && !$user->isAllowed('editarticles'))
            $result = false;
    }
Then you'd give the 'editarticles' permission and whatever else you wanted to the 'editor' group.
I want "editor" to be able to edit other pages and to do everything that a "sysop" can do but not be able to (let's say) upload. So I create "editor" with $wgGroupPermissions['editor' ]['upload'] = false; in LocalSettings.php, placing it AFTER the "sysop" permissions.
That should give "editor" all "sysop" permissions except upload. Right?
If you want to give 'editor' the permissions from 'sysop', just copy the lines and replace 'sysop' with 'editor', so that 'editor' has all those same permissions.
-- brion vibber (brion @ pobox.com)
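The additive rule and the copy-the-lines advice from this thread, as an added example (not code from the thread or from MediaWiki). effectiveRights() is a hypothetical stand-in for the permission lookup, and the rights listed under 'sysop' are constructed sample values, not MediaWiki's defaults.

```php
<?php
// Constructed sample table in the shape of $wgGroupPermissions. The rights
// listed for 'sysop' are illustrative, not a copy of MediaWiki's defaults.
$wgGroupPermissions = array();
$wgGroupPermissions['sysop']['delete']  = true;
$wgGroupPermissions['sysop']['protect'] = true;
$wgGroupPermissions['sysop']['upload']  = true;

// The attempted "deny". Under the additive rule this only says that
// membership in 'editor' does not confer upload.
$wgGroupPermissions['editor']['upload'] = false;

// Hypothetical model of the additive rule: a user holds a right if ANY of
// their groups sets it to true. A false entry never removes anything.
function effectiveRights($permissions, $groups) {
    $rights = array();
    foreach ($groups as $group) {
        if (!isset($permissions[$group])) {
            continue; // unknown group confers nothing
        }
        foreach ($permissions[$group] as $right => $granted) {
            if ($granted) {
                $rights[$right] = true;
            }
        }
    }
    $names = array_keys($rights);
    sort($names);
    return $names;
}

// User in both groups: 'upload' survives, because 'sysop' still confers it.
$both = effectiveRights($wgGroupPermissions, array('sysop', 'editor'));
print 'sysop + editor: ' . implode(', ', $both) . "\n";

// Least-privilege version: give 'editor' the sysop rights it needs, leave
// 'upload' out, add the custom 'editarticles' right for the userCan hook,
// and put the user in 'editor' only.
foreach ($wgGroupPermissions['sysop'] as $right => $granted) {
    if ($granted && $right != 'upload') {
        $wgGroupPermissions['editor'][$right] = true;
    }
}
$wgGroupPermissions['editor']['editarticles'] = true;

$editorOnly = effectiveRights($wgGroupPermissions, array('editor'));
print 'editor only:    ' . implode(', ', $editorOnly) . "\n";
```

The same union applies to every group the account belongs to, so before relying on the 'editor' definition, check that no other group held by that account confers the right you meant to withhold.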
mediawiki-l@lists.wikimedia.org