Category:Access Control
overview
Pages marked by these category:Access Control categories are subject to access control privilege checks.
This Access Control mechanism is provided by customisations of:
- mediawiki/LocalSettings.php,
- mediawiki/extensions/rabcg/RestrictAccessByCategoryAndGroup.php, and
- mediawiki/includes/skin/Skins.php
The Restrict access by category and group[1] extension was originally developed by Andrés Orencio Ramirez Perez.
🚩 Note: The original code is a hook callback that provided a yes/no access decision to view a page based solely on correlating page category markings to various privilege groups. The $access parameter was ignored, and the grant was assumed for all privileges.
🚩 Note: This code relies on the userCan hook, which has been deprecated in version 1.32. However, the hook has been partially retained for backwards compatibility. In my opinion, the whole User permission mechanism and page access control is unwieldy, and the userCan hook is only called in some circumstances. This makes it impractical to alter spread-out code to grant access once access has been denied via any other callback in the hook chains. It is alleged that the MediaWiki privileges code is due to be refactored, which will almost certainly mean a different technique will need to be employed to restrict and grant User access to pages. Doing so would be very worthwhile for use cases where you need fine-grained security, e.g. in this wiki, which contains content that requires safeguarding as well as auditing.
read access
Pages containing these read access control categories are private and not accessible by a user unless the user is assigned to at least one of the corresponding privilege groups by an administrator, or the page has been marked with category:public, or the page is a white-listed page (e.g. Special:Login, Special:Logout).
The group privileges are set up in LocalSettings.php, and groups are assigned to users from Special:UserRights pages.
The category:public is an inclusive privacy marking that makes the page visible to all users, including unauthenticated users.
Only authenticated users who are assigned to at least one group, and administrators, may access pages that are not marked with any category marking.
Pages marked with any other read category:Access Control marking are only accessible to authenticated users who have been assigned the corresponding group. In this way, those categories that are not exclusive combine as an inclusive OR.
The special category:user: marking, followed by a user name, excludes all other users from accessing that user's page, except the sysop administrator and any other user whose own category:user: mark is also on the page.
The category:private and special user categories are exclusive, and the user must be a member of the private group, or be one of the users marked on the page, or a sysop respectively.
unauthenticated users
🚩 Note: Anonymous users are only able to access:
- pages containing the public category privilege, and
- Special: pages:
  - Special:Login
  - Special:Logout
  - Special:UserLogin
  - Special:UserLogout
  - Special:Badtitle
  - Special:Random
  - Special:RecentChanges
  - Special:Version
  - Special:AllPages
  - Special:Search - added 2023-06-08 so unauthenticated users can search the category:Public indexed pages for content.
The Navigation menu will contain minimal hyperlink entries for anonymous access:
- What links here
- Printable version
The navigation menu links are set up in skins/Skins.php, which has been modified to exclude the following links for anonymous users:
- Special:Pages
- pageinfo
- permalink
edit access
Access control markings have been extended to include the edit action (and may be extended to other actions in the future), where the action follows the category: prefix.
The specialisations are the [[category:edit:user:]] marking and the [[category:edit:]] marking, where the referenced group is a synonym of the category marking, e.g. [[category:edit:user:ralph]], or [[category:edit:trainer]] where the group is trainer.
Some examples follow:
- [[category:edit:user:ralph]] will permit the page to be edited by user ralph ([[user:ralph]]) or a [[sysop]].
- [[:category:edit:trainer]] will permit the page to be edited by a user that has been assigned to the group [[trainer]].
Note that the group trainer can be a private group controlling page read access (or visibility) for members of that group. It would need to be marked as a private permission, e.g. in LocalSettings.php.
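The read and edit marking rules described above can be modelled as a parser for the category name plus a decision function. The following is an added example, not the extension's code and not taken from this wiki's configuration. The function names (parseMarking, matches, canAccess), the $acl list of group names, case-insensitive matching, checking exclusive markings before public, and denying edits when no edit marking is present are all assumptions; the white-listed Special: pages are not modelled.

```php
<?php
// Added illustration, not the extension's code. Assumptions: names compare
// case-insensitively; $acl lists the groups whose categories are access markings;
// exclusive markings are checked before public; no edit marking means sysop-only edit.
/** Split a category name such as "edit:user:ralph" into [action, kind, name], or null. */
function parseMarking(string $category, array $acl): ?array {
    $parts = explode(':', strtolower(trim($category)));
    $action = 'read';                       // no action prefix: a read marking
    if ($parts[0] === 'edit') {             // the action follows the category: prefix
        array_shift($parts);
        $action = 'edit';
    }
    if (count($parts) === 2 && $parts[0] === 'user' && $parts[1] !== '') {
        return [$action, 'user', $parts[1]];
    }
    $name = implode(':', $parts);
    $known = in_array($name, ['public', 'private'], true) || in_array($name, $acl, true);
    return $known ? [$action, 'group', $name] : null;   // null: not an access marking
}

/** True when $user (null = anonymous) holding $groups satisfies the marking. */
function matches(array $mark, ?string $user, array $groups): bool {
    if ($user === null) { return false; }
    return $mark[1] === 'user' ? strtolower($user) === $mark[2] : in_array($mark[2], $groups, true);
}

/** Model decision for 'read' or 'edit' on a page carrying $categories. */
function canAccess(array $categories, ?string $user, array $groups, string $action, array $acl): bool {
    $marks = [];
    foreach ($categories as $c) {
        $m = parseMarking($c, $acl);
        if ($m !== null && $m[0] === $action) { $marks[] = $m; }
    }
    $any = fn(array $set) => count(array_filter($set, fn($m) => matches($m, $user, $groups))) > 0;
    if ($user !== null && in_array('sysop', $groups, true)) { return true; }
    if ($action !== 'read') { return $any($marks); }
    $exclusive = array_filter($marks, fn($m) => $m[1] === 'user' || $m[2] === 'private');
    if ($exclusive) { return $any($exclusive); }  // user: and private markings
    if (in_array(['read', 'group', 'public'], $marks, true)) { return true; }
    if ($user === null) { return false; }         // anonymous: public pages only
    return $marks ? $any($marks) : count($groups) > 0;  // group OR; unmarked: any group
}
// Constructed sample cases: [categories, user, groups, action].
$cases = [[['public', 'Index'], null, [], 'read'], [['trainer'], 'alice', ['staff'], 'read'],
    [['user:ralph'], 'Ralph', ['staff'], 'read'], [['edit:trainer'], 'bob', ['trainer'], 'edit']];
foreach ($cases as [$cats, $user, $groups, $action]) {
    $ok = canAccess($cats, $user, $groups, $action, ['trainer', 'staff']);
    printf("%s %s by %s: %s\n", $action, implode(',', $cats), $user ?? 'anonymous', $ok ? 'allow' : 'deny');
}
```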
references
categories
This page is marked as category:public so the public (anonymous users) may access/view this page.
☢ Do not mark this page as category:private. Currently this page is marked category:Public which may change in the future.
The other category, category:Index, is the non-public index, which may contain other page links, including links to non-public pages.
Subcategories
This category has the following 12 subcategories, out of 12 total.
Pages in category "Access Control"
The following 6 pages are in this category, out of 6 total.