[Mediawiki-l] Permissions of groups on namespaces

[Fabien.Bouleau at ses-astra.com]

Hello everyone,

I have modified the isAllowed() function in the includes/User.php file
(tested with MediaWiki 1.6.5). It provides the possibility to restrain user
groups to read or edit specific namespaces only.

For instance I have a namespace named 'MyProject' and I want a set of users
only to be able to access it. Then I create a dedicated group
'MyProjectEditors'.

Here is how the LocalSettings.php file looks like:

  $wgExtraNamespaces =
    array(100 => "MyProject",
          101 => "MyProject_Talk",
      );

  unset($wgGroupPermissions['user' ]);

  $wgGroupPermissions['*'    ]['createaccount']   = false;
  $wgGroupPermissions['*'    ]['read']            = false;
  $wgGroupPermissions['*'    ]['edit']            = false;
  $wgGroupPermissions['*'    ]['minoredit']       = false;
  $wgGroupPermissions['*'    ]['createpage']      = false;
  $wgGroupPermissions['*'    ]['createtalk']      = false;

  $wgGroupPermissions['user' ]['readable']        = array(NS_MAIN, NS_TALK,
NS_CATEGORY, NS_USER, NS_SPECIAL);

  $wgGroupPermissions['MyProjectEditors']['readable'] = array(100, 101);
  $wgGroupPermissions['MyProjectEditors']['editable'] = array(100, 101);

  $wgWhitelistRead = array( "Main Page", "Special:Userlogin", "-",
"MediaWiki:Monobook.css" );

Here is the isAllowed() function:

    function isAllowed($action='') {
        global $wgTitle, $wgGroupPermissions;

        if ( $action === '' )
            // In the spirit of DWIM
            return true;

        $editable = array();
        $readable = array();

        foreach($this->getEffectiveGroups() as $group) {
            isset($wgGroupPermissions[$group]['editable'])
                and $editable = array_merge($editable,
$wgGroupPermissions[$group]['editable']);
            isset($wgGroupPermissions[$group]['readable'])
                and $readable = array_merge($readable,
$wgGroupPermissions[$group]['readable']);
        }

        if ( $action === 'edit' || $action == 'createpage' ) {
            return in_array($wgTitle->getNamespace(), $editable) ||
in_array($action, $this->mRights);
        }

        if ( $action === 'read' ) {
            return in_array($wgTitle->getNamespace(), $readable) ||
in_array($action, $this->mRights);
        }

        $this->loadFromDatabase();
        return in_array( $action , $this->mRights );
    }

Note that you can allow groups to read-only access as well (set 'readable'
and not 'editable').

Best Regards,
Fabien.
--
DISCLAIMER:
This e-mail contains proprietary information some or all of which may be
legally privileged. It is for the intended recipient only. If an addressing
or transmission error has misdirected this e-mail, please notify the author
by replying to this e-mail. If you are not the intended recipient you must
not use, disclose, distribute, copy, print, or rely on this e-mail.