Difference between revisions of "Mediawiki Security Matrix"

From Micylou WIKI
(Page creation)
 
m (Text replacement - "[{{fullurl:{{FULLPAGENAMEE}}|action=mpdf}} Download this page as PDF]" to "")
 
(16 intermediate revisions by the same user not shown)
Line 1: Line 1:
Security matrix sample to set up in LocalSettings.php
+
<!-- Template Infobox Generic-->
 +
{{Template:Class-Infobox-Generic<!-- ALL MUST BE FILLED IN -->
 +
|image = <!-- If an logo is required, enter the link here -->
 +
|Section = [[Section::{{PAGENAME}}]]
 +
|Source = [[Source::DataSource]]  <!-- [[Source::DataSource]], [[Source::Query]] ... -->
 +
|Language = [[Language::English]] <!-- [[Language::English]], [[Language::Français]], [[Language::Nederlands]] -->
 +
|Topic =  [[Topic::Mediawiki]] <!-- [[Topic::Mediawiki]], [[Subject::Microsoft]], ... -->
 +
|SubTopic = [[SubTopic::Security]] <!-- [[SubTopic::Mediawiki Extension]], [[SubTopic::Office 365]] , ... -->
 +
        |DocumentType =  [[DocumentType::Documentation]] <!-- [[DocumentType::User Guide]], [[DocumentType::Procedure]], [[DocumentType::Script]], [[DocumentType::Gallery]], ...-->
 +
|LastEditBy = [[LastEditBy::{{REVISIONUSER}}]]
 +
|LastEdit = [[LastEdit::{{REVISIONYEAR}}-{{REVISIONMONTH}}-{{REVISIONDAY2}}]]
 +
|Status = [[Status::Active]] <!--[[Status::Active]]  [[Status::Development]] [[Status::Obsolete]] [[Status::Archived]] [[Status::To Delete]]-->
 +
|Access = [[Access::free]] <!--[[Access::free]] [[Access::Private]] [[Access::Subscription]] -->
 +
<!-- Template version 1.01 -->
 +
}}
 +
<!-- End of Template Infobox Generic-->
  
 +
== Micylou Standard Mediawiki Security Matrix ==
 +
=== Defaults ===
 +
Micylou builds a start-up solution based on the original Mediawiki LTS package and includes additional extensions to build its start-up solution.
 +
 +
Therefore, the roles and rights included in these extensions are taken into account, even if the extension is not activated.
 +
 +
=== Roles by groups ===
 +
{| class="wikitable sortable"
 +
|-
 +
! Source !! Permission !! Description !! By default !! As from !! * Reset !! * Granted !! User Reset !! User Granted !! administrator Granted!| sysop Granted !! Bot Granted !! Bureaucrat Granted !! Linux-Admin Granted !! Wiki-Admin Granted !! Wiki-Moderator Granted !! Wiki-Editor Granted !! Wiki-Updater Granted
 +
|-
 +
| Default Mediawiki || apihighlimits || Use higher limits in API queries || bot, sysop || 1.12+
 +
|-
 +
| Default Mediawiki || applychangetags || Apply tags along with one's changes || user || 1.25+ ||  ||  || X ||  || X|| X ||  ||  ||  ||  ||  || X
 +
|-
 +
| Default Mediawiki || autoconfirmed || Not be affected by IP-based rate limits - used for the 'autoconfirmed' group, see the other table below for more information || autoconfirmed, bot, sysop || 1.6+
 +
|-
 +
| Default Mediawiki || autocreateaccount || Automatically log in with an external user account - a more limited version of createaccount || — || 1.27+ ||  || X ||  || LDAP REQUIREMENT
 +
|-
 +
| Default Mediawiki || autopatrol || Have one's own edits automatically marked as patrolled - $wgUseRCPatrol must be true || bot, sysop || 1.9+ ||  ||  ||  ||  || ||  ||  ||  ||  || X || X
 +
|-
 +
| Default Mediawiki || bigdelete || Delete pages with large histories (as determined by $wgDeleteRevisionsLimit) || sysop || 1.12+ ||  ||  ||  ||  || || X ||  ||  ||  || X
 +
|-
 +
| Default Mediawiki || block || Block other users from editing - Block options include preventing editing and registering new accounts, and autoblocking other users on the same IP address || sysop || 1.5+ ||  ||  ||  ||  || || X ||  ||  || X || X
 +
|-
 +
| Default Mediawiki || blockemail || Block a user from sending email - allows preventing use of the Special:Emailuser interface when blocking - requires the block right || sysop || 1.11+ ||  ||  ||  ||  || || X ||  ||  || X || X || X
 +
|-
 +
| Default Mediawiki || bot || Be treated as an automated process - can optionally be viewed || bot || 1.5+
 +
|-
 +
| Default Mediawiki || browsearchive || Search deleted pages - through Special:Undelete || sysop || 1.13+ ||  ||  ||  ||  || X|| X ||  ||  ||  || X || X || X
 +
|-
 +
| Default Mediawiki || changetags || Add and remove arbitrary tags on individual revisions and log entries - currently unused by extensions || user || 1.25+ || X ||  || X ||  || X|| X ||  ||  ||  || X || X || X
 +
|-
 +
| Default Mediawiki || createaccount || Create new user accounts - register / registration || *, sysop || 1.5+ || X ||  ||  ||  || X|| X ||  || X ||  || X
 +
|-
 +
| Default Mediawiki || createpage || Create pages (which are not discussion pages) - requires the edit right || *, user || 1.6+ || X ||  || X ||  || X|| X ||  ||  ||  || X || X || X || X
 +
|-
 +
| Default Mediawiki || createtalk || Create discussion pages - requires the edit right || *, user || 1.6+ || X ||  || X ||  || ||  ||  ||  ||  || X
 +
|-
 +
| Default Mediawiki || delete || allows the deletion or undeletion of pages. || sysop || 1.5+ ||  ||  ||  ||  || X|| X ||  ||  || X || X || X || X || X
 +
|-
 +
| Default Mediawiki || deletechangetags || Delete tags from the database - currently unused by extensions || sysop || 1.28+ ||  ||  ||  ||  || ||  ||  ||  ||  || X
 +
|-
 +
| Default Mediawiki || deletedhistory || View deleted history entries, without their associated text || sysop || 1.6+ ||  ||  ||  ||  || X|| X ||  ||  ||  || X || X || X || X
 +
|-
 +
| Default Mediawiki || deletedtext || View deleted text and changes between deleted revisions || sysop ||  ||  ||  ||  ||  || X|| X ||  ||  ||  || X || X || X || X
 +
|-
 +
| Default Mediawiki || deletelogentry || Delete and undelete specific log entries - allows deleting/undeleting information (action text, summary, user who made the action) of specific log entries - requires the deleterevision right (not available by default) || sysop || 1.20+ ||  ||  ||  ||  || X|| X
 +
|-
 +
| Default Mediawiki || deleterevision || Delete and undelete specific revisions of pages - allows deleting/undeleting information (revision text, edit summary, user who made the edit) of specific revisions Split into deleterevision and deletelogentry in 1.20 (not available by default) || sysop || 1.6+ ||  ||  ||  ||  || X|| X ||  ||  ||  || X || X || X
 +
|-
 +
| Default Mediawiki || edit || Edit pages || *, user || 1.5+ || X ||  || X ||  || X|| X ||  ||  ||  ||  ||  || X || X
 +
|-
 +
| Default Mediawiki || editcontentmodel || Edit the content model of a page || user || 1.23.7+ || X ||  || X ||  || X|| X ||  ||  ||  || X || X || X
 +
|-
 +
| Default Mediawiki || editinterface || Edit the user interface - contains interface messages. For editing sitewide CSS/JSON/JS, there are now segregate rights, see below. || sysop, interface-admin || 1.5+ ||  ||  ||  ||  || X|| X ||  ||  ||  || X
 +
|-
 +
| Default Mediawiki || editmyoptions || Edit your own preferences || * || 1.22+ || X ||  ||  ||  || X|| X ||  ||  ||  || X || X || X || X
 +
|-
 +
| Default Mediawiki || editmyprivateinfo || Edit your own private data (e.g. email address, real name) || * || 1.22+ || X ||  ||  ||  || X|| X ||  ||  ||  || X || X || X || X
 +
|-
 +
| Default Mediawiki || editmyusercss || Edit your own user CSS files - prior to 1.31 it was assigned to everyone (i.e. "*") (note that this is not needed if the group already has the editusercss right) || user || 1.22+ ||  ||  ||  || X
 +
|-
 +
| Default Mediawiki || editmyuserjs || Edit your own user JavaScript files - prior to 1.31 it was assigned to everyone (i.e. "*") (note that this is not needed if the group already has the edituserjs right) || user || 1.22+ ||  ||  ||  || X
 +
|-
 +
| Default Mediawiki || editmyuserjson || Edit your own user JSON files (note that this is not needed if the group already has the edituserjson right) || user || 1.31+ ||  ||  ||  || X
 +
|-
 +
| Default Mediawiki || editmywatchlist || Edit your own watchlist. Note some actions will still add pages even without this right. || * || 1.22+ ||  ||  ||  || X
 +
|-
 +
| Default Mediawiki || editprotected || Edit pages protected as "Allow only administrators" - without cascading protection || sysop || 1.13+ ||  ||  ||  ||  || X|| X ||  ||  ||  || X || X || X
 +
|-
 +
| Default Mediawiki || editsemiprotected || Edit pages protected as "Allow only autoconfirmed users" - without cascading protection || autoconfirmed, bot, sysop || 1.22+ ||  ||  ||  ||  || X|| X ||  ||  ||  || X || X || X
 +
|-
 +
| Default Mediawiki || editsitecss || Edit sitewide CSS || interface-admin || 1.32+ ||  ||  ||  ||  || X|| X ||  ||  ||  || X
 +
|-
 +
| Default Mediawiki || editsitejs || Edit sitewide JavaScript || interface-admin || 1.32+ ||  ||  ||  ||  || X|| X ||  ||  ||  || X
 +
|-
 +
| Default Mediawiki || editsitejson || Edit sitewide JSON || sysop, interface-admin || 1.32+ ||  ||  ||  ||  || X|| X ||  ||  ||  || X
 +
|-
 +
| Default Mediawiki || editusercss || Edit other users' CSS files || interface-admin || 1.16+ ||  ||  ||  ||  || X|| X ||  ||  ||  || X
 +
|-
 +
| Default Mediawiki || edituserjs || Edit other users' JavaScript files || interface-admin || 1.16+ ||  ||  ||  ||  || X|| X ||  ||  ||  || X
 +
|-
 +
| Default Mediawiki || edituserjson || Edit other users' JSON files || sysop, interface-admin || 1.31+ ||  ||  ||  ||  || X|| X ||  ||  ||  || X
 +
|-
 +
| Default Mediawiki || hideuser || Block a username, hiding it from the public - (not available by default) || — || 1.10+ ||  ||  ||  ||  || X|| X ||  ||  ||  || X || X
 +
|-
 +
| Default Mediawiki || import || Import pages from other wikis - “transwiki” || sysop || 1.5+ ||  ||  ||  ||  || X|| X ||  ||  ||  || X ||  || X
 +
|-
 +
| Default Mediawiki || importupload || Import pages from a file upload - This right was called 'importraw' in and before version 1.5 || sysop || 1.5+ ||  ||  ||  ||  || X|| X ||  ||  ||  || X
 +
|-
 +
| Default Mediawiki || ipblock-exempt || Bypass IP blocks, auto-blocks and range blocks || sysop || 1.9+ ||  ||  ||  ||  || X|| X ||  ||  ||  || X
 +
|-
 +
| Default Mediawiki || managechangetags || Create and (de)activate tags - currently unused by extensions || sysop || 1.25+ ||  ||  ||  ||  || X|| X ||  ||  ||  || X
 +
|-
 +
| Default Mediawiki || markbotedits || Mark rolled-back edits as bot edits - see Manual:Administrators#Rollback || sysop || 1.12+ ||  ||  ||  ||  || X|| X ||  ||  ||  || X
 +
|-
 +
| Default Mediawiki || mergehistory || Merge the history of pages || sysop || 1.12+ ||  ||  ||  ||  || X|| X ||  ||  ||  || X
 +
|-
 +
| Default Mediawiki || minoredit || Mark edits as minor || user || 1.6+ ||  ||  || X ||  || X|| X ||  ||  ||  || X ||  || X || X
 +
|-
 +
| Default Mediawiki || move || Move pages - requires the edit right || user, sysop || 1.5+ ||  ||  || X ||  || X|| X ||  ||  ||  || X ||  || X || X
 +
|-
 +
| Default Mediawiki || move-categorypages || Move category pages - requires the move right || user, sysop || 1.25+ ||  ||  || X ||  || X|| X ||  ||  ||  || X ||  || X
 +
|-
 +
| Default Mediawiki || movefile || Move files - requires the move right and $wgAllowImageMoving to be true || user, sysop || 1.14+ ||  ||  || X ||  || X|| X ||  ||  ||  || X ||  || X
 +
|-
 +
| Default Mediawiki || move-rootuserpages || Move root user pages - requires the move right || user, sysop || 1.14+ ||  ||  || X ||  || X|| X ||  ||  ||  || X ||  || X
 +
|-
 +
| Default Mediawiki || move-subpages || Move pages with their subpages - requires the move right || user, sysop || 1.13+ ||  ||  || X ||  || X|| X ||  ||  ||  || X ||  || X
 +
|-
 +
| Default Mediawiki || nominornewtalk  || Not have minor edits to discussion pages trigger the new messages prompt - requires the minor edit right || bot || 1.9+
 +
|-
 +
| Default Mediawiki || noratelimit || Not be affected by rate limits - not affected by rate limits (prior to the introduction of this right, the configuration variable $wgRateLimitsExcludedGroups was used for this purpose) || sysop, bureaucrat || 1.13+ ||  ||  ||  ||  || X|| X ||  || X ||  || X
 +
|-
 +
| Default Mediawiki || override-export-depth || Export pages including linked pages up to a depth of 5 || — || ? || X ||  ||  ||  || X|| X ||  ||  ||  || X
 +
|-
 +
| Default Mediawiki || pagelang || Change page language - $wgPageLanguageUseDB must be true || — || 1.24+ || X ||  ||  ||  || X|| X ||  ||  ||  || X
 +
|-
 +
| Default Mediawiki || patrol || Mark others' edits as patrolled - $wgUseRCPatrol must be true || sysop || 1.5+ ||  ||  ||  ||  || X|| X ||  ||  ||  || X
 +
|-
 +
| Default Mediawiki || patrolmarks || View recent changes patrol marks || — || 1.16+ || X ||  ||  ||  || X|| X ||  ||  ||  || X || X
 +
|-
 +
| Default Mediawiki || protect || Change protection levels and edit cascade-protected pages || sysop || 1.5+ ||  ||  ||  ||  || X|| X ||  ||  ||  ||  ||  || X || X
 +
|-
 +
| Default Mediawiki || purge || Purge the site cache for a page - URL parameter "&action=purge" || user || 1.10+ ||  ||  || X ||  || X|| X ||  ||  ||  || X
 +
|-
 +
| Default Mediawiki || read || Read pages - when set to false, override for specific pages with $wgWhitelistRead ||  || 1.5+ || X ||  ||  || X
 +
|-
 +
| Default Mediawiki || readapi ||  || *, user, bot || 1.13+ || X ||  || X ||  || X|| X || X || X || X || X || X || X || X
 +
|-
 +
| Default Mediawiki || reupload || Overwrite existing files - requires the upload right || user, sysop || 1.6+ ||  ||  || X ||  || X|| X ||  ||  ||  || X || X || X || X
 +
|-
 +
| Default Mediawiki || reupload-own || Overwrite existing files uploaded by oneself - requires the upload right (note that this is not needed if the group already has the reupload right) || — || 1.11+ || X ||  ||  ||  || X|| X ||  ||  ||  || X || X || X || X
 +
|-
 +
| Default Mediawiki || reupload-shared || Override files on the shared media repository locally - (if one is set up) with local files (requires the upload right) || user, sysop || 1.6+ ||  ||  || X ||  || X|| X ||  ||  ||  || X || X || X || X
 +
|-
 +
| Default Mediawiki || rollback || Quickly rollback the edits of the last user who edited a particular page || sysop || 1.5+ ||  ||  ||  ||  || X|| X ||  ||  ||  || X || X
 +
|-
 +
| Default Mediawiki || sendemail || Send email to other users || user || 1.16+ ||  ||  || X ||  || X|| X ||  || X || X || X || X || X || X
 +
|-
 +
| Default Mediawiki || siteadmin || Lock and unlock the database - which blocks all interactions with the web site except viewing. (not available by default) || — || 1.5+ ||  ||  ||  ||  || X|| X ||  ||  || X || X
 +
|-
 +
| Default Mediawiki || suppressionlog || View private logs || — || 1.6+ ||  ||  ||  ||  || X|| X ||  ||  || X || X
 +
|-
 +
| Default Mediawiki || suppressredirect || Not create redirects from source pages when moving pages || bot, sysop || 1.12+ ||  ||  ||  ||  || X|| X ||  ||  ||  || X
 +
|-
 +
| Default Mediawiki || suppressrevision || View, hide and unhide specific revisions of pages from any user - Prior to 1.13 this right was named hiderevision (not available by default) || — || 1.6+ ||  ||  ||  ||  || X|| X ||  ||  ||  || X
 +
|-
 +
| Default Mediawiki || unblockself || Unblock oneself - Without it, an administrator that has the capability to block cannot unblock themselves if blocked by another administrator || sysop || 1.17+ ||  ||  ||  ||  || X|| X ||  ||  ||  || X
 +
|-
 +
| Default Mediawiki || undelete || Undelete a page - requires the deletedhistory right || sysop || 1.12+ ||  ||  ||  ||  || X|| X ||  ||  ||  || X || X || X
 +
|-
 +
| Default Mediawiki || unwatchedpages || View a list of unwatched pages - lists pages that no user has watchlisted || sysop || 1.6+ ||  ||  ||  ||  || X|| X ||  ||  ||  || X
 +
|-
 +
| Default Mediawiki || upload || Upload files - requires the edit right and $wgEnableUploads to be true || user, sysop || 1.5+ ||  ||  || X ||  || X|| X ||  || X || X || X || X || X || X
 +
|-
 +
| Default Mediawiki || upload_by_url || Upload files from a URL - requires the upload right (Prior to 1.20 it was given to sysops) || — || 1.8+ ||  ||  ||  ||  || || X ||  ||  || X || X
 +
|-
 +
| Default Mediawiki || userrights || Edit all user rights - allows the assignment or removal of all* groups to any user. || bureaucrat || 1.5+ ||  ||  ||  ||  || X|| X ||  || X ||  || X
 +
|-
 +
| Default Mediawiki || userrights-interwiki || Edit user rights of users on other wikis || — || 1.12+ ||  ||  ||  ||  || || X ||  ||  || X || X
 +
|-
 +
| Default Mediawiki || viewmyprivateinfo || View your own private data (e.g. email address, real name) || * || 1.22+ || X ||  ||  || X
 +
|-
 +
| Default Mediawiki || viewmywatchlist || View your own watchlist || * || 1.22+ || X ||  ||  || X
 +
|-
 +
| Default Mediawiki || viewsuppressed || View revisions hidden from any user - i.e. a more narrow alternative to "suppressrevision" (note that this is not needed if the group already has the suppressrevision right) || — || 1.24+ ||  ||  ||  ||  || X|| X ||  ||  ||  ||  ||  || X
 +
|-
 +
| Default Mediawiki || writeapi || Use of the write API || *, user, bot || 1.13+ || X ||  || X ||  || X|| X || X || X || X || X || X || X || X
 +
|-
 +
| ExtensionRevsApprove || $egApprovedRevsBlankIfUnapproved ||  || FALSE
 +
|-
 +
| ExtensionRevsApprove || $egApprovedRevsShowApproveLatest ||  || TRUE
 +
|-
 +
| ExtensionRevsApprove || $egApprovedRevsShowNotApprovedMessage  ||  || TRUE
 +
|-
 +
| ExtensionRevsApprove || approverevision ||  ||  ||  || X ||  || X ||  || X|| X ||  ||  ||  ||  || X
 +
|-
 +
| ExtensionRevsApprove || egApprovedRevsAuto$maticApprovals ||  || FALSE
 +
|-
 +
| ExtensionRevsApprove || egApprovedRevsBlan$kIfUnapproved ||  || FALSE
 +
|-
 +
| ExtensionRevsApprove || egApprovedRevsShowNotApprovedMessa$ge ||  || TRUE
 +
|-
 +
| ExtensionRevsApprove || viewapprover ||  ||  ||  || X ||  || X || X || X|| X || X || X || X || X || X || X || X
 +
|-
 +
| ExtensionRevsApprove || viewlinktolatest ||  ||  ||  || X ||  || X ||  || ||  ||  ||  ||  || X || X || X || X
 +
|-
 +
| Extention UserMerge || usermerge ||  ||  ||  ||  ||  ||  ||  || X|| X ||  || X ||  || X
 +
|-
 +
| Extension EditUser || edituser ||  ||  ||  ||  ||  ||  ||  || X|| X ||  || X
 +
|}
 +
 +
 +
<br><br>[[#Top|Back to top of this page]]
 +
<br><br>[[English|Back to Welcome Page]] <br><br>
 +
 +
=== Security matrix of our default solution set up in LocalSettings.php - restricted access ===
 +
{{#ifgroup:Micylou-restricted|
 +
<u>'''Note'''</u> : This part is only visible if user is logged and belongs to the Micylou-restricted security group.
 
<pre>
 
<pre>
 
# Security settings
 
# Security settings
###########################################
+
################################################
# Group restricted categories added by JP #
+
# Group restricted categories added by Micylou #
###########################################
+
################################################
 
# Activation of the extension            ############################################################
 
# Activation of the extension            ############################################################
 
require_once "$IP/extensions/RestrictAccessByCategoryAndGroup/RestrictAccessByCategoryAndGroup.php"; #
 
require_once "$IP/extensions/RestrictAccessByCategoryAndGroup/RestrictAccessByCategoryAndGroup.php"; #
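Review bot: In the header row of the "Roles by groups" table, `administrator Granted!| sysop Granted` uses `!|` where every other header cell is separated by `!!`, so the administrator and sysop headings do not form two separate cells while full rows such as `readapi` and `writeapi` carry 18 cells; change it to `administrator Granted !! sysop Granted` so each X lines up under the group it is meant for. Many rows also stop short of the last column (for example `apihighlimits`, `bot`, `read`); pad them with empty cells so that a missing grant cannot be confused with a shifted one. The rows `egApprovedRevsAuto$maticApprovals`, `egApprovedRevsBlan$kIfUnapproved` and `egApprovedRevsShowNotApprovedMessa$ge` have the `$` inside the name, and the last two repeat settings already listed with the `$` in front. Separately, the restricted section is wrapped only in `{{#ifgroup:Micylou-restricted|`, which conditions what is rendered: the LocalSettings.php text stays in the page source and in revision comparisons like this one, so configuration that must remain restricted should not be stored in a page other groups can read.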
Line 25: Line 241:
 
         $wgGroupPermissions['Wiki-Admin']['Process-Editor'] = true;
 
         $wgGroupPermissions['Wiki-Admin']['Process-Editor'] = true;
 
         $wgGroupPermissions['Wiki-Admin']['Semantic-DBA'] = true;
 
         $wgGroupPermissions['Wiki-Admin']['Semantic-DBA'] = true;
 +
        $wgGroupPermissions['administrator']['Semantic-DBA'] = true;
 +
        $wgGroupPermissions['sysop']['Semantic-DBA'] = true;
  
##################################
+
###############################################################################
# GLOBAL Group permissions reset # other default permissions remain unchanged
+
# GLOBAL Group permissions reset # other default permissions remain unchanged #
#############################################################################
+
###########################################################################################################
$wgGroupPermissions['*']['read']    = false;
+
# Setting '*' to false doesn't disable rights for groups that have the right separately set to true!      #
$wgGroupPermissions['*']['upload'] = false;
+
# To avoid bypass of security because of an update, each right disable command is repeated for each group #
$wgGroupPermissions['*']['createpage'] = false;
+
###########################################################################################################
$wgGroupPermissions['*']['edit'] = false;
+
# Non-registered users rights disabling
$wgGroupPermissions['*']['viewlinktolatest'] = false;
+
$wgGroupPermissions['*']['approverevision']    = false;
$wgGroupPermissions['*']['move'] = false;
+
$wgGroupPermissions['*']['approverevision']    = false;
$wgGroupPermissions['*']['delete'] = false;
+
$wgGroupPermissions['*']['viewapprover']   = false;
$wgGroupPermissions['*']['protect'] = false;
+
$wgGroupPermissions['*']['viewapprover']   = false;
$wgGroupPermissions['*']['createaccount'] = false;
+
$wgGroupPermissions['*']['viewlinktolatest']   = false;
$wgGroupPermissions['*']['createtalk'] = false;
+
$wgGroupPermissions['*']['viewlinktolatest']   = false;
$wgGroupPermissions['*']['applychangetags'] = false;
+
$wgGroupPermissions['*']['applychangetags']   = false;
$wgGroupPermissions['*']['editsemiprotected']    = false;
+
$wgGroupPermissions['*']['changetags']   = false;
$wgGroupPermissions['*']['editprotected']    = false;
+
$wgGroupPermissions['*']['changetags']   = false;
 +
$wgGroupPermissions['*']['createaccount']   = false;
 +
$wgGroupPermissions['*']['createpage']    = false;
 +
$wgGroupPermissions['*']['createpage']    = false;
 +
$wgGroupPermissions['*']['createtalk']   = false;
 +
$wgGroupPermissions['*']['createtalk']    = false;
 +
$wgGroupPermissions['*']['edit']    = false;
 +
$wgGroupPermissions['*']['edit']    = false;
 +
$wgGroupPermissions['*']['editcontentmodel']    = false;
 +
$wgGroupPermissions['*']['editcontentmodel']   = false;
 +
$wgGroupPermissions['*']['editmyoptions']    = false;
 +
$wgGroupPermissions['*']['editmyprivateinfo']    = false;
 
$wgGroupPermissions['*']['minoredit']    = false;
 
$wgGroupPermissions['*']['minoredit']    = false;
 +
$wgGroupPermissions['*']['move']    = false;
 +
$wgGroupPermissions['*']['move-categorypages']    = false;
 +
$wgGroupPermissions['*']['movefile']    = false;
 +
$wgGroupPermissions['*']['move-rootuserpages']    = false;
 +
$wgGroupPermissions['*']['move-subpages']    = false;
 +
$wgGroupPermissions['*']['override-export-depth']    = false;
 +
$wgGroupPermissions['*']['pagelang']    = false;
 +
$wgGroupPermissions['*']['patrolmarks']    = false;
 +
$wgGroupPermissions['*']['purge']    = false;
 +
$wgGroupPermissions['*']['read']    = false;
 +
$wgGroupPermissions['*']['readapi']    = false;
 +
$wgGroupPermissions['*']['readapi']    = false;
 +
$wgGroupPermissions['*']['reupload']    = false;
 +
$wgGroupPermissions['*']['reupload-own']    = false;
 +
$wgGroupPermissions['*']['reupload-shared']    = false;
 
$wgGroupPermissions['*']['sendemail']    = false;
 
$wgGroupPermissions['*']['sendemail']    = false;
$wgGroupPermissions['*']['changetags']    = false;
+
$wgGroupPermissions['*']['upload']    = false;
$wgGroupPermissions['*']['editcontentmodel']    = false;
+
$wgGroupPermissions['*']['viewmyprivateinfo']    = false;
$wgGroupPermissions['*']['editmyoptions']    = false;
+
$wgGroupPermissions['*']['viewmywatchlist']    = false;
$wgGroupPermissions['*']['editmyprivateinfo']    = false;
+
$wgGroupPermissions['*']['writeapi']    = false;
$wgGroupPermissions['*']['editmyusercss']    = false;
 
$wgGroupPermissions['*']['editmyuserjs']    = false;
 
$wgGroupPermissions['*']['editmyuserjson']    = false;
 
 
$wgGroupPermissions['*']['writeapi']    = false;
 
$wgGroupPermissions['*']['writeapi']    = false;
$wgGroupPermissions['*']['readapi']    = false;
+
# Registered user group
 
+
$wgGroupPermissions['user']['approverevision']    = false;
### same restrictions for user accounts but reading unprotected pages is allowed
+
$wgGroupPermissions['user']['approverevision']    = false;
#################################################################################
+
$wgGroupPermissions['user']['viewapprover']    = false;
$wgGroupPermissions['user']['read'] = true;
+
$wgGroupPermissions['user']['viewapprover']    = false;
$wgGroupPermissions['user']['upload'] = false;
+
$wgGroupPermissions['user']['viewlinktolatest']   = false;
$wgGroupPermissions['user']['createpage'] = false;
+
$wgGroupPermissions['user']['viewlinktolatest']   = false;
$wgGroupPermissions['user']['edit'] = false;
+
$wgGroupPermissions['user']['applychangetags']   = false;
$wgGroupPermissions['user']['viewlinktolatest'] = false;
+
$wgGroupPermissions['user']['changetags']   = false;
$wgGroupPermissions['user']['move'] = false;
+
$wgGroupPermissions['user']['changetags']   = false;
$wgGroupPermissions['user']['delete'] = false;
+
$wgGroupPermissions['user']['createaccount']   = false;
$wgGroupPermissions['user']['protect'] = false;
+
$wgGroupPermissions['user']['createpage']   = false;
$wgGroupPermissions['user']['createaccount'] = false;
+
$wgGroupPermissions['user']['createpage']   = false;
$wgGroupPermissions['user']['createtalk'] = false;
+
$wgGroupPermissions['user']['createtalk']   = false;
$wgGroupPermissions['user']['applychangetags'] = false;
+
$wgGroupPermissions['user']['createtalk']   = false;
$wgGroupPermissions['user']['editsemiprotected']    = false;
+
$wgGroupPermissions['user']['edit']    = false;
$wgGroupPermissions['user']['editprotected']    = false;
+
$wgGroupPermissions['user']['edit']    = false;
 +
$wgGroupPermissions['user']['editcontentmodel']    = false;
 +
$wgGroupPermissions['user']['editcontentmodel']   = false;
 +
$wgGroupPermissions['user']['editmyoptions']    = false;
 +
$wgGroupPermissions['user']['editmyprivateinfo']    = false;
 
$wgGroupPermissions['user']['minoredit']    = false;
 
$wgGroupPermissions['user']['minoredit']    = false;
 +
$wgGroupPermissions['user']['move']    = false;
 +
$wgGroupPermissions['user']['move-categorypages']    = false;
 +
$wgGroupPermissions['user']['movefile']    = false;
 +
$wgGroupPermissions['user']['move-rootuserpages']    = false;
 +
$wgGroupPermissions['user']['move-subpages']    = false;
 +
$wgGroupPermissions['user']['override-export-depth']    = false;
 +
$wgGroupPermissions['user']['pagelang']    = false;
 +
$wgGroupPermissions['user']['patrolmarks']    = false;
 +
$wgGroupPermissions['user']['purge']    = false;
 +
$wgGroupPermissions['user']['read']    = true; # Registered users can ready public files on the wiki.
 +
$wgGroupPermissions['user']['readapi']    = false;
 +
$wgGroupPermissions['user']['readapi']    = false;
 +
$wgGroupPermissions['user']['reupload']    = false;
 +
$wgGroupPermissions['user']['reupload-own']    = false;
 +
$wgGroupPermissions['user']['reupload-shared']    = false;
 
$wgGroupPermissions['user']['sendemail']    = false;
 
$wgGroupPermissions['user']['sendemail']    = false;
$wgGroupPermissions['user']['changetags']    = false;
+
$wgGroupPermissions['user']['upload']    = false;
$wgGroupPermissions['user']['editcontentmodel']    = false;
+
$wgGroupPermissions['user']['viewmyprivateinfo']    = false;
$wgGroupPermissions['user']['editmyoptions']    = true;
+
$wgGroupPermissions['user']['viewmywatchlist']    = false;
$wgGroupPermissions['user']['editmyprivateinfo']    = false; ### information is populated by the Active Directory
+
$wgGroupPermissions['user']['writeapi']    = false;
$wgGroupPermissions['user']['editmyusercss']    = false;
 
$wgGroupPermissions['user']['editmyuserjs']    = false;
 
$wgGroupPermissions['user']['editmyuserjson']    = false;
 
 
$wgGroupPermissions['user']['writeapi']    = false;
 
$wgGroupPermissions['user']['writeapi']    = false;
$wgGroupPermissions['user']['readapi']    = false;
 
  
 
### Specific permissions (sub-)linked to user groups
 
### Specific permissions (sub-)linked to user groups
$wgAllowImageMoving = true; // by default to registered user groups who do have the$
+
##### Image moving#####
$wgBlockDisablesLogin = true; // for sysop group
+
$wgAllowImageMoving = true; // by default to registered user groups who do have the $wgBlockDisablesLogin = true; // for sysop group
##### Read/Write API #####
+
 
$wgGroupPermissions['administrator']['readeapi'] = true;
+
##### applychangetags #####
$wgGroupPermissions['sysop']['readapi'] = true;
+
$wgGroupPermissions['administrator']['applychangetags'] = true;
$wgGroupPermissions['bot']['readapi'] = true;
+
$wgGroupPermissions['sysop']['applychangetags'] = true;
$wgGroupPermissions['Wiki-Admin']['readapi'] = true;
+
$wgGroupPermissions['Wiki-Editor']['applychangetags'] = true;
$wgGroupPermissions['Wiki-Editor']['readapi'] = true;
+
 
$wgGroupPermissions['user']['readapi']   = true;
+
#### REVISIONS ####
$wgGroupPermissions['administrator']['writeapi'] = true;
+
 
$wgGroupPermissions['sysop']['writeapi'] = true;
+
# enabling ApproveRevs extension
$wgGroupPermissions['bot']['writeapi'] = true;
+
        wfLoadExtension( 'ApprovedRevs' );
$wgGroupPermissions['Wiki-Admin']['writeapi'] = true;
+
        $wgGroupPermissions['*']['viewlinktolatest'] = false;
$wgGroupPermissions['Wiki-Editor']['writeapi'] = true;
+
        $wgGroupPermissions['sysop']['viewlinktolatest'] = true;
$wgGroupPermissions['user']['writeapi']   = true;
+
        $wgGroupPermissions['Wikidoc-Admin']['viewlinktolatest'] = true;
 +
        $wgGroupPermissions['Wikidoc-Admin-Rev']['viewlinktolatest'] = true;
 +
 
 +
//'approverevisions' is the permission to approve and unapprove revisions of pages.
 +
//      By default it is given to all members of the 'sysop' group
 +
//'viewlinktolatest' is the "permission" to see a note at the top of pages that have an approved revision,
 +
//      explaining that what the user is seeing is not necessarily the latest revision
 +
//'viewapprover' is the "permission" to see another note at the top of pages that have an approved revision,
 +
//      stating who last approved it. By default it is given to all members of the 'sysop' group
 +
##### Approve Revision #####
 +
        $wgGroupPermissions['administrator']['approverevisions'] = true;
 +
        $wgGroupPermissions['sysop']['approverevisions'] = true; ### this is normally by default
 +
        $wgGroupPermissions['Wikidoc-Admin-Rev']['approverevision'] = true;
 +
 
 +
##### View latest version link #####
 +
        $wgGroupPermissions['*']['viewlinktolatest'] = false;
 +
        $wgGroupPermissions['user']['viewlinktolatest'] = false;
 +
        $wgGroupPermissions['sysop']['viewlinktolatest'] = true;
 +
        $wgGroupPermissions['Wikidoc-Admin']['viewlinktolatest'] = true;
 +
        $wgGroupPermissions['Wikidoc-Admin-Rev']['viewlinktolatest'] = true;
 +
 
 +
##### View Approver #####
 +
        $wgGroupPermissions['user']['viewapprover'] = true;
 +
 
 +
##### Delete Revision #####
 +
        $wgGroupPermissions['administrator']['deleterevision'] = true;
 +
        $wgGroupPermissions['sysop']['deleterevision'] = true;
 +
        $wgGroupPermissions['Wikidoc-Admin-Rev']['deleterevision'] = true;
 +
 
 +
//automatic approvals by groups with approverevision true
 +
        $egApprovedRevsAutomaticApprovals = false;
 +
 
 +
//Displaying unapproved pages as blank
 +
        $egApprovedRevsBlankIfUnapproved = false; ### to be set to true for clean-up
 +
 
 +
//Indicating unapproved pages
 +
        $egApprovedRevsShowNotApprovedMessage = true;
 +
        $egApprovedRevsShowApproveLatest = true;
  
##### Account creation #####
+
##### ['autocreateaccount'] #####
$wgGroupPermissions['administrator']['createaccount'] = true;
+
$wgGroupPermissions['*']['autocreateaccount'] = true;
$wgGroupPermissions['sysop']['createaccount'] = true;
 
$wgGroupPermissions['bureaucrat']['createaccount'] = true;
 
$wgGroupPermissions['Wiki-Admin']['createaccount'] = true;
 
  
##### Account Edition #####
+
##### autopatrol #####
##### Required the EditAccount extension #####
+
$wgGroupPermissions['Wiki-Admin']['autopatrol'] = true;
# Enabling EditAccount
+
$wgGroupPermissions['Wiki-Moderator']['autopatrol'] = true;
#        wfLoadExtension( 'EditAccount' );
 
#        $wgGroupPermissions['bureaucrat']['editaccount'] = true;
 
#        $wgGroupPermissions['bureaucrat']['sysop'] = true;
 
  
##### User Merge #####
+
##### bigdelete #####
        wfLoadExtension( 'UserMerge' );
+
$wgGroupPermissions['sysop']['bigdelete'] = true;
        // By default nobody can use this function, enable for bureaucrat?
+
$wgGroupPermissions['Wiki-Admin']['bigdelete'] = true;
        $wgGroupPermissions['bureaucrat']['usermerge'] = true;
 
        $wgGroupPermissions['Wiki-Server-Admin']['usermerge'] = true;
 
        $wgGroupPermissions['sysop']['usermerge'] = true;
 
        // optional: default is array( 'sysop' )
 
        // $wgUserMergeProtectedGroups = array( 'groupname' );
 
  
##### Edit semi-protected pages ##### Edit pages protected as "Allow only autoconfirmed users" - without cascading protection
+
##### block #####
$wgGroupPermissions['administrator']['editsemiprotected'] = true;
+
$wgGroupPermissions['sysop']['block'] = true;
$wgGroupPermissions['sysop']['editsemiprotected'] = true;
+
$wgGroupPermissions['Linux-Admin']['block'] = true;
$wgGroupPermissions['Wiki-Admin']['editsemiprotected'] = true;
+
$wgGroupPermissions['Wiki-Admin']['block'] = true;
  
##### Mark edit as minor #####
+
##### blockemail #####
$wgGroupPermissions['administrator']['minoredit'] = true;
+
$wgGroupPermissions['sysop']['blockemail'] = true;
$wgGroupPermissions['sysop']['minoredit'] = true;
+
$wgGroupPermissions['Linux-Admin']['blockemail'] = true;
$wgGroupPermissions['Wiki-Admin']['minoredit'] = true;
+
$wgGroupPermissions['Wiki-Admin']['blockemail'] = true;
$wgGroupPermissions['Wiki-Editor']['minoredit'] = true;
+
$wgGroupPermissions['Wiki-Moderator']['blockemail'] = true;
  
##### Send Email ##### Send email to other users
+
##### browsearchive #####
$wgGroupPermissions['administrator']['sendemail'] = true;
+
$wgGroupPermissions['administrator']['browsearchive'] = true;
$wgGroupPermissions['sysop']['sendemail'] = true;
+
$wgGroupPermissions['sysop']['browsearchive'] = true;
$wgGroupPermissions['Wiki-Admin']['sendemail'] = true;
+
$wgGroupPermissions['Wiki-Admin']['browsearchive'] = true;
$wgGroupPermissions['Wiki-Editor']['sendemail'] = true;
+
$wgGroupPermissions['Wiki-Moderator']['browsearchive'] = true;
 +
$wgGroupPermissions['Wiki-Editor']['browsearchive'] = true;
  
##### Edit content model ##### Edit the content model of a page
+
##### changetags #####
$wgGroupPermissions['administrator']['editcontentmodel'] = true;
+
$wgGroupPermissions['administrator']['changetags'] = true;
$wgGroupPermissions['sysop']['editcontentmodel'] = true;
+
$wgGroupPermissions['sysop']['changetags'] = true;
$wgGroupPermissions['Wiki-Admin']['editcontentmodel'] = true;
+
$wgGroupPermissions['Wiki-Admin']['changetags'] = true;
 +
$wgGroupPermissions['Wiki-Moderator']['changetags'] = true;
 +
$wgGroupPermissions['Wiki-Editor']['changetags'] = true;
  
### Upload permissions
+
##### createaccount #####
######################
+
$wgGroupPermissions['administrator']['createaccount'] = true;
##### To enable image uploads, make sure the 'images' directory is writable (chmod777), the$
+
$wgGroupPermissions['sysop']['createaccount'] = true;
$wgEnableUploads = true;
+
$wgGroupPermissions['Bureaucrat']['createaccount'] = true;
#####  Upload permissions ##### restricted to groups (requires createpage permission as welll - each upload has one page create>
+
$wgGroupPermissions['Wiki-Admin']['createaccount'] = true;
$wgGroupPermissions['administrator']['upload'] = true;
 
$wgGroupPermissions['sysop']['upload'] = true;
 
$wgGroupPermissions['Wiki-Admin']['upload'] = true;
 
$wgGroupPermissions['Wiki-Editor']['upload'] = true;
 
  
##### Page creation #####
+
##### createpage #####
 
$wgGroupPermissions['administrator']['createpage'] = true;
 
$wgGroupPermissions['administrator']['createpage'] = true;
 
$wgGroupPermissions['sysop']['createpage'] = true;
 
$wgGroupPermissions['sysop']['createpage'] = true;
 
$wgGroupPermissions['Wiki-Admin']['createpage'] = true;
 
$wgGroupPermissions['Wiki-Admin']['createpage'] = true;
 +
$wgGroupPermissions['Wiki-Moderator']['createpage'] = true;
 
$wgGroupPermissions['Wiki-Editor']['createpage'] = true;
 
$wgGroupPermissions['Wiki-Editor']['createpage'] = true;
 +
$wgGroupPermissions['Wiki-Updater']['createpage'] = true;
  
##### Page edition #####
+
##### createtalk #####
$wgGroupPermissions['administrator']['edit'] = true;
+
$wgGroupPermissions['administrator']['createtalk'] = true;
$wgGroupPermissions['sysop']['edit'] = true;
+
$wgGroupPermissions['sysop']['createtalk'] = true;
$wgGroupPermissions['Wiki-Admin']['edit'] = true;
+
$wgGroupPermissions['Wiki-Admin']['createtalk'] = true;
$wgGroupPermissions['Wiki-Editor']['edit'] = true;
 
 
 
##### Page Move #####
 
$wgGroupPermissions['administrator']['move'] = true;
 
$wgGroupPermissions['sysop']['move'] = true;
 
$wgGroupPermissions['Wiki-Admin']['move'] = true;
 
$wgGroupPermissions['Wiki-Editor']['move'] = true;
 
  
##### Page Delete #####
+
##### delete #####
 
$wgGroupPermissions['administrator']['delete'] = true;
 
$wgGroupPermissions['administrator']['delete'] = true;
 
$wgGroupPermissions['sysop']['delete'] = true;
 
$wgGroupPermissions['sysop']['delete'] = true;
$wgGroupPermissions['Wiki-Admin']['delete'] = true;
+
$wgGroupPermissions['Linux-Admin']['delete'] = true;
$wgGroupPermissions['Wiki-Editor']['delete'] = true; ### verify with Team Leaders for this
+
$wgGroupPermissions['Wiki-Admin']['delete'] = true;
 +
$wgGroupPermissions['Wiki-Moderator']['delete'] = true;
 +
$wgGroupPermissions['Wiki-Editor']['delete'] = true;
 +
$wgGroupPermissions['Wiki-Updater']['delete'] = true;
  
##### Page Protect #####
+
##### deletechangetags #####
$wgGroupPermissions['administrator']['protect'] = true;
+
$wgGroupPermissions['Wiki-Admin']['deletechangetags'] = true;
$wgGroupPermissions['sysop']['protect'] = true;
 
$wgGroupPermissions['Wiki-Admin']['protect'] = true;
 
$wgGroupPermissions['Wiki-Editor']['protect'] = true;
 
  
##### Deleted History ##### View deleted history entries, without their associated text
+
##### deletedhistory #####
$wgGroupPermissions['administrator']['deletedhistory'] = true;
+
$wgGroupPermissions['administrator']['deletedhistory'] = true;
 
$wgGroupPermissions['sysop']['deletedhistory'] = true;
 
$wgGroupPermissions['sysop']['deletedhistory'] = true;
$wgGroupPermissions['Wiki-Admin']['deletedhistory'] = true;
+
$wgGroupPermissions['Wiki-Admin']['deletedhistory'] = true;
$wgGroupPermissions['Wiki-Editor']['deletedhistory'] = true; ### verify with Team Leaders for this
+
$wgGroupPermissions['Wiki-Moderator']['deletedhistory'] = true;
 +
$wgGroupPermissions['Wiki-Editor']['deletedhistory'] = true;
 +
$wgGroupPermissions['Wiki-Updater']['deletedhistory'] = true;
  
##### Deteted text #####
+
##### deletedtext #####
$wgGroupPermissions['administrator']['deletedtext'] = true;
+
$wgGroupPermissions['administrator']['deletedtext'] = true;
 
$wgGroupPermissions['sysop']['deletedtext'] = true;
 
$wgGroupPermissions['sysop']['deletedtext'] = true;
#$wgGroupPermissions['Wiki-Admin']['deletedtext'] = true;
+
$wgGroupPermissions['Wiki-Admin']['deletedtext'] = true;
#$wgGroupPermissions['Wiki-Editor']['deletedtext'] = true; ### verify with Team Leaders for this
+
$wgGroupPermissions['Wiki-Moderator']['deletedtext'] = true;
 +
$wgGroupPermissions['Wiki-Editor']['deletedtext'] = true;
 +
$wgGroupPermissions['Wiki-Updater']['deletedtext'] = true;
  
##### Deteted log entry #####
+
##### deletelogentry #####
$wgGroupPermissions['administrator']['deletelogentry'] = true;
+
$wgGroupPermissions['administrator']['deletelogentry'] = true;
 
$wgGroupPermissions['sysop']['deletelogentry'] = true;
 
$wgGroupPermissions['sysop']['deletelogentry'] = true;
  
##### Undelete #####
+
##### deleterevision #####
$wgGroupPermissions['administrator']['undelete'] = true;
+
$wgGroupPermissions['administrator']['deleterevision'] = true;
$wgGroupPermissions['sysop']['undelete'] = true;
+
$wgGroupPermissions['sysop']['deleterevision'] = true;
$wgGroupPermissions['Wiki-Admin']['undelete'] = true;
+
$wgGroupPermissions['Wiki-Admin']['deleterevision'] = true;
$wgGroupPermissions['Wiki-Editor']['undelete'] = true; ### verify with Team Leaders for $
+
$wgGroupPermissions['Wiki-Moderator']['deleterevision'] = true;
 +
$wgGroupPermissions['Wiki-Editor']['deleterevision'] = true;
 +
 
 +
 
 +
##### edit #####
 +
$wgGroupPermissions['administrator']['edit'] = true;
 +
$wgGroupPermissions['sysop']['edit'] = true;
 +
$wgGroupPermissions['Wiki-Editor']['edit'] = true;
 +
$wgGroupPermissions['Wiki-Updater']['edit'] = true;
 +
 
 +
##### editcontentmodel #####
 +
$wgGroupPermissions['administrator']['editcontentmodel'] = true;
 +
$wgGroupPermissions['sysop']['editcontentmodel'] = true;
 +
$wgGroupPermissions['Wiki-Admin']['editcontentmodel'] = true;
 +
$wgGroupPermissions['Wiki-Moderator']['editcontentmodel'] = true;
 +
$wgGroupPermissions['Wiki-Editor']['editcontentmodel'] = true;
 +
 
 +
##### editinterface #####
 +
$wgGroupPermissions['administrator']['editinterface'] = true;
 +
$wgGroupPermissions['sysop']['editinterface'] = true;
 +
$wgGroupPermissions['Wiki-Admin']['editinterface'] = true;
 +
 
 +
##### editmyoptions #####
 +
$wgGroupPermissions['administrator']['editmyoptions'] = true;
 +
$wgGroupPermissions['sysop']['editmyoptions'] = true;
 +
$wgGroupPermissions['Wiki-Admin']['editmyoptions'] = true;
 +
$wgGroupPermissions['Wiki-Moderator']['editmyoptions'] = true;
 +
$wgGroupPermissions['Wiki-Editor']['editmyoptions'] = true;
 +
$wgGroupPermissions['Wiki-Updater']['editmyoptions'] = true;
 +
 
 +
##### editmyprivateinfo #####
 +
$wgGroupPermissions['administrator']['editmyprivateinfo'] = true;
 +
$wgGroupPermissions['sysop']['editmyprivateinfo'] = true;
 +
$wgGroupPermissions['Wiki-Admin']['editmyprivateinfo'] = true;
 +
$wgGroupPermissions['Wiki-Moderator']['editmyprivateinfo'] = true;
 +
$wgGroupPermissions['Wiki-Editor']['editmyprivateinfo'] = true;
 +
$wgGroupPermissions['Wiki-Updater']['editmyprivateinfo'] = true;
 +
 
 +
##### editmyusercss #####
 +
$wgGroupPermissions['user']['editmyusercss'] = true;
 +
 
 +
##### editmyuserjs #####
 +
$wgGroupPermissions['user']['editmyuserjs'] = true;
 +
 
 +
##### editmyuserjson #####
 +
$wgGroupPermissions['user']['editmyuserjson'] = true;
 +
 
 +
##### editmywatchlist #####
 +
$wgGroupPermissions['user']['editmywatchlist'] = true;
 +
 
 +
##### editprotected #####
 +
$wgGroupPermissions['administrator']['editprotected'] = true;
 +
$wgGroupPermissions['sysop']['editprotected'] = true;
 +
$wgGroupPermissions['Wiki-Admin']['editprotected'] = true;
 +
$wgGroupPermissions['Wiki-Moderator']['editprotected'] = true;
 +
$wgGroupPermissions['Wiki-Editor']['editprotected'] = true;
 +
 
 +
##### editsemiprotected #####
 +
$wgGroupPermissions['administrator']['editsemiprotected'] = true;
 +
$wgGroupPermissions['sysop']['editsemiprotected'] = true;
 +
$wgGroupPermissions['Wiki-Admin']['editsemiprotected'] = true;
 +
$wgGroupPermissions['Wiki-Moderator']['editsemiprotected'] = true;
 +
$wgGroupPermissions['Wiki-Editor']['editsemiprotected'] = true;
 +
 
 +
##### editsitecss #####
 +
$wgGroupPermissions['administrator']['editsitecss'] = true;
 +
$wgGroupPermissions['sysop']['editsitecss'] = true;
 +
$wgGroupPermissions['Wiki-Admin']['editsitecss'] = true;
 +
 
 +
##### editsitejs #####
 +
$wgGroupPermissions['administrator']['editsitejs'] = true;
 +
$wgGroupPermissions['sysop']['editsitejs'] = true;
 +
$wgGroupPermissions['Wiki-Admin']['editsitejs'] = true;
 +
 
 +
##### editsitejson #####
 +
$wgGroupPermissions['administrator']['editsitejson'] = true;
 +
$wgGroupPermissions['sysop']['editsitejson'] = true;
 +
$wgGroupPermissions['Wiki-Admin']['editsitejson'] = true;
 +
 
 +
##### editusercss #####
 +
$wgGroupPermissions['administrator']['editusercss'] = true;
 +
$wgGroupPermissions['sysop']['editusercss'] = true;
 +
$wgGroupPermissions['Wiki-Admin']['editusercss'] = true;
 +
 
 +
##### Extension EditUser #####
 +
        // Activation
 +
        wfLoadExtension( 'EditUser' );
 +
        // Configuration
 +
        $wgGroupPermissions['bureaucrat']['edituser'] = true;
 +
        $wgGroupPermissions['sysop']['edituser-exempt'] = true;
 +
$wgGroupPermissions['administrator']['edituser'] = true;
 +
 
 +
##### edituserjs #####
 +
$wgGroupPermissions['administrator']['edituserjs'] = true;
 +
$wgGroupPermissions['sysop']['edituserjs'] = true;
 +
$wgGroupPermissions['Wiki-Admin']['edituserjs'] = true;
 +
 
 +
##### edituserjson  #####
 +
$wgGroupPermissions['administrator']['edituserjson'] = true;
 +
$wgGroupPermissions['sysop']['edituserjson'] = true;
 +
$wgGroupPermissions['Wiki-Admin']['edituserjson'] = true;
 +
 
 +
##### hideuser #####
 +
$wgGroupPermissions['administrator']['hideuser'] = true;
 +
$wgGroupPermissions['sysop']['hideuser'] = true;
 +
$wgGroupPermissions['Wiki-Admin']['hideuser'] = true; $wgGroupPermissions['Wiki-Moderator']['hideuser'] = true;
 +
 
 +
##### import #####
 +
$wgGroupPermissions['administrator']['import'] = true;
 +
$wgGroupPermissions['sysop']['import'] = true;
 +
$wgGroupPermissions['Wiki-Admin']['import'] = true;
 +
$wgGroupPermissions['Wiki-Editor']['import'] = true;
 +
 
 +
##### importupload #####
 +
$wgGroupPermissions['administrator']['importupload'] = true;
 +
$wgGroupPermissions['sysop']['importupload'] = true;
 +
$wgGroupPermissions['Wiki-Admin']['importupload'] = true;
 +
 
 +
##### ipblock-exempt #####
 +
$wgGroupPermissions['administrator']['ipblock-exempt'] = true;
 +
$wgGroupPermissions['sysop']['ipblock-exempt'] = true;
 +
$wgGroupPermissions['Wiki-Admin']['ipblock-exempt'] = true;
 +
 
 +
##### managechangetags #####
 +
$wgGroupPermissions['administrator']['managechangetags'] = true;
 +
$wgGroupPermissions['sysop']['managechangetags'] = true;
 +
$wgGroupPermissions['Wiki-Admin']['managechangetags'] = true;
 +
 
 +
##### markbotedits #####
 +
$wgGroupPermissions['administrator']['markbotedits'] = true;
 +
$wgGroupPermissions['sysop']['markbotedits'] = true;
 +
$wgGroupPermissions['Wiki-Admin']['markbotedits'] = true;
 +
 
 +
##### mergehistory #####
 +
$wgGroupPermissions['administrator']['mergehistory'] = true;
 +
$wgGroupPermissions['sysop']['mergehistory'] = true;
 +
$wgGroupPermissions['Wiki-Admin']['mergehistory'] = true;
 +
 
 +
##### minoredit #####
 +
$wgGroupPermissions['administrator']['minoredit'] = true;
 +
$wgGroupPermissions['sysop']['minoredit'] = true;
 +
$wgGroupPermissions['Wiki-Admin']['minoredit'] = true;
 +
$wgGroupPermissions['Wiki-Editor']['minoredit'] = true;
 +
$wgGroupPermissions['Wiki-Updater']['minoredit'] = true;
 +
 
 +
##### move #####
 +
$wgGroupPermissions['administrator']['move'] = true;
 +
$wgGroupPermissions['sysop']['move'] = true;
 +
$wgGroupPermissions['Wiki-Admin']['move'] = true;
 +
$wgGroupPermissions['Wiki-Editor']['move'] = true;
 +
$wgGroupPermissions['Wiki-Updater']['move'] = true;
 +
 
 +
##### move-categorypages #####
 +
$wgGroupPermissions['administrator']['move-categorypages'] = true;
 +
$wgGroupPermissions['sysop']['move-categorypages'] = true;
 +
$wgGroupPermissions['Wiki-Admin']['move-categorypages'] = true;
 +
$wgGroupPermissions['Wiki-Editor']['move-categorypages'] = true;
 +
 
 +
##### movefile #####
 +
$wgGroupPermissions['administrator']['movefile'] = true;
 +
$wgGroupPermissions['sysop']['movefile'] = true;
 +
$wgGroupPermissions['Wiki-Admin']['movefile'] = true;
 +
$wgGroupPermissions['Wiki-Editor']['movefile'] = true;
 +
 
 +
##### move-rootuserpages #####
 +
$wgGroupPermissions['administrator']['move-rootuserpages'] = true;
 +
$wgGroupPermissions['sysop']['move-rootuserpages'] = true;
 +
$wgGroupPermissions['Wiki-Admin']['move-rootuserpages'] = true;
 +
$wgGroupPermissions['Wiki-Editor']['move-rootuserpages'] = true;
 +
 
 +
##### move-subpages #####
 +
$wgGroupPermissions['administrator']['move-subpages'] = true;
 +
$wgGroupPermissions['sysop']['move-subpages'] = true;
 +
$wgGroupPermissions['Wiki-Admin']['move-subpages'] = true;
 +
$wgGroupPermissions['Wiki-Editor']['move-subpages'] = true;
 +
 
 +
##### nominornewtalk #####
 +
 
 +
 
 +
##### noratelimit #####
 +
$wgGroupPermissions['administrator']['noratelimit'] = true;
 +
$wgGroupPermissions['sysop']['noratelimit'] = true;
 +
$wgGroupPermissions['Bureaucrat']['noratelimit'] = true;
 +
$wgGroupPermissions['Wiki-Admin']['noratelimit'] = true;
 +
 
 +
##### override-export-depth #####
 +
$wgGroupPermissions['administrator']['override-export-depth'] = true;
 +
$wgGroupPermissions['sysop']['override-export-depth'] = true;
 +
$wgGroupPermissions['Wiki-Admin']['override-export-depth'] = true;
  
##### Browse archive #### Search deleted pages - through Special:Undelete
+
##### pagelang #####
$wgGroupPermissions['administrator']['browsearchive'] = true;
+
$wgGroupPermissions['administrator']['pagelang'] = true;
$wgGroupPermissions['sysop']['browsearchive'] = true;
+
$wgGroupPermissions['sysop']['pagelang'] = true;
$wgGroupPermissions['Wiki-Admin']['browsearchive'] = true;
+
$wgGroupPermissions['Wiki-Admin']['pagelang'] = true;
$wgGroupPermissions['Wiki-Editor']['browsearchive'] = true;
 
  
#### REVISIONS ####
+
##### patrol #####
 +
$wgGroupPermissions['administrator']['patrol'] = true;
 +
$wgGroupPermissions['sysop']['patrol'] = true;
 +
$wgGroupPermissions['Wiki-Admin']['patrol'] = true;
  
# enabling ApproveRevs extension
+
##### patrolmarks #####
        wfLoadExtension( 'ApprovedRevs' );
+
$wgGroupPermissions['administrator']['patrolmarks'] = true;
        $wgGroupPermissions['*']['viewlinktolatest'] = false;
+
$wgGroupPermissions['sysop']['patrolmarks'] = true;
        $wgGroupPermissions['sysop']['viewlinktolatest'] = true;
+
$wgGroupPermissions['Wiki-Admin']['patrolmarks'] = true;
        $wgGroupPermissions['Wikidoc-Admin']['viewlinktolatest'] = true;
+
$wgGroupPermissions['Wiki-Moderator']['patrolmarks'] = true;
        $wgGroupPermissions['Wikidoc-Admin-Rev']['viewlinktolatest'] = true;
 
  
//'approverevisions' is the permission to approve and unapprove revisions of pages.
+
##### protect #####
//      By default it is given to all members of the 'sysop' group
+
$wgGroupPermissions['administrator']['protect'] = true;
//'viewlinktolatest' is the "permission" to see a note at the top of pages that have an approved revision,
+
$wgGroupPermissions['sysop']['protect'] = true;
//      explaining that what the user is seeing is not necessarily the latest revision
+
$wgGroupPermissions['Wiki-Admin']['protect'] = true;
//'viewapprover' is the "permission" to see another note at the top of pages that have an approved revision,
+
$wgGroupPermissions['Wiki-Editor']['protect'] = true;
//      stating who last approved it. By default it is given to all members of the 'sysop' group
+
$wgGroupPermissions['Wiki-Updater']['protect'] = true;
##### Approve Revision #####
 
$wgGroupPermissions['administrator']['approverevisions'] = true;
 
$wgGroupPermissions['sysop']['approverevisions'] = true; ### this is normally by default
 
$wgGroupPermissions['Wikidoc-Admin-Rev']['approverevision'] = true;
 
  
##### View latest version link #####
+
##### purge #####
        $wgGroupPermissions['*']['viewlinktolatest'] = false;
+
$wgGroupPermissions['administrator']['purge'] = true;
        $wgGroupPermissions['user']['viewlinktolatest'] = false;
+
$wgGroupPermissions['sysop']['purge'] = true;
        $wgGroupPermissions['sysop']['viewlinktolatest'] = true;
+
$wgGroupPermissions['Wiki-Admin']['purge'] = true;
        $wgGroupPermissions['Wikidoc-Admin']['viewlinktolatest'] = true;
 
        $wgGroupPermissions['Wikidoc-Admin-Rev']['viewlinktolatest'] = true;
 
  
 +
##### read #####
 +
$wgGroupPermissions['user']['read'] = true;
  
##### View Approver #####
 
$wgGroupPermissions['user']['viewapprover'] = true;
 
  
##### Delete Revision #####
+
##### readapi #####
$wgGroupPermissions['administrator']['deleterevision'] = true;
+
$wgGroupPermissions['administrator']['readapi'] = true;
$wgGroupPermissions['sysop']['deleterevision'] = true;
+
$wgGroupPermissions['sysop']['readapi'] = true;
$wgGroupPermissions['Wikidoc-Admin-Rev']['deleterevision'] = true;
+
$wgGroupPermissions['Bot']['readapi'] = true;
 +
$wgGroupPermissions['Bureaucrat']['readapi'] = true;
 +
$wgGroupPermissions['Linux-Admin']['readapi'] = true;
 +
$wgGroupPermissions['Wiki-Admin']['readapi'] = true;
 +
$wgGroupPermissions['Wiki-Moderator']['readapi'] = true;
 +
$wgGroupPermissions['Wiki-Editor']['readapi'] = true;
 +
$wgGroupPermissions['Wiki-Updater']['readapi'] = true;
  
//automatic approvals by groups with approverevision true
+
##### reupload #####
$egApprovedRevsAutomaticApprovals = false;
+
$wgGroupPermissions['administrator']['reupload'] = true;
 +
$wgGroupPermissions['sysop']['reupload'] = true;
 +
$wgGroupPermissions['Wiki-Admin']['reupload'] = true;
 +
$wgGroupPermissions['Wiki-Moderator']['reupload'] = true;
 +
$wgGroupPermissions['Wiki-Editor']['reupload'] = true;
 +
$wgGroupPermissions['Wiki-Updater']['reupload'] = true;
  
//Displaying unapproved pages as blank
+
##### reupload-own #####
$egApprovedRevsBlankIfUnapproved = false; ### to be set to true for clean-up
+
$wgGroupPermissions['administrator']['reupload-own'] = true;
 +
$wgGroupPermissions['sysop']['reupload-own'] = true;
 +
$wgGroupPermissions['Wiki-Admin']['reupload-own'] = true;
 +
$wgGroupPermissions['Wiki-Moderator']['reupload-own'] = true;
 +
$wgGroupPermissions['Wiki-Editor']['reupload-own'] = true;
 +
$wgGroupPermissions['Wiki-Updater']['reupload-own'] = true;
  
//Indicating unapproved pages
+
##### reupload-shared #####
$egApprovedRevsShowNotApprovedMessage = true;
+
$wgGroupPermissions['administrator']['reupload-shared'] = true;
$egApprovedRevsShowApproveLatest = true;
+
$wgGroupPermissions['sysop']['reupload-shared'] = true;
 +
$wgGroupPermissions['Wiki-Admin']['reupload-shared'] = true;
 +
$wgGroupPermissions['Wiki-Moderator']['reupload-shared'] = true;
 +
$wgGroupPermissions['Wiki-Editor']['reupload-shared'] = true;
 +
$wgGroupPermissions['Wiki-Updater']['reupload-shared'] = true;
  
##### Rollback ##### Quickly rollback the edits of the last user who edited a particular pa$
+
##### rollback #####
 
$wgGroupPermissions['administrator']['rollback'] = true;
 
$wgGroupPermissions['administrator']['rollback'] = true;
 
$wgGroupPermissions['sysop']['rollback'] = true;
 
$wgGroupPermissions['sysop']['rollback'] = true;
$wgGroupPermissions['Wikidoc-Admin-Rev']['rollback'] = true;
+
$wgGroupPermissions['Wiki-Admin']['rollback'] = true;
 +
$wgGroupPermissions['Wiki-Moderator']['rollback'] = true;
  
##### Patrol ##### Mark others' edits as patrolled - $wgUseRCPatrol must be true
+
##### sendemail #####
$wgUseRCPatrol = true;
+
$wgGroupPermissions['administrator']['sendemail'] = true;
$wgGroupPermissions['administrator']['patrol'] = true;
+
$wgGroupPermissions['sysop']['sendemail'] = true;
$wgGroupPermissions['sysop']['patrol'] = true;
+
$wgGroupPermissions['Bureaucrat']['sendemail'] = true;
$wgGroupPermissions['Wikidoc-Admin-Rev']['patrol'] = true;
+
$wgGroupPermissions['Linux-Admin']['sendemail'] = true;
 +
$wgGroupPermissions['Wiki-Admin']['sendemail'] = true;
 +
$wgGroupPermissions['Wiki-Moderator']['sendemail'] = true;
 +
$wgGroupPermissions['Wiki-Editor']['sendemail'] = true;
 +
$wgGroupPermissions['Wiki-Updater']['sendemail'] = true;
  
##### Suppress Revisions ##### View, hide and unhide specific revisions of pages from any u$
+
##### siteadmin #####
 +
$wgGroupPermissions['administrator']['siteadmin'] = true;
 +
$wgGroupPermissions['sysop']['siteadmin'] = true;
 +
$wgGroupPermissions['Linux-Admin']['siteadmin'] = true;
 +
$wgGroupPermissions['Wiki-Admin']['siteadmin'] = true;
 +
 
 +
##### suppressionlog #####
 +
$wgGroupPermissions['administrator']['suppressionlog'] = true;
 +
$wgGroupPermissions['sysop']['suppressionlog'] = true;
 +
$wgGroupPermissions['Linux-Admin']['suppressionlog'] = true;
 +
$wgGroupPermissions['Wiki-Admin']['suppressionlog'] = true;
 +
 
 +
##### suppressredirect #####
 +
$wgGroupPermissions['administrator']['suppressredirect'] = true;
 +
$wgGroupPermissions['sysop']['suppressredirect'] = true;
 +
$wgGroupPermissions['Wiki-Admin']['suppressredirect'] = true;
 +
 
 +
##### suppressrevision #####
 
$wgGroupPermissions['administrator']['suppressrevision'] = true;
 
$wgGroupPermissions['administrator']['suppressrevision'] = true;
 
$wgGroupPermissions['sysop']['suppressrevision'] = true;
 
$wgGroupPermissions['sysop']['suppressrevision'] = true;
$wgGroupPermissions['Wikidoc-Admin-Rev']['suppressrevision'] = true;
+
$wgGroupPermissions['Wiki-Admin']['suppressrevision'] = true;
 +
 
 +
##### unblockself #####
 +
$wgGroupPermissions['administrator']['unblockself'] = true;
 +
$wgGroupPermissions['sysop']['unblockself'] = true;
 +
$wgGroupPermissions['Wiki-Admin']['unblockself'] = true;
 +
 
 +
##### undelete #####
 +
$wgGroupPermissions['administrator']['undelete'] = true;
 +
$wgGroupPermissions['sysop']['undelete'] = true;
 +
$wgGroupPermissions['Wiki-Admin']['undelete'] = true;
 +
$wgGroupPermissions['Wiki-Moderator']['undelete'] = true;
 +
$wgGroupPermissions['Wiki-Editor']['undelete'] = true;
 +
 
 +
##### unwatchedpages #####
 +
$wgGroupPermissions['administrator']['unwatchedpages'] = true;
 +
$wgGroupPermissions['sysop']['unwatchedpages'] = true;
 +
$wgGroupPermissions['Wiki-Admin']['unwatchedpages'] = true;
 +
 
 +
##### upload #####
 +
##### To enable image/file uploads, make sure the 'images' directory is writable (chmod777), and the $wgEnableUploads = true;
 +
#####  Upload permissions ##### restricted to groups (requires createpage permission as well - each upload has one page create>
 +
$wgEnableUploads = true; // Enable uploads
  
##### View suppression logs ##### View private logs
+
$wgGroupPermissions['administrator']['upload'] = true;
$wgGroupPermissions['administrator']['suppressionlog'] = true;
+
$wgGroupPermissions['sysop']['upload'] = true;
$wgGroupPermissions['sysop']['suppressionlog'] = true;
+
$wgGroupPermissions['Bureaucrat']['upload'] = true;
$wgGroupPermissions['Wikidoc-Admin-Rev']['suppressionlog'] = true;
+
$wgGroupPermissions['Linux-Admin']['upload'] = true;
 +
$wgGroupPermissions['Wiki-Admin']['upload'] = true;
 +
$wgGroupPermissions['Wiki-Moderator']['upload'] = true;
 +
$wgGroupPermissions['Wiki-Editor']['upload'] = true;
 +
$wgGroupPermissions['Wiki-Updater']['upload'] = true;
 +
  # Configuration
 +
    #$wgUseImageMagick = true;
 +
    #$wgImageMagickConvertCommand = "/usr/bin/convert";
 +
    $wgEnableWriteAPI = true; // Enable the API
 +
    $wgAllowJavaUploads = true; // Solves problem with Office 2007 and newer files (docx, xlsx, etc.)
 +
    $wgFileExtensions = array('png','svg','gif','jpg','jpeg','doc','xls','pdf','ppt','tiff','bmp','docx','xlsx','pptx');
 +
 
 +
##### upload_by_url #####
 +
$wgGroupPermissions['sysop']['upload_by_url'] = true;
 +
$wgGroupPermissions['Linux-Admin']['upload_by_url'] = true;
 +
$wgGroupPermissions['Wiki-Admin']['upload_by_url'] = true;
 +
 
 +
##### User Merge #####
 +
        wfLoadExtension( 'UserMerge' );
 +
        // By default nobody can use this function, enable for bureaucrat?
 +
        $wgGroupPermissions['bureaucrat']['usermerge'] = true;
 +
        $wgGroupPermissions['Wiki-Server-Admin']['usermerge'] = true;
 +
        $wgGroupPermissions['sysop']['usermerge'] = true;
 +
        // optional: default is array( 'sysop' )
 +
        // $wgUserMergeProtectedGroups = array( 'groupname' );
 +
 
 +
 
 +
##### userrights #####
 +
$wgGroupPermissions['administrator']['userrights'] = true;
 +
$wgGroupPermissions['sysop']['userrights'] = true;
 +
$wgGroupPermissions['Bureaucrat']['userrights'] = true;
 +
$wgGroupPermissions['Wiki-Admin']['userrights'] = true;
 +
 
 +
##### userrights-interwiki #####
 +
$wgGroupPermissions['sysop']['userrights-interwiki'] = true;
 +
$wgGroupPermissions['Linux-Admin']['userrights-interwiki'] = true;
 +
$wgGroupPermissions['Wiki-Admin']['userrights-interwiki'] = true;
 +
 
 +
##### viewmyprivateinfo #####
 +
$wgGroupPermissions['user']['viewmyprivateinfo'] = true;
 +
 
 +
##### viewmywatchlist #####
 +
$wgGroupPermissions['user']['viewmywatchlist'] = true;
 +
 
 +
##### viewsuppressed #####
 +
$wgGroupPermissions['administrator']['viewsuppressed'] = true;
 +
$wgGroupPermissions['sysop']['viewsuppressed'] = true;
 +
$wgGroupPermissions['Wiki-Editor']['viewsuppressed'] = true;
  
##### Change Tags ##### Add and remove arbitrary tags on individual revisions and log entries - currently unused by extensions
+
##### writeapi #####  
$wgGroupPermissions['administrator']['changetags'] = true;
+
$wgGroupPermissions['administrator']['writeapi'] = true;
$wgGroupPermissions['sysop']['changetags'] = true;
+
$wgGroupPermissions['sysop']['writeapi'] = true;
$wgGroupPermissions['Wikidoc-Admin-Rev']['changetags'] = true;
+
$wgGroupPermissions['Bot']['writeapi'] = true;
 +
$wgGroupPermissions['Bureaucrat']['writeapi'] = true;
 +
$wgGroupPermissions['Linux-Admin']['writeapi'] = true;
 +
$wgGroupPermissions['Wiki-Admin']['writeapi'] = true;
 +
$wgGroupPermissions['Wiki-Moderator']['writeapi'] = true;
 +
$wgGroupPermissions['Wiki-Editor']['writeapi'] = true;
 +
$wgGroupPermissions['Wiki-Updater']['writeapi'] = true;
  
##### Apply change tags ##### Apply tags along with one's changes
 
$wgGroupPermissions['administrator']['applychangetags'] = true;
 
$wgGroupPermissions['sysop']['applychangetags'] = true;
 
$wgGroupPermissions['Wikidoc-Admin-Rev']['applychangetags'] = true;
 
  
##### View suppressed  ##### View revisions hidden from any user - i.e. a more narrow alternative to "suppressrevision"
 
                      ##### (note that this is not needed if the group already has the suppressrevision right)
 
$wgGroupPermissions['administrator']['applychangetags'] = true;
 
$wgGroupPermissions['sysop']['applychangetags'] = true;
 
$wgGroupPermissions['Wikidoc-Admin-Rev']['applychangetags'] = true;
 
  
 
##################################################################################
 
##################################################################################
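Review bot: In the added "Approve Revision" block, the line $wgGroupPermissions['Wikidoc-Admin-Rev']['approverevision'] = true; uses a singular key, while the administrator and sysop lines directly above it set 'approverevisions'. As written, Wikidoc-Admin-Rev is granted a differently named right than the other two groups; change the key to 'approverevisions' so all three get the same right. The added lines also mix ['Bureaucrat'] and ['Bot'] (createaccount, noratelimit, readapi, sendemail, upload, userrights, writeapi) with ['bureaucrat'] (EditUser, UserMerge). PHP array keys are case-sensitive, so these are separate entries in $wgGroupPermissions; settle on one spelling per group. In the upload section, the comment still recommends chmod777 on the 'images' directory and $wgAllowJavaUploads is set to true next to a list of Office extensions. Prefer a directory owned by and writable only for the web server account, and add a comment on why the Java upload check is turned off.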
Line 318: Line 889:
  
  
 +
</pre>
 +
|<strong><big>View of the detailed Mediawiki Security Configuration is restricted.</big></strong>
  
 
+
<br><br>[[#Top|Back to top of this page]]
</pre>
+
<br><br>[[English|Back to Welcome Page]] <br><br>
 +
}}
  
 
[[Category:Wiki Administration]]
 
[[Category:Wiki Administration]]

Latest revision as of 13:56, 14 April 2021

Source: DataSource
Language: English
Topic: Mediawiki
SubTopic: Security
Last Edit By: DochyJP
LastEdit: 2021-04-14
Document type: Documentation
Status: Active
Access: free

Micylou Standard Mediawiki Security Matrix

Defaults

Micylou builds a start-up solution based on the original Mediawiki LTS package and includes additional extensions to build its start-up solution.

Therefore, the roles and rights included in these extensions are taken into account, even if the extension is not activated.

Roles by groups

Source Permission Description By default As from * Reset * Granted User Reset User Granted sysop Granted Bot Granted Bureaucrat Granted Linux-Admin Granted Wiki-Admin Granted Wiki-Moderator Granted Wiki-Editor Granted Wiki-Updater Granted
Default Mediawiki apihighlimits Use higher limits in API queries bot, sysop 1.12+
Default Mediawiki applychangetags Apply tags along with one's changes user 1.25+ X X X X
Default Mediawiki autoconfirmed Not be affected by IP-based rate limits - used for the 'autoconfirmed' group, see the other table below for more information autoconfirmed, bot, sysop 1.6+
Default Mediawiki autocreateaccount Automatically log in with an external user account - a more limited version of createaccount 1.27+ X LDAP REQUIREMENT
Default Mediawiki autopatrol Have one's own edits automatically marked as patrolled - $wgUseRCPatrol must be true bot, sysop 1.9+ X X
Default Mediawiki bigdelete Delete pages with large histories (as determined by $wgDeleteRevisionsLimit) sysop 1.12+ X X
Default Mediawiki block Block other users from editing - Block options include preventing editing and registering new accounts, and autoblocking other users on the same IP address sysop 1.5+ X X X
Default Mediawiki blockemail Block a user from sending email - allows preventing use of the Special:Emailuser interface when blocking - requires the block right sysop 1.11+ X X X X
Default Mediawiki bot Be treated as an automated process - can optionally be viewed bot 1.5+
Default Mediawiki browsearchive Search deleted pages - through Special:Undelete sysop 1.13+ X X X X X
Default Mediawiki changetags Add and remove arbitrary tags on individual revisions and log entries - currently unused by extensions user 1.25+ X X X X X X X
Default Mediawiki createaccount Create new user accounts - register / registration *, sysop 1.5+ X X X X X
Default Mediawiki createpage Create pages (which are not discussion pages) - requires the edit right *, user 1.6+ X X X X X X X X
Default Mediawiki createtalk Create discussion pages - requires the edit right *, user 1.6+ X X X
Default Mediawiki delete allows the deletion or undeletion of pages. sysop 1.5+ X X X X X X X
Default Mediawiki deletechangetags Delete tags from the database - currently unused by extensions sysop 1.28+ X
Default Mediawiki deletedhistory View deleted history entries, without their associated text sysop 1.6+ X X X X X X
Default Mediawiki deletedtext View deleted text and changes between deleted revisions sysop X X X X X X
Default Mediawiki deletelogentry Delete and undelete specific log entries - allows deleting/undeleting information (action text, summary, user who made the action) of specific log entries - requires the deleterevision right (not available by default) sysop 1.20+ X X
Default Mediawiki deleterevision Delete and undelete specific revisions of pages - allows deleting/undeleting information (revision text, edit summary, user who made the edit) of specific revisions Split into deleterevision and deletelogentry in 1.20 (not available by default) sysop 1.6+ X X X X X
Default Mediawiki edit Edit pages *, user 1.5+ X X X X X X
Default Mediawiki editcontentmodel Edit the content model of a page user 1.23.7+ X X X X X X X
Default Mediawiki editinterface Edit the user interface - contains interface messages. For editing sitewide CSS/JSON/JS, there are now separate rights, see below. sysop, interface-admin 1.5+ X X X
Default Mediawiki editmyoptions Edit your own preferences * 1.22+ X X X X X X X
Default Mediawiki editmyprivateinfo Edit your own private data (e.g. email address, real name) * 1.22+ X X X X X X X
Default Mediawiki editmyusercss Edit your own user CSS files - prior to 1.31 it was assigned to everyone (i.e. "*") (note that this is not needed if the group already has the editusercss right) user 1.22+ X
Default Mediawiki editmyuserjs Edit your own user JavaScript files - prior to 1.31 it was assigned to everyone (i.e. "*") (note that this is not needed if the group already has the edituserjs right) user 1.22+ X
Default Mediawiki editmyuserjson Edit your own user JSON files (note that this is not needed if the group already has the edituserjson right) user 1.31+ X
Default Mediawiki editmywatchlist Edit your own watchlist. Note some actions will still add pages even without this right. * 1.22+ X
Default Mediawiki editprotected Edit pages protected as "Allow only administrators" - without cascading protection sysop 1.13+ X X X X X
Default Mediawiki editsemiprotected Edit pages protected as "Allow only autoconfirmed users" - without cascading protection autoconfirmed, bot, sysop 1.22+ X X X X X
Default Mediawiki editsitecss Edit sitewide CSS interface-admin 1.32+ X X X
Default Mediawiki editsitejs Edit sitewide JavaScript interface-admin 1.32+ X X X
Default Mediawiki editsitejson Edit sitewide JSON sysop, interface-admin 1.32+ X X X
Default Mediawiki editusercss Edit other users' CSS files interface-admin 1.16+ X X X
Default Mediawiki edituserjs Edit other users' JavaScript files interface-admin 1.16+ X X X
Default Mediawiki edituserjson Edit other users' JSON files sysop, interface-admin 1.31+ X X X
Default Mediawiki hideuser Block a username, hiding it from the public - (not available by default) 1.10+ X X X X
Default Mediawiki import Import pages from other wikis - “transwiki” sysop 1.5+ X X X X
Default Mediawiki importupload Import pages from a file upload - This right was called 'importraw' in and before version 1.5 sysop 1.5+ X X X
Default Mediawiki ipblock-exempt Bypass IP blocks, auto-blocks and range blocks sysop 1.9+ X X X
Default Mediawiki managechangetags Create and (de)activate tags - currently unused by extensions sysop 1.25+ X X X
Default Mediawiki markbotedits Mark rolled-back edits as bot edits - see Manual:Administrators#Rollback sysop 1.12+ X X X
Default Mediawiki mergehistory Merge the history of pages sysop 1.12+ X X X
Default Mediawiki minoredit Mark edits as minor user 1.6+ X X X X X X
Default Mediawiki move Move pages - requires the edit right user, sysop 1.5+ X X X X X X
Default Mediawiki move-categorypages Move category pages - requires the move right user, sysop 1.25+ X X X X X
Default Mediawiki movefile Move files - requires the move right and $wgAllowImageMoving to be true user, sysop 1.14+ X X X X X
Default Mediawiki move-rootuserpages Move root user pages - requires the move right user, sysop 1.14+ X X X X X
Default Mediawiki move-subpages Move pages with their subpages - requires the move right user, sysop 1.13+ X X X X X
Default Mediawiki nominornewtalk Not have minor edits to discussion pages trigger the new messages prompt - requires the minor edit right bot 1.9+
Default Mediawiki noratelimit Not be affected by rate limits (prior to the introduction of this right, the configuration variable $wgRateLimitsExcludedGroups was used for this purpose) sysop, bureaucrat 1.13+ X X X X
Default Mediawiki override-export-depth Export pages including linked pages up to a depth of 5 ? X X X X
Default Mediawiki pagelang Change page language - $wgPageLanguageUseDB must be true 1.24+ X X X X
Default Mediawiki patrol Mark others' edits as patrolled - $wgUseRCPatrol must be true sysop 1.5+ X X X
Default Mediawiki patrolmarks View recent changes patrol marks 1.16+ X X X X X
Default Mediawiki protect Change protection levels and edit cascade-protected pages sysop 1.5+ X X X X
Default Mediawiki purge Purge the site cache for a page - URL parameter "&action=purge" user 1.10+ X X X X
Default Mediawiki read Read pages - when set to false, override for specific pages with $wgWhitelistRead 1.5+ X X
Default Mediawiki readapi *, user, bot 1.13+ X X X X X X X X X X X
Default Mediawiki reupload Overwrite existing files - requires the upload right user, sysop 1.6+ X X X X X X X
Default Mediawiki reupload-own Overwrite existing files uploaded by oneself - requires the upload right (note that this is not needed if the group already has the reupload right) 1.11+ X X X X X X X
Default Mediawiki reupload-shared Override files on the shared media repository locally - (if one is set up) with local files (requires the upload right) user, sysop 1.6+ X X X X X X X
Default Mediawiki rollback Quickly rollback the edits of the last user who edited a particular page sysop 1.5+ X X X X
Default Mediawiki sendemail Send email to other users user 1.16+ X X X X X X X X X
Default Mediawiki siteadmin Lock and unlock the database - which blocks all interactions with the web site except viewing. (not available by default) 1.5+ X X X X
Default Mediawiki suppressionlog View private logs 1.6+ X X X X
Default Mediawiki suppressredirect Not create redirects from source pages when moving pages bot, sysop 1.12+ X X X
Default Mediawiki suppressrevision View, hide and unhide specific revisions of pages from any user - Prior to 1.13 this right was named hiderevision (not available by default) 1.6+ X X X
Default Mediawiki unblockself Unblock oneself - Without it, an administrator that has the capability to block cannot unblock themselves if blocked by another administrator sysop 1.17+ X X X
Default Mediawiki undelete Undelete a page - requires the deletedhistory right sysop 1.12+ X X X X X
Default Mediawiki unwatchedpages View a list of unwatched pages - lists pages that no user has watchlisted sysop 1.6+ X X X
Default Mediawiki upload Upload files - requires the edit right and $wgEnableUploads to be true user, sysop 1.5+ X X X X X X X X X
Default Mediawiki upload_by_url Upload files from a URL - requires the upload right (Prior to 1.20 it was given to sysops) 1.8+ X X X
Default Mediawiki userrights Edit all user rights - allows the assignment or removal of all* groups to any user. bureaucrat 1.5+ X X X X
Default Mediawiki userrights-interwiki Edit user rights of users on other wikis 1.12+ X X X
Default Mediawiki viewmyprivateinfo View your own private data (e.g. email address, real name) * 1.22+ X X
Default Mediawiki viewmywatchlist View your own watchlist * 1.22+ X X
Default Mediawiki viewsuppressed View revisions hidden from any user - i.e. a more narrow alternative to "suppressrevision" (note that this is not needed if the group already has the suppressrevision right) 1.24+ X X X
Default Mediawiki writeapi Use of the write API *, user, bot 1.13+ X X X X X X X X X X X
ExtensionRevsApprove $egApprovedRevsBlankIfUnapproved FALSE
ExtensionRevsApprove $egApprovedRevsShowApproveLatest TRUE
ExtensionRevsApprove $egApprovedRevsShowNotApprovedMessage TRUE
ExtensionRevsApprove approverevision X X X X X
ExtensionRevsApprove $egApprovedRevsAutomaticApprovals FALSE
ExtensionRevsApprove $egApprovedRevsBlankIfUnapproved FALSE
ExtensionRevsApprove $egApprovedRevsShowNotApprovedMessage TRUE
ExtensionRevsApprove viewapprover X X X X X X X X X X X X
ExtensionRevsApprove viewlinktolatest X X X X X X
Extension UserMerge usermerge X X X X
Extension EditUser edituser X X X
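
Several rows in the matrix state a prerequisite ("requires the edit right", "requires the block right", and so on). The following is an added example, not part of the original page or of MediaWiki: it reads `$wgGroupPermissions` assignments from LocalSettings.php text and reports rights granted to a group whose members do not also hold the prerequisite. It assumes every grant is written explicitly in the file (core defaults are not loaded); the `REQUIRES` map, function names and sample fragment are constructed for illustration.

```python
import re

# Prerequisites taken from the Description column of the matrix above.
REQUIRES = {
    "blockemail": ["block"], "deletelogentry": ["deleterevision"],
    "createpage": ["edit"], "createtalk": ["edit"], "move": ["edit"],
    "upload": ["edit"], "undelete": ["deletedhistory"],
    "move-categorypages": ["move"], "movefile": ["move"],
    "move-rootuserpages": ["move"], "move-subpages": ["move"],
    "reupload": ["upload"], "reupload-own": ["upload"],
    "reupload-shared": ["upload"], "upload_by_url": ["upload"],
}
KEY = r"\[\s*['\"]([^'\"]+)['\"]\s*\]"
ASSIGN = re.compile(r"^\s*\$wgGroupPermissions" + KEY + KEY +
                    r"\s*=\s*(true|false)\s*;", re.I | re.M)

def parse_grants(text):
    """Return {group: {right: bool}}; a later assignment overrides an earlier one."""
    grants = {}
    for group, right, value in ASSIGN.findall(text):
        grants.setdefault(group, {})[right] = value.lower() == "true"
    return grants

def effective(grants, group):
    """Rights are additive: a member of a named group also holds '*' and 'user' grants."""
    implicit = ["*"] if group == "*" else ["*", "user", group]
    return {r for g in implicit for r, on in grants.get(g, {}).items() if on}

def missing_prerequisites(grants):
    """List (group, right, prerequisite) where the prerequisite is not held."""
    findings = []
    for group in sorted(grants):
        held = effective(grants, group)
        for right in sorted(r for r, on in grants[group].items() if on):
            findings += [(group, right, need)
                         for need in REQUIRES.get(right, []) if need not in held]
    return findings

# Constructed LocalSettings.php fragment (not the site's real configuration).
SAMPLE = """
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['user']['edit'] = false;
$wgGroupPermissions['Wiki-Editor']['edit'] = true;
$wgGroupPermissions['Wiki-Editor']['upload'] = true;
$wgGroupPermissions['Wiki-Updater']['move'] = true;
$wgGroupPermissions['Wiki-Moderator']['block'] = true;
$wgGroupPermissions['Wiki-Moderator']['blockemail'] = true;
$wgGroupPermissions['Wiki-Moderator']['undelete'] = true;
# $wgGroupPermissions['Wiki-Moderator']['deletedhistory'] = true;
"""
```

A finding means the grant has no effect as configured, so the matrix and the file disagree about what that group can do.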





Security matrix of our default solution set up in LocalSettings.php - restricted access

View of the detailed Mediawiki Security Configuration is restricted.


