Mediawiki Security Matrix


Sample MediaWiki permission matrix (group → right) to be placed in LocalSettings.php. Keep in mind that $wgGroupPermissions is additive across groups: setting a right to false in one group only means that group does not grant it — a user who is also in a group that sets it true still holds the right.

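# Security settings
###########################################
# Group restricted categories added by JP #
###########################################
# Activation of the extension
# NOTE(review): the same extension is required again near the end of this file; with
# require_once the repeat is a no-op, but a single load point is easier to audit.
require_once "$IP/extensions/RestrictAccessByCategoryAndGroup/RestrictAccessByCategoryAndGroup.php";
#########################################
# PRIVATE GROUPS WITH RESTRICTED ACCESS #
#########################################
# Each group below holds the 'private' right (presumably the right the extension above
# checks for category-restricted pages - confirm against its README). Rights are
# additive across groups in MediaWiki: a member of any one of these groups has it.
# Wiki-Admin is listed exactly once (it was duplicated before, which is harmless but noisy).
$wgGroupPermissions['Linux-Admin']['private'] = true;
$wgGroupPermissions['Wiki-Admin']['private'] = true;
$wgGroupPermissions['TKI-Restricted']['private'] = true;
$wgGroupPermissions['NTRK-Restricted']['private'] = true;
$wgGroupPermissions['Process-Restricted']['private'] = true;

# Additional protection level 'Process-Editor'. A custom entry in $wgRestrictionLevels
# must be paired with a user right of the same name; only groups holding that right can
# edit/move pages protected at this level.
$wgRestrictionLevels[] = 'Process-Editor';
$wgGroupPermissions['sysop']['Process-Editor'] = true;
$wgGroupPermissions['Process-Restricted']['Process-Editor'] = true;
$wgGroupPermissions['administrator']['Process-Editor'] = true;
$wgGroupPermissions['Wiki-Admin']['Process-Editor'] = true;
# NOTE(review): 'Semantic-DBA' is not a core right and no matching restriction level is
# declared in this file - confirm which extension defines it, otherwise this line grants nothing.
$wgGroupPermissions['Wiki-Admin']['Semantic-DBA'] = true;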

##################################
# GLOBAL Group permissions reset # other default permissions remain unchanged
#############################################################################
# '*' is the group every visitor belongs to (anonymous and logged-in alike), so this is
# the "private wiki" baseline: none of the rights listed here is granted to everybody.
# NOTE(review): $wgGroupPermissions is additive across groups - a false here only means
# '*' does not grant the right; any other group that sets it true still wins.
$anonDeniedRights = [
    'read', 'upload', 'createpage', 'edit', 'viewlinktolatest', 'move', 'delete',
    'protect', 'createaccount', 'createtalk', 'applychangetags', 'editsemiprotected',
    'editprotected', 'minoredit', 'sendemail', 'changetags', 'editcontentmodel',
    'editmyoptions', 'editmyprivateinfo', 'editmyusercss', 'editmyuserjs',
    'editmyuserjson', 'writeapi', 'readapi',
];
foreach ( $anonDeniedRights as $right ) {
    $wgGroupPermissions['*'][$right] = false;
}
unset( $anonDeniedRights, $right );

### same restrictions for user accounts but reading unprotected pages is allowed
#################################################################################
# 'user' = every logged-in account. Reading and editing one's own preferences are the
# only rights granted here; anything else has to come from a more specific group.
$wgGroupPermissions['user']['read'] = true;
$wgGroupPermissions['user']['editmyoptions'] = true;
$userDeniedRights = [
    'upload', 'createpage', 'edit', 'viewlinktolatest', 'move', 'delete', 'protect',
    'createaccount', 'createtalk', 'applychangetags', 'editsemiprotected',
    'editprotected', 'minoredit', 'sendemail', 'changetags', 'editcontentmodel',
    # stays off: e-mail / real name are populated from Active Directory
    'editmyprivateinfo',
    # no personal CSS/JS/JSON: user scripts execute arbitrary JS in the wiki origin,
    # keeping them off is the conservative choice for a private wiki
    'editmyusercss', 'editmyuserjs', 'editmyuserjson',
    # NOTE(review): the "Read/Write API" section further down sets both of these back to
    # true for 'user' (last assignment wins), so these two entries are effectively dead.
    'writeapi', 'readapi',
];
foreach ( $userDeniedRights as $right ) {
    $wgGroupPermissions['user'][$right] = false;
}
unset( $userDeniedRights, $right );

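### Specific permissions (sub-)linked to user groups
# File pages may be moved; the move itself is still gated by the 'movefile' right, which
# this matrix does not set explicitly (MediaWiki's default for that right applies - verify).
$wgAllowImageMoving = true;
# A blocked account cannot log in at all. This is a global switch that applies to every
# group, not only sysop (the earlier comment "for sysop group" was misleading).
$wgBlockDisablesLogin = true;
##### Read/Write API #####
# Fixed: 'administrator' was given 'readeapi' (typo), a right that does not exist, so the
# group silently had no API read access.
# NOTE(review): 'user' gets both rights here, overriding the false set in the "same
# restrictions for user accounts" section (last assignment wins). Recent MediaWiki
# releases have dropped the 'writeapi' right (API writes are then gated only by the
# underlying edit/upload/... rights) - confirm for the installed version.
foreach ( [ 'administrator', 'sysop', 'bot', 'Wiki-Admin', 'Wiki-Editor', 'user' ] as $apiGroup ) {
    $wgGroupPermissions[$apiGroup]['readapi'] = true;
    $wgGroupPermissions[$apiGroup]['writeapi'] = true;
}
unset( $apiGroup );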

##### Account creation #####
# Self-registration is off ('*' and 'user' have createaccount = false above); only these
# groups can create accounts on behalf of others.
foreach ( [ 'administrator', 'sysop', 'bureaucrat', 'Wiki-Admin' ] as $creatorGroup ) {
    $wgGroupPermissions[$creatorGroup]['createaccount'] = true;
}
unset( $creatorGroup );

##### Account Edition #####
##### Requires the EditAccount extension - currently disabled #####
# Kept as documentation of the option. Note that 'sysop' is a group, not a right, so the
# last commented line would have no effect even if it were enabled.
#        wfLoadExtension( 'EditAccount' );
#        $wgGroupPermissions['bureaucrat']['editaccount'] = true;
#        $wgGroupPermissions['bureaucrat']['sysop'] = true;

##### User Merge #####
# UserMerge merges one account into another (and can delete the source account) - an
# irreversible, high-privilege operation that ships with nobody allowed to use it.
# NOTE(review): granting it to 'sysop' as well as 'bureaucrat' widens the blast radius of
# a compromised admin account - confirm that is intended.
wfLoadExtension( 'UserMerge' );
foreach ( [ 'bureaucrat', 'Wiki-Server-Admin', 'sysop' ] as $mergeGroup ) {
    $wgGroupPermissions[$mergeGroup]['usermerge'] = true;
}
unset( $mergeGroup );
# optional: groups whose members cannot be merged away; default is [ 'sysop' ]
// $wgUserMergeProtectedGroups = [ 'groupname' ];

##### Edit semi-protected / minor edit / send e-mail / content model #####
# One line per right so a reviewer can still grep for a right name.
$editorRights = [
    # Edit pages protected as "Allow only autoconfirmed users" (no cascading protection)
    'editsemiprotected' => [ 'administrator', 'sysop', 'Wiki-Admin' ],
    # Mark edits as minor (minor edits can be filtered out of watchlists / recent changes)
    'minoredit'         => [ 'administrator', 'sysop', 'Wiki-Admin', 'Wiki-Editor' ],
    # Send e-mail to other users
    'sendemail'         => [ 'administrator', 'sysop', 'Wiki-Admin', 'Wiki-Editor' ],
    # Change the content model of a page (e.g. wikitext to JSON/CSS/JS) - deliberately narrow
    'editcontentmodel'  => [ 'administrator', 'sysop', 'Wiki-Admin' ],
];
foreach ( $editorRights as $right => $groups ) {
    foreach ( $groups as $group ) {
        $wgGroupPermissions[$group][$right] = true;
    }
}
unset( $editorRights, $right, $groups, $group );

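### Upload permissions
######################
# The images/ directory must be writable by the web-server account ONLY (e.g. owned by
# www-data, mode 0755 or 0775 with the server's group). Do NOT chmod 777 it: a world-
# writable upload root lets any local user drop files the web server will then serve.
# Also keep $wgFileExtensions and the MIME exclusion list restrictive.
$wgEnableUploads = true;
##### Upload permissions ##### restricted to groups; an upload also creates the File:
# description page, so the group needs 'createpage' (and 'edit') as well.
foreach ( [ 'administrator', 'sysop', 'Wiki-Admin', 'Wiki-Editor' ] as $uploadGroup ) {
    $wgGroupPermissions[$uploadGroup]['upload'] = true;
}
unset( $uploadGroup );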

##### Page creation / edition / move / delete / protect #####
# Content-editing matrix: all four groups get the whole set. None of them is given
# 'editprotected' in this block, so a fully protected page stays locked for them unless
# another group grants that right.
# NOTE(review): 'delete' and 'protect' for Wiki-Editor are admin-level powers (a page
# can be deleted or locked against other editors; which protection levels they can apply
# depends on the level rights they hold). Delete was flagged "verify with Team Leaders";
# protect deserves the same review.
$contentGroups = [ 'administrator', 'sysop', 'Wiki-Admin', 'Wiki-Editor' ];
foreach ( [ 'createpage', 'edit', 'move', 'delete', 'protect' ] as $right ) {
    foreach ( $contentGroups as $group ) {
        $wgGroupPermissions[$group][$right] = true;
    }
}
unset( $contentGroups, $right, $group );

##### Deleted content: history, text, log entries, restore, archive search #####
$archiveRights = [
    # View deleted history entries, without their associated text
    'deletedhistory' => [ 'administrator', 'sysop', 'Wiki-Admin', 'Wiki-Editor' ], ### Wiki-Editor: verify with Team Leaders
    # View the text of deleted revisions - deliberately NOT given to Wiki-Admin / Wiki-Editor
    'deletedtext'    => [ 'administrator', 'sysop' ],
    # Delete and undelete specific log entries
    'deletelogentry' => [ 'administrator', 'sysop' ],
    # Restore deleted pages
    'undelete'       => [ 'administrator', 'sysop', 'Wiki-Admin', 'Wiki-Editor' ], ### Wiki-Editor: verify with Team Leaders
    # Search deleted pages through Special:Undelete
    'browsearchive'  => [ 'administrator', 'sysop', 'Wiki-Admin', 'Wiki-Editor' ],
];
# NOTE(review): Wiki-Admin and Wiki-Editor may undelete content they are not allowed to
# read (no 'deletedtext'). Restoring a page makes its text readable again, so withholding
# 'deletedtext' offers little once 'undelete' is held - decide which of the two is intended.
foreach ( $archiveRights as $right => $groups ) {
    foreach ( $groups as $group ) {
        $wgGroupPermissions[$group][$right] = true;
    }
}
unset( $archiveRights, $right, $groups, $group );

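#### REVISIONS ####

# enabling ApprovedRevs extension
# The 'viewlinktolatest' assignments that used to follow this line duplicated the
# "View latest version link" section below (which is a superset: it also sets 'user'
# to false). One copy is enough, so the right is configured there only.
wfLoadExtension( 'ApprovedRevs' );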

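//'approverevisions' is the permission to approve and unapprove revisions of pages.
//       By default it is given to all members of the 'sysop' group
//'viewlinktolatest' is the "permission" to see a note at the top of pages that have an approved revision,
//       explaining that what the user is seeing is not necessarily the latest revision
//'viewapprover' is the "permission" to see another note at the top of pages that have an approved revision,
//       stating who last approved it. By default it is given to all members of the 'sysop' group
##### Approve Revision #####
# Fixed: Wikidoc-Admin-Rev was given 'approverevision' (singular) - a right that does not
# exist - so that group could not actually approve anything. The right is 'approverevisions'.
$wgGroupPermissions['administrator']['approverevisions'] = true;
$wgGroupPermissions['sysop']['approverevisions'] = true; ### ApprovedRevs grants this to sysop by default
$wgGroupPermissions['Wikidoc-Admin-Rev']['approverevisions'] = true;

##### View latest version link #####
# Only the reviewing groups see the "this is not the latest revision" note. This hides
# the hint, not the page history.
$wgGroupPermissions['*']['viewlinktolatest'] = false;
$wgGroupPermissions['user']['viewlinktolatest'] = false;
$wgGroupPermissions['sysop']['viewlinktolatest'] = true;
$wgGroupPermissions['Wikidoc-Admin']['viewlinktolatest'] = true;
$wgGroupPermissions['Wikidoc-Admin-Rev']['viewlinktolatest'] = true;

##### View Approver #####
# Every logged-in user may see who last approved a page.
$wgGroupPermissions['user']['viewapprover'] = true;

##### Delete Revision #####
# Delete and undelete specific revisions of pages (RevisionDelete).
$wgGroupPermissions['administrator']['deleterevision'] = true;
$wgGroupPermissions['sysop']['deleterevision'] = true;
$wgGroupPermissions['Wikidoc-Admin-Rev']['deleterevision'] = true;

// No automatic approval for edits made by groups holding 'approverevisions': every
// revision, including an approver's own, has to be approved explicitly.
$egApprovedRevsAutomaticApprovals = false;

// Unapproved pages still display their latest revision instead of a blank page
$egApprovedRevsBlankIfUnapproved = false; ### to be set to true for clean-up

// Flag unapproved pages and offer the "approve latest revision" link
$egApprovedRevsShowNotApprovedMessage = true;
$egApprovedRevsShowApproveLatest = true;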

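##### Rollback / patrol / suppression / change tags #####
# Every right in this section goes to the same three groups.
$revGroups = [ 'administrator', 'sysop', 'Wikidoc-Admin-Rev' ];
# Patrolling only has an effect when recent-changes patrol is switched on.
$wgUseRCPatrol = true;
$revRights = [
    # Quickly revert the edits of the last user who edited a particular page
    'rollback',
    # Mark others' edits as patrolled ($wgUseRCPatrol above must be true)
    'patrol',
    # View, hide and unhide specific revisions of pages from ANY user, sysops included.
    # NOTE(review): MediaWiki gives this (and 'suppressionlog') only to the dedicated
    # 'suppress' group by default, precisely so ordinary sysops cannot read suppressed
    # content; granting it to every admin group here removes that separation. Consider a
    # separate oversight group if suppression is used for personal or confidential data.
    'suppressrevision',
    # View the private suppression log
    'suppressionlog',
    # Add and remove arbitrary tags on individual revisions and log entries
    'changetags',
    # Apply tags along with one's own changes
    'applychangetags',
    # View revisions hidden from any user - the narrow alternative to 'suppressrevision'
    # (redundant for a group that already holds suppressrevision, kept for clarity).
    # Fixed: this entry used to re-assign 'applychangetags' (copy-paste of the section
    # above), so the right its header described was never granted.
    'viewsuppressed',
];
foreach ( $revRights as $right ) {
    foreach ( $revGroups as $group ) {
        $wgGroupPermissions[$group][$right] = true;
    }
}
unset( $revGroups, $revRights, $right, $group );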

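##################################################################################
#
# END OF THE PERMISSION SET UP
#
##################################################################################


# Extension RightFunctions
require_once "$IP/extensions/RightFunctions/RightFunctions.php";

# Extension RestrictAccessByCategoryAndGroup
# Already loaded at the top of the "Security settings" section; the second require_once
# that used to sit here was a no-op and has been removed so there is one load point.
# The group rights stay here.
# NOTE(review): '*' is not a right name - as far as MediaWiki core is concerned
# $wgGroupPermissions has no wildcard right, so the "Financial no public data" line
# grants nothing. Check the extension's documentation for the right it actually reads
# (the sibling group uses 'private') and correct the key; left unchanged here on purpose.
$wgGroupPermissions['Financial no public data']['*'] = true;
$wgGroupPermissions['Financial private data']['private'] = true;

# Extension EditUser - lets holders of 'edituser' change other users' preferences
# (including e-mail address), which is effectively account takeover capability.
wfLoadExtension( 'EditUser' );
$wgGroupPermissions['bureaucrat']['edituser'] = true;
# presumably: accounts in 'sysop' cannot be edited this way - confirm against the extension
$wgGroupPermissions['sysop']['edituser-exempt'] = true;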