How do I edit MediaWiki security settings
From PaulGuWiki
Contents |
Changing group permissions
A default MediaWiki installation assigns certain rights to default groups (see below). You can change the default rights by editing the $wgGroupPermissions array in LocalSettings.php with the syntax
$wgGroupPermissions['group']['right'] = true /* or false */;
If a member has multiple groups, they get the highest permission of any groups. All users, including anonymous users, are in the '*' group; all registered users are in the 'user' group. In addition to the default groups, you can arbitrarily create new groups using the same array.
Examples
This example will disable viewing of all pages not listed in $wgWhitelistRead, then re-enable for registered users only:
$wgGroupPermissions['*']['read'] = false; # The following line is not actually necessary, since it's in the defaults. Setting # '*' to false doesn't disable rights for groups that have the right separately set # to true! $wgGroupPermissions['user']['read'] = true;
This example will disable editing of all pages, then re-enable for users with confirmed e-mail addresses only:
# Disable for everyone. $wgGroupPermissions['*']['edit'] = false; # Disable for users, too: by default 'user' is allowed to edit, even if '*' is not. $wgGroupPermissions['user']['edit'] = false; # Make it so users with confirmed e-mail addresses are in the group. $wgAutopromote['emailconfirmed'] = APCOND_EMAILCONFIRMED; # Hide group from user list. $wgImplicitGroups = array( 'emailconfirmed' ); # Finally, set it to true for the desired group. $wgGroupPermissions['emailconfirmed']['edit'] = true;
This example will create an arbitrary "ninja" group that can block users and delete pages, and whose edits are hidden by default in the recent changes log:
$wgGroupPermissions['ninja']['bot'] = true; $wgGroupPermissions['ninja']['block'] = true; $wgGroupPermissions['ninja']['delete'] = true;
List of Groups
The following groups are available in the latest version of MediaWiki. If you are using an older version then some of these may not be implemented.
| Group | Description | Versions |
|---|---|---|
| * | all users (including anonymous). | 1.5+ |
| user | registered accounts. | 1.5+ |
| autoconfirmed | registered accounts at least as old as $wgAutoConfirmAge and having at least as many edits as $wgAutoConfirmCount. | 1.6+ |
| emailconfirmed | registered accounts with confirmed email addresses. | 1.7 - 1.13 |
| bot | accounts with the bot right (intended for automated scripts). | 1.5+ |
| sysop | users who by default can delete and restore pages, block and unblock users, et cetera. | 1.5+ |
| bureaucrat | users who by default can change other users' rights. | 1.5+ |
| developer | A group for the 'siteadmin' right. The group is deprecated by default, as well as the right. | 1.5+ |
From MW 1.12, you can create your own groups into which users are automatically promoted
Default rights
The default rights are defined in DefaultSettings.php. MediaWiki 1.13 alpha defines the following (for older versions see $wgGroupPermissions).
/** * Permission keys given to users in each group. * All users are implicitly in the '*' group including anonymous visitors; * logged-in users are all implicitly in the 'user' group. These will be * combined with the permissions of all groups that a given user is listed * in in the user_groups table. * * Note: Don't set $wgGroupPermissions = array(); unless you know what you're * doing! This will wipe all permissions, and may mean that your users are * unable to perform certain essential tasks or access new functionality * when new permissions are introduced and default grants established. * * Functionality to make pages inaccessible has not been extensively tested * for security. Use at your own risk! * * This replaces wgWhitelistAccount and wgWhitelistEdit */ $wgGroupPermissions = array(); // Implicit group for all visitors $wgGroupPermissions['*' ]['createaccount'] = true; $wgGroupPermissions['*' ]['read'] = true; $wgGroupPermissions['*' ]['edit'] = true; $wgGroupPermissions['*' ]['createpage'] = true; $wgGroupPermissions['*' ]['createtalk'] = true; $wgGroupPermissions['*' ]['writeapi'] = true; // Implicit group for all logged-in accounts $wgGroupPermissions['user' ]['move'] = true; $wgGroupPermissions['user' ]['move-subpages'] = true; $wgGroupPermissions['user' ]['read'] = true; $wgGroupPermissions['user' ]['edit'] = true; $wgGroupPermissions['user' ]['createpage'] = true; $wgGroupPermissions['user' ]['createtalk'] = true; $wgGroupPermissions['user' ]['writeapi'] = true; $wgGroupPermissions['user' ]['upload'] = true; $wgGroupPermissions['user' ]['reupload'] = true; $wgGroupPermissions['user' ]['reupload-shared'] = true; $wgGroupPermissions['user' ]['minoredit'] = true; $wgGroupPermissions['user' ]['purge'] = true; // can use ?action=purge without clicking "ok" // Implicit group for accounts that pass $wgAutoConfirmAge $wgGroupPermissions['autoconfirmed']['autoconfirmed'] = true; // Users with bot privilege can have their edits hidden // from various log pages by default $wgGroupPermissions['bot' ]['bot'] = true; $wgGroupPermissions['bot' ]['autoconfirmed'] = true; $wgGroupPermissions['bot' ]['nominornewtalk'] = true; $wgGroupPermissions['bot' ]['autopatrol'] = true; $wgGroupPermissions['bot' ]['suppressredirect'] = true; $wgGroupPermissions['bot' ]['apihighlimits'] = true; $wgGroupPermissions['bot' ]['writeapi'] = true; #$wgGroupPermissions['bot' ]['editprotected'] = true; // can edit all protected pages without cascade protection enabled // Most extra permission abilities go to this group $wgGroupPermissions['sysop']['block'] = true; $wgGroupPermissions['sysop']['createaccount'] = true; $wgGroupPermissions['sysop']['delete'] = true; $wgGroupPermissions['sysop']['bigdelete'] = true; // can be separately configured for pages with > $wgDeleteRevisionsLimit revs $wgGroupPermissions['sysop']['deletedhistory'] = true; // can view deleted history entries, but not see or restore the text $wgGroupPermissions['sysop']['undelete'] = true; $wgGroupPermissions['sysop']['editinterface'] = true; $wgGroupPermissions['sysop']['editusercssjs'] = true; $wgGroupPermissions['sysop']['import'] = true; $wgGroupPermissions['sysop']['importupload'] = true; $wgGroupPermissions['sysop']['move'] = true; $wgGroupPermissions['sysop']['move-subpages'] = true; $wgGroupPermissions['sysop']['patrol'] = true; $wgGroupPermissions['sysop']['autopatrol'] = true; $wgGroupPermissions['sysop']['protect'] = true; $wgGroupPermissions['sysop']['proxyunbannable'] = true; $wgGroupPermissions['sysop']['rollback'] = true; $wgGroupPermissions['sysop']['trackback'] = true; $wgGroupPermissions['sysop']['upload'] = true; $wgGroupPermissions['sysop']['reupload'] = true; $wgGroupPermissions['sysop']['reupload-shared'] = true; $wgGroupPermissions['sysop']['unwatchedpages'] = true; $wgGroupPermissions['sysop']['autoconfirmed'] = true; $wgGroupPermissions['sysop']['upload_by_url'] = true; $wgGroupPermissions['sysop']['ipblock-exempt'] = true; $wgGroupPermissions['sysop']['blockemail'] = true; $wgGroupPermissions['sysop']['markbotedits'] = true; $wgGroupPermissions['sysop']['suppressredirect'] = true; $wgGroupPermissions['sysop']['apihighlimits'] = true; $wgGroupPermissions['sysop']['browsearchive'] = true; $wgGroupPermissions['sysop']['noratelimit'] = true; #$wgGroupPermissions['sysop']['mergehistory'] = true; // Permission to change users' group assignments $wgGroupPermissions['bureaucrat']['userrights'] = true; $wgGroupPermissions['bureaucrat']['noratelimit'] = true; // Permission to change users' groups assignments across wikis #$wgGroupPermissions['bureaucrat']['userrights-interwiki'] = true; #$wgGroupPermissions['sysop']['deleterevision'] = true; // To hide usernames from users and Sysops #$wgGroupPermissions['suppress']['hideuser'] = true; // To hide revisions/log items from users and Sysops #$wgGroupPermissions['suppress']['suppressrevision'] = true; // For private suppression log access #$wgGroupPermissions['suppress']['suppressionlog'] = true; /** * The developer group is deprecated, but can be activated if need be * to use the 'lockdb' and 'unlockdb' special pages. Those require * that a lock file be defined and creatable/removable by the web * server. */ # $wgGroupPermissions['developer']['siteadmin'] = true;