Difference between revisions of "Mediawiki Security Matrix"

Mediawiki Security Matrix
Source:	DataSource
Language:	English
Topic:	Mediawiki
SubTopic:	Security
Last Edit By:	DochyJP
LastEdit:	2021-04-14
Document type:	Documentation
Status:	Active
Access:	free

Latest revision as of 13:56, 14 April 2021

Micylou Standard Mediawiki Security Matrix

Defaults

Micylou builds a start-up solution based on the original Mediawiki LTS package and includes additional extensions to build its start-up solution.

Therefore, the roles and rights included in these extensions are taken into account, even if the extension is not activated.

Roles by groups

Source	Permission	Description	By default	As from	* Reset	* Granted	User Reset	User Granted	sysop Granted	Bot Granted	Bureaucrat Granted	Linux-Admin Granted	Wiki-Admin Granted	Wiki-Moderator Granted	Wiki-Editor Granted	Wiki-Updater Granted
Default Mediawiki	apihighlimits	Use higher limits in API queries	bot, sysop	1.12+
Default Mediawiki	applychangetags	Apply tags along with one's changes	user	1.25+			X		X	X						X
Default Mediawiki	autoconfirmed	Not be affected by IP-based rate limits - used for the 'autoconfirmed' group, see the other table below for more information	autoconfirmed, bot, sysop	1.6+
Default Mediawiki	autocreateaccount	Automatically log in with an external user account - a more limited version of createaccount	—	1.27+		X		LDAP REQUIREMENT
Default Mediawiki	autopatrol	Have one's own edits automatically marked as patrolled - $wgUseRCPatrol must be true	bot, sysop	1.9+										X	X
Default Mediawiki	bigdelete	Delete pages with large histories (as determined by $wgDeleteRevisionsLimit)	sysop	1.12+						X				X
Default Mediawiki	block	Block other users from editing - Block options include preventing editing and registering new accounts, and autoblocking other users on the same IP address	sysop	1.5+						X			X	X
Default Mediawiki	blockemail	Block a user from sending email - allows preventing use of the Special:Emailuser interface when blocking - requires the block right	sysop	1.11+						X			X	X	X
Default Mediawiki	bot	Be treated as an automated process - can optionally be viewed	bot	1.5+
Default Mediawiki	browsearchive	Search deleted pages - through Special:Undelete	sysop	1.13+					X	X				X	X	X
Default Mediawiki	changetags	Add and remove arbitrary tags on individual revisions and log entries - currently unused by extensions	user	1.25+	X		X		X	X				X	X	X
Default Mediawiki	createaccount	Create new user accounts - register / registration	*, sysop	1.5+	X				X	X		X		X
Default Mediawiki	createpage	Create pages (which are not discussion pages) - requires the edit right	*, user	1.6+	X		X		X	X				X	X	X	X
Default Mediawiki	createtalk	Create discussion pages - requires the edit right	*, user	1.6+	X		X							X
Default Mediawiki	delete	allows the deletion or undeletion of pages.	sysop	1.5+					X	X			X	X	X	X	X
Default Mediawiki	deletechangetags	Delete tags from the database - currently unused by extensions	sysop	1.28+										X
Default Mediawiki	deletedhistory	View deleted history entries, without their associated text	sysop	1.6+					X	X				X	X	X	X
Default Mediawiki	deletedtext	View deleted text and changes between deleted revisions	sysop						X	X				X	X	X	X
Default Mediawiki	deletelogentry	Delete and undelete specific log entries - allows deleting/undeleting information (action text, summary, user who made the action) of specific log entries - requires the deleterevision right (not available by default)	sysop	1.20+					X	X
Default Mediawiki	deleterevision	Delete and undelete specific revisions of pages - allows deleting/undeleting information (revision text, edit summary, user who made the edit) of specific revisions Split into deleterevision and deletelogentry in 1.20 (not available by default)	sysop	1.6+					X	X				X	X	X
Default Mediawiki	edit	Edit pages	*, user	1.5+	X		X		X	X						X	X
Default Mediawiki	editcontentmodel	Edit the content model of a page	user	1.23.7+	X		X		X	X				X	X	X
Default Mediawiki	editinterface	Edit the user interface - contains interface messages. For editing sitewide CSS/JSON/JS, there are now segregate rights, see below.	sysop, interface-admin	1.5+					X	X				X
Default Mediawiki	editmyoptions	Edit your own preferences	*	1.22+	X				X	X				X	X	X	X
Default Mediawiki	editmyprivateinfo	Edit your own private data (e.g. email address, real name)	*	1.22+	X				X	X				X	X	X	X
Default Mediawiki	editmyusercss	Edit your own user CSS files - prior to 1.31 it was assigned to everyone (i.e. "*") (note that this is not needed if the group already has the editusercss right)	user	1.22+				X
Default Mediawiki	editmyuserjs	Edit your own user JavaScript files - prior to 1.31 it was assigned to everyone (i.e. "*") (note that this is not needed if the group already has the edituserjs right)	user	1.22+				X
Default Mediawiki	editmyuserjson	Edit your own user JSON files (note that this is not needed if the group already has the edituserjson right)	user	1.31+				X
Default Mediawiki	editmywatchlist	Edit your own watchlist. Note some actions will still add pages even without this right.	*	1.22+				X
Default Mediawiki	editprotected	Edit pages protected as "Allow only administrators" - without cascading protection	sysop	1.13+					X	X				X	X	X
Default Mediawiki	editsemiprotected	Edit pages protected as "Allow only autoconfirmed users" - without cascading protection	autoconfirmed, bot, sysop	1.22+					X	X				X	X	X
Default Mediawiki	editsitecss	Edit sitewide CSS	interface-admin	1.32+					X	X				X
Default Mediawiki	editsitejs	Edit sitewide JavaScript	interface-admin	1.32+					X	X				X
Default Mediawiki	editsitejson	Edit sitewide JSON	sysop, interface-admin	1.32+					X	X				X
Default Mediawiki	editusercss	Edit other users' CSS files	interface-admin	1.16+					X	X				X
Default Mediawiki	edituserjs	Edit other users' JavaScript files	interface-admin	1.16+					X	X				X
Default Mediawiki	edituserjson	Edit other users' JSON files	sysop, interface-admin	1.31+					X	X				X
Default Mediawiki	hideuser	Block a username, hiding it from the public - (not available by default)	—	1.10+					X	X				X	X
Default Mediawiki	import	Import pages from other wikis - “transwiki”	sysop	1.5+					X	X				X		X
Default Mediawiki	importupload	Import pages from a file upload - This right was called 'importraw' in and before version 1.5	sysop	1.5+					X	X				X
Default Mediawiki	ipblock-exempt	Bypass IP blocks, auto-blocks and range blocks	sysop	1.9+					X	X				X
Default Mediawiki	managechangetags	Create and (de)activate tags - currently unused by extensions	sysop	1.25+					X	X				X
Default Mediawiki	markbotedits	Mark rolled-back edits as bot edits - see Manual:Administrators#Rollback	sysop	1.12+					X	X				X
Default Mediawiki	mergehistory	Merge the history of pages	sysop	1.12+					X	X				X
Default Mediawiki	minoredit	Mark edits as minor	user	1.6+			X		X	X				X		X	X
Default Mediawiki	move	Move pages - requires the edit right	user, sysop	1.5+			X		X	X				X		X	X
Default Mediawiki	move-categorypages	Move category pages - requires the move right	user, sysop	1.25+			X		X	X				X		X
Default Mediawiki	movefile	Move files - requires the move right and $wgAllowImageMoving to be true	user, sysop	1.14+			X		X	X				X		X
Default Mediawiki	move-rootuserpages	Move root user pages - requires the move right	user, sysop	1.14+			X		X	X				X		X
Default Mediawiki	move-subpages	Move pages with their subpages - requires the move right	user, sysop	1.13+			X		X	X				X		X
Default Mediawiki	nominornewtalk	Not have minor edits to discussion pages trigger the new messages prompt - requires the minor edit right	bot	1.9+
Default Mediawiki	noratelimit	Not be affected by rate limits - not affected by rate limits (prior to the introduction of this right, the configuration variable $wgRateLimitsExcludedGroups was used for this purpose)	sysop, bureaucrat	1.13+					X	X		X		X
Default Mediawiki	override-export-depth	Export pages including linked pages up to a depth of 5	—	?	X				X	X				X
Default Mediawiki	pagelang	Change page language - $wgPageLanguageUseDB must be true	—	1.24+	X				X	X				X
Default Mediawiki	patrol	Mark others' edits as patrolled - $wgUseRCPatrol must be true	sysop	1.5+					X	X				X
Default Mediawiki	patrolmarks	View recent changes patrol marks	—	1.16+	X				X	X				X	X
Default Mediawiki	protect	Change protection levels and edit cascade-protected pages	sysop	1.5+					X	X						X	X
Default Mediawiki	purge	Purge the site cache for a page - URL parameter "&action=purge"	user	1.10+			X		X	X				X
Default Mediawiki	read	Read pages - when set to false, override for specific pages with $wgWhitelistRead		1.5+	X			X
Default Mediawiki	readapi		*, user, bot	1.13+	X		X		X	X	X	X	X	X	X	X	X
Default Mediawiki	reupload	Overwrite existing files - requires the upload right	user, sysop	1.6+			X		X	X				X	X	X	X
Default Mediawiki	reupload-own	Overwrite existing files uploaded by oneself - requires the upload right (note that this is not needed if the group already has the reupload right)	—	1.11+	X				X	X				X	X	X	X
Default Mediawiki	reupload-shared	Override files on the shared media repository locally - (if one is set up) with local files (requires the upload right)	user, sysop	1.6+			X		X	X				X	X	X	X
Default Mediawiki	rollback	Quickly rollback the edits of the last user who edited a particular page	sysop	1.5+					X	X				X	X
Default Mediawiki	sendemail	Send email to other users	user	1.16+			X		X	X		X	X	X	X	X	X
Default Mediawiki	siteadmin	Lock and unlock the database - which blocks all interactions with the web site except viewing. (not available by default)	—	1.5+					X	X			X	X
Default Mediawiki	suppressionlog	View private logs	—	1.6+					X	X			X	X
Default Mediawiki	suppressredirect	Not create redirects from source pages when moving pages	bot, sysop	1.12+					X	X				X
Default Mediawiki	suppressrevision	View, hide and unhide specific revisions of pages from any user - Prior to 1.13 this right was named hiderevision (not available by default)	—	1.6+					X	X				X
Default Mediawiki	unblockself	Unblock oneself - Without it, an administrator that has the capability to block cannot unblock themselves if blocked by another administrator	sysop	1.17+					X	X				X
Default Mediawiki	undelete	Undelete a page - requires the deletedhistory right	sysop	1.12+					X	X				X	X	X
Default Mediawiki	unwatchedpages	View a list of unwatched pages - lists pages that no user has watchlisted	sysop	1.6+					X	X				X
Default Mediawiki	upload	Upload files - requires the edit right and $wgEnableUploads to be true	user, sysop	1.5+			X		X	X		X	X	X	X	X	X
Default Mediawiki	upload_by_url	Upload files from a URL - requires the upload right (Prior to 1.20 it was given to sysops)	—	1.8+						X			X	X
Default Mediawiki	userrights	Edit all user rights - allows the assignment or removal of all* groups to any user.	bureaucrat	1.5+					X	X		X		X
Default Mediawiki	userrights-interwiki	Edit user rights of users on other wikis	—	1.12+						X			X	X
Default Mediawiki	viewmyprivateinfo	View your own private data (e.g. email address, real name)	*	1.22+	X			X
Default Mediawiki	viewmywatchlist	View your own watchlist	*	1.22+	X			X
Default Mediawiki	viewsuppressed	View revisions hidden from any user - i.e. a more narrow alternative to "suppressrevision" (note that this is not needed if the group already has the suppressrevision right)	—	1.24+					X	X						X
Default Mediawiki	writeapi	Use of the write API	*, user, bot	1.13+	X		X		X	X	X	X	X	X	X	X	X
ExtensionRevsApprove	$egApprovedRevsBlankIfUnapproved		FALSE
ExtensionRevsApprove	$egApprovedRevsShowApproveLatest		TRUE
ExtensionRevsApprove	$egApprovedRevsShowNotApprovedMessage		TRUE
ExtensionRevsApprove	approverevision				X		X		X	X					X
ExtensionRevsApprove	egApprovedRevsAuto$maticApprovals		FALSE
ExtensionRevsApprove	egApprovedRevsBlan$kIfUnapproved		FALSE
ExtensionRevsApprove	egApprovedRevsShowNotApprovedMessa$ge		TRUE
ExtensionRevsApprove	viewapprover				X		X	X	X	X	X	X	X	X	X	X	X
ExtensionRevsApprove	viewlinktolatest				X		X							X	X	X	X
Extention UserMerge	usermerge								X	X		X		X
Extension EditUser	edituser								X	X		X

Back to top of this page

Back to Welcome Page

Security matrix of our default solution set up in LocalSettings.php - restricted access

View of the detailed Mediawiki Security Configuration is restricted.