okparanoid wrote:
Hello
I have tried to correct Lockdown to be compatible with this model. I had to let Lockdown grant access to a specific group, which changes the initial "philosophy" of the extension a little. To work with 1.12, $wgGroupPermissions['*']['read'] needs to be set to false in LocalSettings.php.
I'm not a PHP developer (I don't know the language and don't know the MediaWiki API), so this has to be tested and certainly contains mistakes. Don't use this in production!!! Please take a look at this and let me know the issues/mistakes.
Regards
P.S.: Can someone contact the initial author of Lockdown, Daniel Kinzler alias Duesentrieb? I haven't found his email. I would like to propose the patch to him.
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Here is the script; I can't attach a file with the mailing list:
<?php
/**
 * Lockdown extension - implements restrictions on individual namespaces and special pages.
 *
 * @package MediaWiki
 * @subpackage Extensions
 * @author Daniel Kinzler, brightbyte.de
 * @copyright © 2007 Daniel Kinzler
 * @licence GNU General Public Licence 2.0 or later
 */

/*
 * WARNING: you can use this extension to deny read access to some namespaces. Keep in mind that this
 * may be circumvented in several ways. This extension doesn't try to
 * plug such holes. Also note that pages that are not readable will still be shown in listings,
 * such as the search page, categories, etc.
 *
 * Known ways to access "hidden" pages:
 * - transcluding as template (can't really be fixed without disabling inclusion for specific namespaces;
 *   that could be done by adding a hook to Parser::fetchTemplate)
 * - Special:export (easily fixed using $wgSpecialPageLockdown)
 * - the search page may show excerpts from hidden pages.
 * - supplying oldid=<revisionfromhiddenpage> may work in some versions of mediawiki. Same with diff, etc.
 *
 * NOTE: you cannot GRANT access to things forbidden by $wgGroupPermissions. You can only DENY access
 * granted there.
 */

if( !defined( 'MEDIAWIKI' ) ) {
    echo( "This file is an extension to the MediaWiki software and cannot be used standalone.\n" );
    die( 1 );
}

$wgExtensionCredits['other'][] = array(
    'name' => 'Lockdown',
    'author' => 'Daniel Kinzler',
    'url' => 'http://mediawiki.org/wiki/Extension:Lockdown',
    'description' => 'per-namespace group permissions',
);

$wgNamespacePermissionLockdown = array();
$wgSpecialPageLockdown = array();

$wgHooks['userCan'][] = 'lockdownUserCan';

function lockdownUserCan($title, $user, $action, &$result) {
    global $wgNamespacePermissionLockdown, $wgSpecialPageLockdown, $wgWhitelistRead;
    #print "<br />nsAccessUserCan(".$title->getPrefixedDBkey().", ".$user->getName().", $action)<br />\n";

    $result = NULL;

    //don't impose extra restrictions on UI pages
    if ($title->isCssJsSubpage()) return true;

    if ($action == 'read' && $wgWhitelistRead) {
        //don't impose read restrictions on whitelisted pages
        if (in_array($title->getPrefixedText(), $wgWhitelistRead)) {
            return true;
        }
    }

    $groups = NULL;
    $ns = $title->getNamespace();
    if( NS_SPECIAL == $ns ) {
        if ($action != 'read') {
            $result = false;
            return true;
        }
        else {
            foreach ($wgSpecialPageLockdown as $page => $g) {
                if (!$title->isSpecial($page)) continue;
                $groups = $g;
                break;
            }
        }
    }

    #lookup order: namespace+action, then any namespace+action, then namespace+any action
    if (!$groups) $groups = @$wgNamespacePermissionLockdown[$ns][$action];
    if (!$groups) $groups = @$wgNamespacePermissionLockdown['*'][$action];
    if (!$groups) $groups = @$wgNamespacePermissionLockdown[$ns]['*'];

    #this namespace has no specific configuration
    #continue processing without taking any decision
    if (!$groups) return true;

    #print "<br />nsAccessUserCan(".$title->getPrefixedDBkey().", ".$user->getName().", $action)<br />\n";
    #print_r($groups);

    $ugroups = $user->getEffectiveGroups();
    #print_r($ugroups);

    $match = array_intersect($ugroups, $groups);
    #print_r($match);

    if ($match) {
        #group is specifically allowed by lockdown - stop processing
        $result = true;
        return false;
    }
    else {
        #print "<br />DENY<br />\n";
        #user is not member of a group specially restricted via lockdown
        #deny access and abort processing
        $result = false;
        return false;
    }
}
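
A LocalSettings.php fragment for the script above, as an added example that is not part of the original post or of the Lockdown extension. It shows a group list that turns the new grant behaviour into an open door beside a corrected one. The include path, the namespace id 100 and its name, and the 'staff' group are assumptions made for illustration.

```php
<?php
// LocalSettings.php fragment (added example; names marked "assumed" are not from the post).

// Load the extension first: the script resets both lockdown arrays to array()
// when it is included, so any lockdown settings made before this line are lost.
require_once( "$IP/extensions/Lockdown/Lockdown.php" ); // assumed install path

// Required by the post for MediaWiki 1.12: anonymous visitors get no read right
// from core, so for them read access can only come from a lockdown grant.
$wgGroupPermissions['*']['read'] = false;

// Assumed custom namespace and group.
define( 'NS_PRIVATE', 100 );
$wgExtraNamespaces[NS_PRIVATE] = 'Private';
$wgGroupPermissions['staff']['read'] = true; // defines the assumed 'staff' group

// Weak: getEffectiveGroups() also returns the implicit groups '*' and 'user'.
// array_intersect() would then match for every visitor, and the patched hook
// sets $result = true and stops processing, i.e. it GRANTS read to everyone.
// $wgNamespacePermissionLockdown[NS_PRIVATE]['read'] = array( '*' );

// Corrected: list only explicit groups that should pass.
$wgNamespacePermissionLockdown[NS_PRIVATE]['read'] = array( 'staff', 'sysop' );
$wgNamespacePermissionLockdown[NS_PRIVATE]['edit'] = array( 'staff' );

// Lookup order in lockdownUserCan(): [$ns][$action], then ['*'][$action],
// then [$ns]['*']. A ['*'][$action] entry therefore decides that action for
// every namespace that has no entry of its own, so it is left unset here.

// Close the Special:Export route named in the script's warning comment.
$wgSpecialPageLockdown['Export'] = array( 'sysop' );
```

The other routes listed in the warning comment (transclusion, search excerpts, oldid/diff) are not covered by these settings.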