Open main menu

lensowiki β

Help:User rights

Revision as of 07:01, 7 June 2007 by Lensovet (talk | contribs)

  Template:MW 1.5

A new feature of MediaWiki, which is available in the 1.5 versions allows user groups to be created and modified. To change the groups to which a user belongs, use Special:Userrights. Each group can be assigned a mixture of the following rights (permissions). If you are using 1.3 or 1.4, have a look at setting user rights in MediaWiki instead.

Available rights

read
Allows users to read pages not in $wgWhitelistRead
edit
Allows editing of any page which is not protected
createpage
Allows creating normal pages
createtalk
Allows creating talk pages. Note that edit = false prevent creating talk page regardless of this setting.
move
Lets users change the title of a page by moving it
delete
Lets a user delete a page
undelete
Lets a user view deleted versions, undelete a previously deleted page, or undelete specific revisions of a deleted page
protect
Lets users lock a page (presumably only those with the ability to protect a page can edit a protected page)
block
Enables a user to block an IP address, user name, or range of IPs, from editing
userrights
Lets a user change the access levels of another user
createaccount
Lets a user create a user account for another user, or for themselves
upload
Lets a user upload an image or other file to the wiki, or to overwrite an existing non-protected file
rollback
Gives a user a link to more easily revert a bad edit
patrol
Lets a user state that they have checked an edit that appeared in recent changes
editinterface
Lets users edit the MediaWiki namespace to affect the interface
siteadmin
Lets users lock and unlock the database (and possibly change other settings that affect the whole site)
bot
Lets users edit without their edits showing up in recent changes (usually only used for mass edits by bots)

Via extension

These aren't available in the main MediaWiki codebase:

asksql
Lets a user query the database using SQL (currently disabled)
checkuser
Lets a user find all the IP addresses used by a particular logged in user, and to show all the contributions from a given IP address, including those made by logged in users
makesysop
On the Wikimedia sites, the bureaucrat group has a restricted Special:Makesysop interface, while the steward group has the full Special:Userrights interface and an extended version

Changing user groups manually in the database

The user rights are in a table called user_groups with two fields called ug_user and ug_group. There must be one row inserted for each group the user belongs to. You must know the user id number of the user from the users table. This sql query should do the trick. In the example below substitute 1 with the user ID number from the users table.

INSERT INTO user_groups (ug_user, ug_group) VALUES ('1', 'bureaucrat'); 
INSERT INTO user_groups (ug_user, ug_group) VALUES ('1', 'sysop');

Managing group rights

To change the access levels of existing groups or add new groups, you need to have shell/file access to the machine that MediaWiki is running on. You can add or remove permissions to a group with statements in LocalSettings.php.

To disable account creation by anonymous visitors (this replaces $wgWhitelistAccount from 1.4)

 $wgGroupPermissions['*']['createaccount'] = false;

To require that users log in to edit (this replaces the $wgWhitelistEdit from 1.4):

 $wgGroupPermissions['*']['edit'] = false;

It's worth noting that if you set this, you may also want to set

$wgShowIPinHeader = false; # For non-logged in users

This removes the link to the talk page in the header for non-logged in users, and hasn't changed from 1.4.

If $wgWhitelistRead is set, you must also disable the 'read' permission for it to take effect on anonymous users. Any CSS and JS pages used in the Main Page or Login Page should be accessible as well to avoid IE scripting error dialog box.

 $wgWhitelistRead = array( "Main Page", "Special:Userlogin", "-", "MediaWiki:Monobook.css" );
 $wgGroupPermissions['*']['read'] = false;

Main Page is not mandatory for this list. To avoid "login required" redirect page, you can change includes/OutputPage.php loginToUse():

function loginToUse() {
    $titleObj = Title::makeTitle( NS_SPECIAL, "Userlogin" );
    $this->redirect( $titleObj->getFullURL() );
}

You can define new groups as well, and then assign them to users through Special:Userrights:

 $wgGroupPermissions['ninja']['delete'] = true;
 $wgGroupPermissions['ninja']['block'] = true;
 $wgGroupPermissions['ninja']['bot'] = true;

Defaults

For reference, here are the default group/permission assignments in 1.6 (found in includes/DefaultSettings.php):

$wgGroupPermissions['*'    ]['createaccount']   = true;
$wgGroupPermissions['*'    ]['read']            = true;
$wgGroupPermissions['*'    ]['edit']            = true;
$wgGroupPermissions['*'    ]['createpage']      = true;
$wgGroupPermissions['*'    ]['createtalk']      = true;
$wgGroupPermissions['user' ]['move']            = true;
$wgGroupPermissions['user' ]['read']            = true;
$wgGroupPermissions['user' ]['edit']            = true;
$wgGroupPermissions['user' ]['createpage']      = true;
$wgGroupPermissions['user' ]['createtalk']      = true;
$wgGroupPermissions['user' ]['upload']          = true;
$wgGroupPermissions['user' ]['reupload']        = true;
$wgGroupPermissions['user' ]['reupload-shared'] = true;
$wgGroupPermissions['user' ]['minoredit']       = true;
$wgGroupPermissions['autoconfirmed']['autoconfirmed'] = true;
$wgGroupPermissions['bot'  ]['bot']             = true;
$wgGroupPermissions['bot'  ]['autoconfirmed']   = true;
$wgGroupPermissions['sysop']['block']           = true;
$wgGroupPermissions['sysop']['createaccount']   = true;
$wgGroupPermissions['sysop']['delete']          = true;
$wgGroupPermissions['sysop']['deletedhistory']  = true;
$wgGroupPermissions['sysop']['editinterface']   = true;
$wgGroupPermissions['sysop']['import']          = true;
$wgGroupPermissions['sysop']['importupload']    = true;
$wgGroupPermissions['sysop']['move']            = true;
$wgGroupPermissions['sysop']['patrol']          = true;
$wgGroupPermissions['sysop']['protect']         = true;
$wgGroupPermissions['sysop']['rollback']        = true;
$wgGroupPermissions['sysop']['upload']          = true;
$wgGroupPermissions['sysop']['reupload']        = true;
$wgGroupPermissions['sysop']['reupload-shared'] = true;
$wgGroupPermissions['sysop']['unwatchedpages']  = true;
$wgGroupPermissions['sysop']['autoconfirmed']   = true;
$wgGroupPermissions['bureaucrat']['userrights'] = true;

Questions

  • Where are these and how does one change them?
Configuration_settings
  • How do you restrict access to and download for images?
  • How do i protect a certain namespace from being viewed by * and user?
Preventing Access#Setting permissions for a Group on a whole new Namespace
  • How do I change user permissions?
To change which groups a user belongs to, a 'bureaucrat' should visit Special:Specialpages and click the link to 'User Rights Management' on the very bottom of the list which will bring them to Special:Userrights and follow the on-screen instructions.
This will only work for a bureaucrat unless you have changed your settings to function otherwise.
  • On some pages in MediaWiki project (www.mediawiki.org), I seen that: non-logged users cannot edit pages ("view source"), but can edit discussion pages. How to do it in my wiki?
There's a hack shown at Mediawiki:Help:$wgWhitelistEdit, but it doesn't seem to work in version 1.6.5. I've been using the following hack. It goes in the file includes/User.php, in the function isAllowed($action=). Here's the complete modified code for the function:
function isAllowed($action='') {
	if ( $action === '' )
		// In the spirit of DWIM
		return true;
	
	/* Special Cases */
	global $wgTitle;		
	//Allow them to edit talk pages
	if ($wgTitle->isTalkPage() && strcmp("edit", $action) == 0)
		return true;
	
	//No special cases relevant. Use established rules stored in DB.
	$this->loadFromDatabase();
	return in_array( $action , $this->mRights );
}
All the usual warnings and disclaimers about no gauruntees of safety or that it'll work. Do it at your own risk. In particular; the use of the string constant "edit" seems like a horrible mistake to me, but I haven't yet found any constants that define the word for this action. Bmearns 00:13, 19 May 2006 (UTC)
(For global restrictions, this is should be done like that: $wgGroupPermissions['*' ]['editpage'] = false; and $wgGroupPermissions['*' ]['edittalk'] = true; ...but it is not implemented :( )
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['*']['read'] = true;
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['talk'] = true;
works fine for me.
works for me too, except, non-logged in users still can't edit discussion pages!
  • Is it possible to create Group Administrators, i.e. make a user or a different group that can add and delete members of a specific group?
  • Is it possible to create a privlidge so that only the page creator can edit their own pages within a given namespace/prevent all modifications to pages within a given namespace?
  • Is it possible, (using ParserFunctions, perhaps) to have a page display different content for users who are logged-in vs. those not logged-in? I'm trying to create a page for my group where Main_Page is rather bland and uninformative for those without an account, but interesting for those that are.
  • I want to provide a wiki in different languages and I want to create users with "steward"-rights so they can make users to sysops / bureaucrats and the other way round in all languages. The structure is the same as wikipedia's (a subdomain per language and a "commons"-wiki, every wiki can access the other's database-tables and files). How do I have to set-up the wiki for featuring stewards?
  • Is it possible to define the inactivity timeout for users logged in?
You can define session timeouts by adding the following entry in a .htaccess file in your directory:
php_value session.gc_maxlifetime 14400
where the number is the amount of seconds before timing out.