Laboratoire pédagogique du Greta du Velay

Laboratoire pédagogique du Greta du Velay

Restrict pages under MediaWiki

Temps de lecture estimé à 5 min. 30 sec.
(Voir le billet en français)

This patch is deprecated.

Here is a patch to enable article restriction under MediaWiki. Pages can be articles or categories. It adds a new |restrict| tab link allowing members of the group restrict to restrict pages. Users member of the group viewrestrict can read (and modify) the restricted pages. Others users cannot see, search, export, etc, the restricted pages. You can still |protect| them for editing. A restricted page is distinguished by a red background tab, and you have a special page (Special:Restrictedpages) to list the restricted pages. All restriction/unrestriction actions are loggued in the wiki log. It is also possible to restrict pages or namespaces by providing a regular expression array matching titles, and to restrict new pages by default. Optionaly the user's pages can be restricted to their owner. Currently it is localized in English, German, Dutch, Swedish, Catalan, Finnish, Russian, Hebrew, Polish, Czech, Spanish and French. This feature is mainly useful for intranet relying on WikiMedia as a non-encyclopedic content management system, like e-learning platforms or informational systems. To respect the wiki philosophy, it is not appropriate to use it to restrict public access! To install restriction-patch, download MediaWiki (do a security backup if you patch your own installation), or see below to dowload a pre-patched archive.

Apply patch

mv restriction-version.mediawiki-version.patch ./mediawiki-version cd ./mediawiki-version patch -p0 < restriction-version.mediawiki-version.patch

Configure

First, install MediaWiki as usual (to create the database and the LocalSettings.php file). Once your wiki works fine you have to enable restriction. It is disabled by default. So add in your ./LocalSettings.php file (at the bottom of the file) :
/**
  * If true, a new menu action allows to restrict pages access to 'restrict' group users.
  * If false, all previously restricted pages are accessible again.
  */
  $wgEnableRestrict = true;

  /**
  * If true, new pages are restricted by default for 'restrict' group users.
  */
  $wgRestrictNewPages = false;

  /**
  * If true restrict user pages to their owner (as well as viewrestrict/restrict members)
  */
  $wgUserPageRestrict = false;

  /**
  * when wgUserPageRestrict and this option are true, allows user pages to be read but not edited by others?
  * added to restrict version beta-0.8.2
  */
  $wgUserReadRestrict = false;

  /**
  * Regular expression array to restrict matching pages
  * eg. $wgRegexRestrict = array("^Secure:", "^Secret ");
  *     restrict all pages where title is like 'Secure:...' or 'Secret ...'
  * with restrict version beta-0.8.1 you can also use Inverse regex matching
  * eg. $wgRegexRestrict = array("!!Public.*", ".*");
  *     any pages starting with "Public" is un-restricted and all others are restricted.
  */
  $wgRegexRestrict = array();

  /**
   * If true do not add recent changes entry for restricted pages
   */
  $wgNoRecentChangesRestrict = true;

  /**
   * If true hide log entries related to restriction, except for 'restrict' or 'viewrestrict' users (Special:Log page)
   */
  $wgHideRestrictLog = true;

  /**
   * MediaWiki permissions setup
   */
  $wgGroupPermissions['restrict']['restrict'] = true;
  $wgGroupPermissions['restrict']['viewrestrict'] = true;
  $wgGroupPermissions['viewrestrict']['viewrestrict'] = true;
  // with restrict version beta-0.8.2 when $wgUserPageRestrict and $wgUserReadRestrict is true
  // 'authors' group members get 'edituser' rights and can edit other users pages and sub pages.
  $wgGroupPermissions['authors']['edituser'] = true;
By default nobody is able to restrict page. Go to the User rights management page (in special pages) and add users in group restrict (allow to view and restrict pages) or viewrestrict (allow only to view restricted pages). Here is a FAQ on metawiki. If $wgUserPageRestrict is true, user pages are restricted to their respective owner, as well as members of the viewrestrict group. Don't write sensible information in page titles, they could be retrieved in some cases. This is beta and GPL, test and feedback welcome !

Get the patch

Mailing list and contact

You can subscribe to the mailing list to discuss about this patch, receive news, etc. Send an empty mail to restrict-mediawiki-list-subscribe@... and reply to the confirmation mail. To contact me (no personal support, use this blog) : restrict-mediawiki/at/conseil-recherche-innovation.net (Jérôme Combaz)

Changelog

Version beta-0.72 for MW 1.6.6/1.6.7/1.6.8 (09-01-2006)
  • Spanish translation (thanks to Victor Fariña from Queres tecnologias)
  • Czech translation (thanks to Michal Ciza)
Version beta-0.71 for MW 1.6.6/1.6.7 (07-13-2006)
  • Two bugs in Articles.php and Skin.php (thanks to Owen, see here)
Version beta-0.70 for MW 1.6.6/1.6.7 (06-06-2006)
  • SQL requests are not modified anymore to check the restriction (better sustenability of the patch)
  • Now restricted pages and *regex* restricted pages are treated in the same way. So none of pages title should be listed whatever the protection mechanism choosed, nor during a search request
  • Regex restriction include the namespace, so it is now possible to restrict whole namespaces (eg. "^Talk:" restrict all talk pages)
  • Image partialy restricted (not listed but file accessible via HTTP)
  • The SpecialVersion page informs that MW is patched
  • Correction of text error on the unrestrict page (thanks to Mathaba)
  • Polish translation (thanks to Janusz 'Ency' Dorozynski)
Version beta-0.64 for MW 1.6.3 (05-01-2006)
  • Bug in SpecialCategories page (thanks to T O X I N)
  • Hebrew translation (thanks to Yuval Hager)
  • Bug in OutputPage.php (thanks again to Yuval Hager)
Version beta-0.63 for MW 1.6.3 (04-20-2006)
  • Upgrade for 1.6.3 (thanks to Anthony for his help)
  • Russian translation (thanks to T O X I N)
  • Finnish translation (thanks to Tuomas Helin)
Version beta-0.62 for MW 1.5.5/1.5.6 (02-13-2005)
  • Catalan translation (thanks to Pau Cabot)
  • Small mistake (comma) in swedish translation
Version beta-0.61 for MW 1.5.5/1.5.6 (01-18-2006)
  • Swedish translation (thanks to Samuel Lampa)
  • Dutch translation (thanks to Peter De Baets)
Version beta-0.6 for MW 1.5.3 (12-15-2005)
  • $wgHideRestrictLog option is back
Version beta-0.59 for MW 1.5.1/1.5.2 (10-31-2005)
  • Allow to restrict new pages by default ($wgRestrictNewPages option)
  • Bug : 'ArticleProtectComplete' hook function remplaced by 'ArticleRestrictComplete' (stupid mistake !)
Version beta-0.58 (10-07-2005)
  • Restriction by regular expression test on title.
  • Bug which avoided to view restricted pages in special pages (only 'restrict' group can see it, not possible to add 'viewrestrict' group) (thanks to Karen O'Flaherty)
  • German translation updated (thanks to Hugo Wirz)
  • French and english translations updated.
  • Bug in Broken Redirects special page SQL request
  • Categories special page hide restricted categories for non allowed users
  • No more modifications in monobook stylesheet than one style added (see bottom of /skins/monobook/main.css file).
Version beta-0.57 (09-18-2005)
  • Stupid cosmetic bug which avoid patch working if user page restriction enabled (thanks to Christophe Berger)
Version beta-0.56 (09-11-2005)
  • Bug "variables can be passed by reference in mediawiki\includes\Article.php on line 1703" with some PHP configurations (thanks to Chunho Lee)
Version beta-0.55 (09-07-2005)
  • First public release for MediaWiki 1.5

Commentaires

Okay... new install works beautifully...
BUT as soon as I switch to my old db it goes wrong again.

I'm open to suggestions...
BTW thanks for your quick response so far.. usually takes weeks for a developer to respond :-(

Try to empty the objectcache and querycache tables. Please give feedback if you find the answer :)

Jej

Nope, that didn't work either... I'll try to compare the two databases to see if there's a difference that might be the cause.

Okay... there's a lot of differences between the two, but nothing out of the ordinary... mostly extra tables which is to be exspected when comparing a empty wiki-db to a full wiki-db.

But now for the funny part; I changed the db params from the old db back to the freshly installed db, which now gives the same error.

I'm out of ideas here... I'll wrap it up for 2-day and will try again tomorrow (really looking forward to the possibilities of your extension)...

I'm not too well at home in php, but in the definition of the isRestricted() function, there's "getRestrictions("view")", but I can't find that function defined anywhere in MediaWiki.

Am I Chasing a wild goose here?

Bzz,

getRestrictions() is defined in Title.php (it's a genuine MW function). It's still very strange that from two functions defined in the same file, one is well recognized and one produces an error... I cannot understand that !

I updated just now an old wiki from 1.4 to 1.5 with upgrade1_5.php and update.php scripts and no problem was encountered. The patch works, user managment as well... So it's really difficult to help you more if it is an isolated problem. Try maybe to export/import articles instead of playing with DB convertion.

What I know is that during my tests, the cache often redirect me to an old url pointing to an old installation instead of using the current wiki path, and sometime I was confused as I did not noticed it and my modificaitions did not work. Maybe you encounter the same case, chect that.

Else... good luck :)

Jej

It's probably a fluke in my db. It's got 3 (!)wiki installs at the moment. All with different prefixes, but as you pointed out, the caching might be the thing thats bugging.

I'll just set up a new install (again) and import articles. Luckily there aren't that many articles yet.
Thnx for your help.

Do you believe it will be possible to create different groups and to restrict different pages to these different groups?
In my case, I work with 5 projects but it's not interesting for me to open 5 different Wikis.
I just want to have 5 groups, 1 for each project.
Excuse me for my poor English (I'm french), I only want that all people understand it...
Thanks for this great patch too...

Hi kent1,

For now not possible. As it is a recurrent request I will have a look. The problem is to implement that feature without too much hack of mediawiki (eg. no database scheme modification).

Then, keep in touch with the blog, and maybe one day you will have it :)

Jej

Bonjour,
can you give a small regexp example for the array $wgRegexRestrict ?
for example, how can I restrict all pages begining with 'myBrain:'
Thus [[myBrain:myIdea]] would be restricted.
Thanks

It should be :

$wgRegexRestrict = array( '^myBrain:' );

Is it ?

Jej

Ooops, becareful the Uppercase (Mediawiki uppercase the first letter in the title) :

$wgRegexRestrict = array( '^MyBrain:' );

Jej

ps: it works, tested.

Thanks for the example, for the feature, and for this great extension !
Merci!

Hello,

I tried your patch for page access restriction.I got this message on every page

Warning: Invalid argument supplied for foreach() in /www/htdocs/v147709/wiki/includes/Title.php on line 900

In the User rights management page I can't find a group named "special"

???

/include/defaultSettings.php was not patched .. i did it per hand ... works fine now

is it no longer possible to hide the restriction log (in the patch for version 1.5.2)?

// Hide restriction log entries for non-members users
$wgHideRestrictLog = true;

I've added this to LocalSettings.php but it makes no difference. People who are not in the viewrestrict group can still see the restriction log.

Hey man, great extension. I'm just wondering, for windows users, you provide the whole mediawiki installation, patched. But in my case, I already have everything installed, and configured, so I can't just overwrite my files. Any chance you could provide a package with only the files that are concerned by your extension ?

Cheers!

Karen,

ok, the option is back in version 0.6 (for 1.5.3). It was removed with the 1.5.x branch.

Jej

tof,

Here is the list of patched/new files, as you can see in the patch file:

./includes/Article.php
./includes/DefaultSettings.php
./includes/Defines.php
./includes/LogPage.php
./includes/OutputPage.php
./includes/Parser.php
./includes/QueryPage.php
./includes/SearchMySQL.php
./includes/Skin.php
./includes/SkinTemplate.php
./includes/SpecialAllpages.php
./includes/SpecialAncientpages.php
./includes/SpecialBrokenRedirects.php
./includes/SpecialCategories.php
./includes/SpecialContributions.php
./includes/SpecialDeadendpages.php
./includes/SpecialDisambiguations.php
./includes/SpecialDoubleRedirects.php
./includes/SpecialExport.php
./includes/SpecialLog.php
./includes/SpecialLonelypages.php
./includes/SpecialMostlinked.php
./includes/SpecialMovepage.php
./includes/SpecialNewpages.php
./includes/SpecialPage.php
./includes/SpecialPopularpages.php
./includes/SpecialRandompage.php
./includes/SpecialRecentchangeslinked.php
./includes/SpecialRestrictedpages.php
./includes/SpecialShortpages.php
./includes/SpecialUncategorizedpages.php
./includes/SpecialWhatlinkshere.php
./includes/Title.php
./index.php
./languages/LanguageDe.php
./languages/LanguageFr.php
./languages/Language.php
./README.restriction-patch
./skins/monobook/main.css

If you ask me now what are the modifications in these file, please have a look in the patch file :)

Jej

hi , i need to know -- how to install patch on window

You can find a port of the patch command for windows here : unxutils.sourceforge.net. Read also : this comment

No windows here so not tested :)

Jej

Hi!

I'm trying to restrict all Special:* pages using the following line within the LocalSettings.php:

$wgRegexRestrict = array("^Special:", "^Special ");

However, this does not work. It works with e.g. Test:* pages.

In fact, I like to restrict the user (or to be more precise a software agent) to grep all pages from the wiki.

Is there a possibility to restrict access to the Special pages?

Best regards

Martin

Mediawiki manages special pages access in a different way, so the restriction does not apply as normal pages.

I think native features could do the job. Look at this page : meta.wikimedia.org/wiki/P... (To prevent a special page from being listed at [[Special:Specialpages]], edit SpecialPage.php and change the relevant entry...)

Jej

Regarding message 71 "You can find a port of the patch command for windows here : unxutils.sourceforge.net":

This does work, but first you must re-save the patch file to add in CR/LF pairs, which the win32 version of patch requires.

Open the .patch with WordPad then save to add in the windows style new lines.

Dan East

Thanks for this info.

Jej

Hello,

Some questions about the patch you made.

1) I am working on vs. 1.5.4 of wikimedia. Does your patch also work for this release?

2) Do pictures on a page have the same protection as text?

3) What I want to do is make a site for diving-enthousisast. Every visitor has its own pages which he/she can edit, and the possiblity to upload his underwater-photo's and dive-statistics (depth, duration, etc). This must not be able to be changed by others (changed by owner only) but must be able to be viewed by everyone.

However, the user may also make pages on 'dive locations' and 'animal species description' which must be able to be edited by anyone (in the true wiki spirit).

With your patch is it possible to divide the wiki easlily in a 'personal part' and a 'public part'?

Looking forward to your reaction,
Edward Hage

Hi

Can someone help me?
How can i put New-Users by default to the group "viewrestrict"?

Thx :)

OK, I have read the long discussion about access control lists and all the related materials on MW FAQ site -- however I want to know if someone can provide step-by-step instructions to implement this patch BUT substitute student for restrict and studentview for viewrestrict?

IE, I want to expand the category groups. I tried setting up a student group but how can I restrict access to individual classes? IE, UserID studentA is allowed to view and/or edit class IT306 Software Application Programming?

I am sorry if this seems like a duplicate question but after all the reading and testing and troubling shooting I am totally confused.

Any help or insight would be most welcome and appreciated right about now.

Thx/Bill

Great Patch,

I'm having some difficulties with the wgNoRecentChangesRestrict option.

I've noted that it indeed does restrict changes from being listed in the recent changes page, however it doesn't remove the logs of the fact that the pages have been restricted.

I would like to remove all record of restricted pages from the log so that people can't view the titles of the pages

It's quite easy to implement through a new option. I add it to my TODO list.

But if you've time to do it you can submit a patch on the patch :)

Jej

Could you please post a update for 1.5.5, I can't get patch to work on my windows machine.

Thank You

The current patch (0.6) works greatly on 1.5.5. Check your windows :)

Jej

Denis (comments 80 and 81) : I'am totally stupid, the option already exists and was reintroduced in last version... just add $wgHideRestrictLog = true; in your config.

Becareful with sensible information in page titles. It's still unadvised.

Jej

Jerome,

We are using your RESTRICT extension on
MediaWiki: 1.5.0
PHP: 4.3.11 (apache2handler)
MySQL: 3.23.58

and it is working well. I was surprised that RESTRICTED pages are still shown in the list of all pages when this is displayed by a person who is not in the RESTRICT or VIEW RESTRICT group (the contents of the page is not visible to the person.

Is there a setting that hides the titles of RESTRICTED pages? Or is there a way to see a list of all pages that are NOT restricted so people can navigate around these pages.

Thanks for your excellent work.

Peter

Peter: That's the way it works ! The Special:Allpages page hides restricted titles for normal users and shows it for 'restrict' and 'viewrestrict' groups. Check that ./includes/SpecialAllpages.php is well patched.

Jej

I installed the restriction extension, everything works fine. Great work, thank you for your efforts.

One question: I would like to restrict basically all of the pages in my wiki. Do I have to restrict my pages now page by page or is there a shortcut?

Alex: thanks for your comment.

It's not possible to restrict all existing pages except for new pages ($wgRestrictNewPages option). Generally with this patch we need only some pages restricted. It you need all pages restricted maybe you have to rely on apache authentification or mediawiki features.

Jej

Most of the comments out there pertain to problems with this customization. I got it to work but by taking the list of files that Jerome listed and just overwriting them in the file server.

Thanks again.

Merci Jerome! Ca marche tres bien!
Voltaire

Thank you :)

jej

Jerome,

Thank you very much for the patch! It works exactly the way I needed it to.

Thank you too !

A nice day today :)

Jej

Hello,
after I have restricted an article I would expect a view=1 in the page table. The user are still allowed to view the acticle, but not allowed to edit them.
A would like that they not able to view the article.
Bernd

I encountered the following error upon installing the patch from the pre-patched archive:
Deny from all
Fatal error: Class languageutf8: Cannot inherit from undefined class language in /home/content/l/e/h/lehommenet/html/zenru/wiki/languages/LanguageUtf8.php on line 38

Sorry, small mistake in LanguageSv.php. Add a comma at the end of the line 892. Patch updated.

Jej

Hi,

i installed the patch with mediawiki 1.5.0. Now i'm using 1.5.6 without any patches. How do i remove the rest of the patch (there is still the 'button' restrict page, and the recent changes-pages doesn't work anymore....)

Jonathan

Just install 1.5.6 in a new directory...

Or replace all files modified (see comment 69) by the patch with the files from 1.5.6 version.

Jej

Hi,
I installed the patch and almost everything is working great, but pages that were restricted with a regular expression don't seem to be treated quite the same as pages that were directly marked as restricted (with action=restrict). For example:
$wgRegexRestrict = array("^A:");

pages:
B <- "testphrase"
Restricted:B <- "testphrase"
A:B <- "testphrase"

Say B was set to restricted with the "restrict" tab. Of course, the other two pages already show up as restricted pages.

If I search for "testphrase" as a user who doesn't have the "viewrestrict" right, the line in B will not show up, but the lines in Restricted:B and A:B will. I can't click on those pages, but I can still figure out lots of the content by guessing different words.

Looking in the database, B has "edit=:move=:view=1" in its page_restrictions field, but Restricted:B and A:B don't. If I force that field to be added by putting .../A:B?action=restrict in the address bar, then the restriction works and I can no longer search for the phrase.

What I've seen so far of this addon I love -- but I can't quite make it do what I was trying to do. Hopefully you guys can set me straight.

1) I'd like to restrict User pages to be editable only by their User -- I've figured out how to do this.
2) I'd like User pages to be *viewable* by anyone. -- I can't figure out how to do this.

Can anyone help me figure out how to set up this addon to do both 1) and 2) at the same time? Thanks in advance...

Hello, thanks for your patch.

I'm having trouble with recent changes. I have set $wgNoRecentChangesRestrict = true; but creation of pages restricted by $wgRegexRestrict still shows up in the recent changes log. Is this as inteded or is my setup faulty?

regards
Joel

Pages