From DIYinfo.org
 | Important note: When you edit any page, you agree to release your contribution into the [public domain]. If you don't want this or can't do this because of license restrictions, please don't edit. |
Contents |
User rights are specific access and ability permissions that can be assigned to customizable groups, which can then be assigned to (or removed from) users through the Special:Userrights interface. For example, the default bureaucrat group enables the use of the User rights interface.
This feature was introduced in MediaWiki 1.5; see setting user rights in MediaWiki on the Meta-wiki for earlier methods.
See Help:User rights management for information about managing and the assignment of user groups.
[edit] Changing group permissions
A default MediaWiki installation assigns certain rights to default groups (see below). You can change the default rights by editing the $wgGroupPermissions array in LocalSettings.php with the syntax <source lang="php">$wgGroupPermissions['group']['right'] = true /* or false */;</source>
If a member has multiple groups, they get the highest permission of any groups. All users, including anonymous users, are in the '*' group; all registered users are in the 'user' group. In addition to the default groups, you can arbitrarily create new groups using the same array.
[edit] Examples
This example will disable viewing of all pages not listed in $wgWhitelistRead, then re-enable for registered users only: <source lang="php"> $wgGroupPermissions['*']['read'] = false;
- The following line is not actually necessary, since it's in the defaults. Setting
- '*' to false doesn't disable rights for groups that have the right separately set
- to true!
$wgGroupPermissions['user']['read'] = true; </source>
This example will disable editing of all pages, then re-enable for users with confirmed e-mail addresses only: <source lang="php">
- Disable for everyone
$wgGroupPermissions['*']['edit'] = false;
- Disable for users, too: by default 'user' is allowed to edit, even if '*' is not.
$wgGroupPermissions['user']['edit'] = false;
- Finally, set it to true for the desired group.
$wgGroupPermissions['emailconfirmed']['edit'] = true; </source>
This example will create an arbitrary "ninja" group that can block users and delete pages, and whose edits are hidden by default in the recent changes log: <source lang="php"> $wgGroupPermissions['ninja']['bot'] = true; $wgGroupPermissions['ninja']['block'] = true; $wgGroupPermissions['ninja']['delete'] = true; </source>
[edit] List of Permissions
The following user rights are available in the latest version of DiyinfoWiki.
| Right | Description | Versions | |
|---|---|---|---|
| Reading | |||
| read | allows viewing pages (when set to false, override for specific pages with $wgWhitelistRead).
Warning Setting this to false will only protect pages in the wiki. Uploaded files will remain readable via direct access (e.g. $wgUploadPath/imageHashes/image.jpg). Make your upload directory name unguessable, and use .htaccess (disable directory listing) to protect it. | 1.5+ | |
| Editing | |||
| edit | allows editing unprotected pages. | 1.5+ | |
| createpage | allows the creation of new pages (requires the edit right). | 1.6+ | |
| createtalk | allows the creation of new talk pages (requires the edit right). | 1.6+ | |
| move | allows renaming the titles of unprotected pages. | 1.5+ | |
| createaccount | allows the creation of new user accounts. | 1.5+ | |
| upload | allows the creation of new images and files. | 1.5+ | |
| reupload | allows overwriting existing images and files. | 1.6+ | |
| reupload-shared | allows replacing images and files from a shared repository (if one is set up) with local files. | 1.6+ | |
| upload_by_url | allows uploading by entering the URL of an external image. | 1.8+ | |
| Management | |||
| delete | 1.5–1.11: allows the deletion or undeletion of pages. 1.12+: allows the deletion of pages. For undeletions, there is now the 'undelete' right, see below. | 1.5+ | |
| bigdelete | allows deletion of pages with larger than $wgDeleteRevisionsLimit revisions | 1.12+ | |
| deletedhistory | allows viewing deleted revisions, but not restoring. | 1.6+ | |
| undelete | allows the undeletion of pages. | 1.12+ | |
| mergehistory | allows access to Special:MergeHistory, to merge non-overlapping pages. Note: currently disabled by default, including on Wikimedia projects. | 1.12+ | |
| protect | allows locking a page to prevent edits and moves, and editing or moving locked pages. | 1.5+ | |
| block | allows the blocking of IP addresses, CIDR ranges, and registered users. Block options include preventing editing and registering new accounts, and autoblocking other users on the same IP address. | 1.5+ | |
| blockemail | allows preventing use of the Special:Emailuser interface when blocking. | 1.11+ | |
| hideuser | allows hiding the user/IP from the block log, active block list, and user list when blocking. (not available by default) | 1.10+ | |
| userrights | allows the use of the user rights interface, which allows the assignment or removal of all* groups to any user. * With $wgAddGroups and $wgRemoveGroups you can set the possibility to add/remove certain groups instead of all. | 1.5+ | |
| userrights-interwiki | allows changing user rights on other wikis. | 1.12+ | |
| rollback | allows one-click reversion of edits. | 1.5+ | |
| markbotedits | allows rollback to be marked as bot edits (see m:Help:Administration#Rollback). | 1.12+ | |
| patrol | allows marking edits as legitimate ($wgUseRCPatrol must be true). | 1.5+ | |
| editinterface | allows editing the MediaWiki namespace, which contains interface messages. | 1.5+ | |
| editusercssjs | allows editing user's own monobook.css, monobook.js, ... subpages. | 1.12+ | |
| hiderevision | allows preventing deleted revision information from being viewed by sysops and prevents sysops from undeleting the hidden info. (not available by default, experimental) | 1.6+ | |
| deleterevision | allows deleting/undeleting information (revision text, edit summary, user who made the edit) of specific revisions (not available by default, experimental) | 1.6+ | |
| Administration | |||
| siteadmin | allows locking and unlocking the database (which blocks all interactions with the web site except viewing). Deprecated by default. | 1.5+ | |
| import | allows user to import one page per time from another wiki ("transwiki"). | 1.5+ | |
| importupload | allows user to import several pages per time from XML files. This right was called 'importraw' in and before version 1.5. | 1.5+ | |
| trackback | allows removal of trackbacks (if $wgUseTrackbacks is true). | 1.7+ | |
| unwatchedpages | allows access to Special:Unwatchedpages, which lists pages that no user has watchlisted. | 1.6+ | |
| Technical | |||
| bot | hides edits from recent changes lists and watchlists by default (can optionally be viewed). | 1.5+ | |
| purge | allows purging a page without a confirmation step (URL parameter "&action=purge").
| 1.10+ | |
| minoredit | allows marking an edit as 'minor'. | 1.6+ | |
| nominornewtalk | blocks new message notification when making minor edits to user talk pages (requires minor edit right). | 1.9+ | |
| ipblock-exempt | makes user immune to blocks applied to his IP address or a range (CIDR) containing it. | 1.9+ | |
| proxyunbannable | makes user immune to the open proxy blocker, which is disabled by default ($wgBlockOpenProxies). | 1.7+ | |
| autopatrol | automatically marks all edits by the user as patrolled ($wgUseRCPatrol must be true). | 1.9+ | |
| apihighlimits | allows user to use higher limits for API queries | 1.12+ | |
| suppressredirect | Allows moving a page without automatically creating a redirect. | 1.12+ | |
| autoconfirmed | used for the 'autoconfirmed' group, see the other table below for more information. | 1.6+ | |
| emailconfirmed | used for the 'emailconfirmed' group, see the other table below for more information. | 1.7+ | |
[edit] List of Groups
The following groups are available in the latest version of DiyinfoWiki.
| Group | Description | Versions |
|---|---|---|
| * | all users (including anonymous). | 1.5+ |
| user | registered accounts. | 1.5+ |
| autoconfirmed | registered accounts at least as old as $wgAutoConfirmAge and having at least as many edits as $wgAutoConfirmCount. | 1.6+ |
| emailconfirmed | registered accounts with confirmed email addresses. | 1.7+ |
| bot | accounts with the bot right (intended for automated scripts). | 1.5+ |
| sysop | users who by default can delete and restore pages, block and unblock users, et cetera. | 1.5+ |
| bureaucrat | users who by default can change other users' rights. | 1.5+ |
| developer | A group for the 'siteadmin' right. The group is deprecated by default, as well as the right. | 1.5+ |
[edit] Default rights
The default rights are defined in DefaultSettings.php. /**
* Permission keys given to users in each group. * All users are implicitly in the '*' group including anonymous visitors; * logged-in users are all implicitly in the 'user' group. These will be * combined with the permissions of all groups that a given user is listed * in in the user_groups table. * * Note: Don't set $wgGroupPermissions = array(); unless you know what you're * doing! This will wipe all permissions, and may mean that your users are * unable to perform certain essential tasks or access new functionality * when new permissions are introduced and default grants established. * * Functionality to make pages inaccessible has not been extensively tested * for security. Use at your own risk! * * This replaces wgWhitelistAccount and wgWhitelistEdit */
$wgGroupPermissions = array();
// Implicit group for all visitors $wgGroupPermissions['*' ]['createaccount'] = true; $wgGroupPermissions['*' ]['read'] = true; $wgGroupPermissions['*' ]['edit'] = true; $wgGroupPermissions['*' ]['createpage'] = true; $wgGroupPermissions['*' ]['createtalk'] = true;
// Implicit group for all logged-in accounts $wgGroupPermissions['user' ]['move'] = true; $wgGroupPermissions['user' ]['read'] = true; $wgGroupPermissions['user' ]['edit'] = true; $wgGroupPermissions['user' ]['createpage'] = true; $wgGroupPermissions['user' ]['createtalk'] = true; $wgGroupPermissions['user' ]['upload'] = true; $wgGroupPermissions['user' ]['reupload'] = true; $wgGroupPermissions['user' ]['reupload-shared'] = true; $wgGroupPermissions['user' ]['minoredit'] = true; $wgGroupPermissions['user' ]['purge'] = true; // can use ?action=purge without clicking "ok"
// Implicit group for accounts that pass $wgAutoConfirmAge $wgGroupPermissions['autoconfirmed']['autoconfirmed'] = true;
// Implicit group for accounts with confirmed email addresses // This has little use when email address confirmation is off $wgGroupPermissions['emailconfirmed']['emailconfirmed'] = true;
// Users with bot privilege can have their edits hidden // from various log pages by default $wgGroupPermissions['bot' ]['bot'] = true; $wgGroupPermissions['bot' ]['autoconfirmed'] = true; $wgGroupPermissions['bot' ]['nominornewtalk'] = true; $wgGroupPermissions['bot' ]['autopatrol'] = true; $wgGroupPermissions['bot' ]['suppressredirect'] = true; $wgGroupPermissions['bot' ]['apihighlimits'] = true;
// Most extra permission abilities go to this group $wgGroupPermissions['sysop']['block'] = true; $wgGroupPermissions['sysop']['createaccount'] = true; $wgGroupPermissions['sysop']['delete'] = true; $wgGroupPermissions['sysop']['bigdelete'] = true; // can be separately configured for pages with > $wgDeleteRevisionsLimit revs $wgGroupPermissions['sysop']['deletedhistory'] = true; // can view deleted history entries, but not see or restore the text $wgGroupPermissions['sysop']['undelete'] = true; $wgGroupPermissions['sysop']['editinterface'] = true; $wgGroupPermissions['sysop']['editusercssjs'] = true; $wgGroupPermissions['sysop']['import'] = true; $wgGroupPermissions['sysop']['importupload'] = true; $wgGroupPermissions['sysop']['move'] = true; $wgGroupPermissions['sysop']['patrol'] = true; $wgGroupPermissions['sysop']['autopatrol'] = true; $wgGroupPermissions['sysop']['protect'] = true; $wgGroupPermissions['sysop']['proxyunbannable'] = true; $wgGroupPermissions['sysop']['rollback'] = true; $wgGroupPermissions['sysop']['trackback'] = true; $wgGroupPermissions['sysop']['upload'] = true; $wgGroupPermissions['sysop']['reupload'] = true; $wgGroupPermissions['sysop']['reupload-shared'] = true; $wgGroupPermissions['sysop']['unwatchedpages'] = true; $wgGroupPermissions['sysop']['autoconfirmed'] = true; $wgGroupPermissions['sysop']['upload_by_url'] = true; $wgGroupPermissions['sysop']['ipblock-exempt'] = true; $wgGroupPermissions['sysop']['blockemail'] = true; $wgGroupPermissions['sysop']['markbotedits'] = true; $wgGroupPermissions['sysop']['suppressredirect'] = true; $wgGroupPermissions['sysop']['apihighlimits'] = true;
- $wgGroupPermissions['sysop']['mergehistory'] = true;
// Permission to change users' group assignments $wgGroupPermissions['bureaucrat']['userrights'] = true;
// Experimental permissions, not ready for production use //$wgGroupPermissions['sysop']['deleterevision'] = true; //$wgGroupPermissions['bureaucrat']['hiderevision'] = true;
/**
* The developer group is deprecated, but can be activated if need be * to use the 'lockdb' and 'unlockdb' special pages. Those require * that a lock file be defined and creatable/removable by the web * server. */
- $wgGroupPermissions['developer']['siteadmin'] = true;
</source>
[edit] See also
- Help:User rights management - information about managing and the assignment of user groups.
