Access control lists (ACLs)

From binaryoption
Jump to navigation Jump to search
Баннер1
  1. Access Control Lists (ACLs) in MediaWiki

Access Control Lists (ACLs) are a fundamental security mechanism in MediaWiki, governing which users and groups have permission to perform specific actions on pages and other wiki resources. Understanding ACLs is crucial for administrators and power users who need to control access to sensitive information, manage editing privileges, and maintain the integrity of their wiki. This article provides a comprehensive introduction to ACLs in MediaWiki 1.40, covering their concepts, syntax, practical applications, and troubleshooting tips.

    1. What are Access Control Lists?

At its core, an ACL defines *who* can do *what* to a specific wiki resource. Think of it like a security guard at a building. The guard (the ACL) checks the ID (the user or group) and verifies if they have permission to access certain areas (perform specific actions). Without ACLs, a wiki would be open to anyone, potentially leading to vandalism, data breaches, or unintended modifications.

In MediaWiki, rights are assigned to users and groups. Groups are collections of users, making it easier to manage permissions for multiple individuals simultaneously. ACLs then specify which users or groups have which rights on specific pages, categories, templates, or even the entire wiki (through the `*` wildcard).

    1. Key Concepts: Rights, Users, and Groups

Before diving into the syntax, let's define the key components of an ACL:

  • **Rights:** These are the specific actions a user or group can perform. Common rights include:
   * `read`:  Allows viewing the page.
   * `edit`: Allows editing the page.
   * `create`: Allows creating new pages within a namespace.
   * `delete`: Allows deleting pages.  (Generally restricted to administrators).
   * `move`: Allows moving pages to different namespaces.
   * `protect`: Allows protecting pages from editing.
   * `unprotect`: Allows removing protection from pages.
   * `viewhistory`: Allows viewing the page's history.
   * `browsearchive`: Allows browsing archived versions of the page.
   * `purge`: Allows purging the page cache.
   * `writeapi`: Allows accessing the API for writing operations.
   * `readapi`: Allows accessing the API for reading operations.
   * `email`: Allows sending emails from the wiki.
   * `upload`: Allows uploading files.
  • **Users:** Individual registered users of the wiki. Usernames are case-sensitive. For example, `User:JohnDoe`.
  • **Groups:** Collections of users that share common permissions. MediaWiki has several built-in groups:
   * `*`:  Everyone (anonymous and registered users).
   * `user`: All registered users.
   * `sysop`: Administrators.
   * `bureaucrat`: Super-administrators.
   * `moderator`: Users with moderation privileges (if enabled).
   * Custom groups can be created via the Special:UserGroups page.
    1. ACL Syntax

ACLs are defined in the `rights.php` file located in the `includes/` directory of your MediaWiki installation. This file is a PHP array. Each entry in the array represents a rule that defines permissions for a specific page or resource.

The basic syntax of an ACL rule is:

```php $wgACL['resource'] = array( 

   'right' => array(
       'user1',
       'group1',
       'user2',
       'group2',
   ),
   'another_right' => array(
       'user3',
       'group3',
   )

); ```

Let's break this down:

  • `$wgACL['resource']`: This defines the target resource. The `resource` is a string representing the page title, category name, or namespace. For example: `'Main Page'`, `'Category:Help'`, `'Template:Infobox'`. Use `'*'` to apply the rule to all pages. Use `'Namespace:Page'` to apply to a specific namespace and page.
  • `'right'`: This is the name of the right being granted or denied.
  • `array('user1', 'group1', 'user2', 'group2')`: This is an array of users and groups who are granted the specified `right`. Users and groups are listed as strings.
    • Denying Permissions:**

To *deny* a permission, use a hyphen (`-`) before the user or group name:

```php $wgACL['resource'] = array( 

   'edit' => array(
       '-user1',  // Deny user1 edit access
       'group1',   // Allow group1 edit access
   )

); ```

    1. Practical Examples

Let's illustrate with some practical examples:

    • 1. Restricting Editing of the Main Page:**

To prevent all but administrators from editing the Main Page:

```php $wgACL['Main Page'] = array( 

   'edit' => array(
       'sysop',
   )

); ```

    • 2. Allowing a Specific User to Edit a Template:**

To allow the user "JaneDoe" to edit the template "Template:MyTemplate":

```php $wgACL['Template:MyTemplate'] = array( 

   'edit' => array(
       'JaneDoe',
   )

); ```

    • 3. Protecting a Category from Creation by Anonymous Users:**

To prevent anonymous users from creating pages within the "Category:Private" category:

```php $wgACL['Category:Private'] = array( 

   'create' => array(
       '-*',  // Deny all users (anonymous and registered)
       'user', // Allow registered users
   )

); ```

    • 4. Granting View History Access to a Specific Group:**

To grant the "Researchers" group access to view the history of all pages:

```php $wgACL['*'] = array( 

   'viewhistory' => array(
       'Researchers',
   )

); ```

    • 5. Denying Upload Access to Anonymous Users:**

To prevent anonymous users from uploading files:

```php $wgACL['*'] = array( 

   'upload' => array(
       '-*',
       'user',
   )

); ```

    1. Advanced ACL Techniques
  • **Wildcards:** The `*` wildcard can be used to apply rules to all pages within a namespace. For example, `$wgACL['File:*']` applies to all files.
  • **Subpages:** You can use the `subpage` parameter to apply rules to all subpages of a given page. This requires careful consideration and might be better handled with Extension:PageForms.
  • **Regular Expressions (Regex):** While not directly supported in the basic ACL syntax, you can potentially achieve more complex filtering using extensions or custom code that parses page titles. However, this is significantly more advanced.
  • **Combining Rules:** Multiple rules can be applied to the same resource. MediaWiki evaluates these rules in order, and the last matching rule determines the final permission. This can create complex scenarios, so careful planning is essential.
    1. Best Practices
  • **Least Privilege:** Grant only the minimum necessary permissions. Avoid over-granting access.
  • **Group Management:** Utilize groups effectively to manage permissions for multiple users. This simplifies administration and reduces errors.
  • **Documentation:** Document all ACL rules clearly, explaining the purpose and rationale behind them. Use comments in the `rights.php` file.
  • **Testing:** Thoroughly test all ACL changes in a non-production environment before applying them to your live wiki.
  • **Regular Review:** Periodically review your ACLs to ensure they are still relevant and appropriate.
  • **Avoid Direct Editing:** Whenever possible, use the Special:UserRights page for granting and revoking permissions to individual users. Directly editing `rights.php` should be reserved for more complex scenarios or bulk changes.
    1. Troubleshooting ACL Issues
  • **Cache:** MediaWiki caches ACL information. After making changes to `rights.php`, you may need to purge the cache using the `Maintenance/rebuildacl.php` script (from the command line) or by purging the affected pages.
  • **Syntax Errors:** Incorrect syntax in `rights.php` can cause the wiki to malfunction. Check the MediaWiki error logs for PHP errors.
  • **Conflicting Rules:** Conflicting ACL rules can lead to unexpected behavior. Carefully review your rules to identify and resolve conflicts.
  • **User Group Membership:** Verify that users are members of the correct groups. Use the Special:UserGroups page.
  • **Permission Inheritance:** Understand how permissions are inherited from parent pages and categories.
    1. Related Articles
    1. Further Resources

Here are some resources for further learning about security and access control:

Start Trading Now

Sign up at IQ Option (Minimum deposit $10) Open an account at Pocket Option (Minimum deposit $5)

Join Our Community

Subscribe to our Telegram channel @strategybin to receive: ✓ Daily trading signals ✓ Exclusive strategy analysis ✓ Market trend alerts ✓ Educational materials for beginners

Баннер
Retrieved from "https://binaryoption.wiki/index.php?title=Access_control_lists_(ACLs)&oldid=35291"