ICT:Namespaces and Lockdown Policy v4.1

From Costa Sano MediaWiki

Namespaces and Lockdown Policy

Costa Sano MediaWiki Platform

Version 4.1

Purpose

This document describes the namespace architecture and access control configuration of the Costa Sano MediaWiki installation.

It complements:

  • Data model version 4.1
  • Identifier and numbering policy
  • Cargo + Page Forms implementation

This page is intended for:

  • ICT successors
  • system maintainers
  • administrators

It explains:

  • why namespaces exist
  • which namespace is used for what
  • which user groups may access each namespace
  • how Lockdown protects content
  • how this is configured in LocalSettings.php

Design principles

The namespace design follows these rules:

  1. One namespace per real-world entity type
  2. Plain English names (no technical abbreviations)
  3. Separation between documentation and research data
  4. Sensitive technical content must never be transcludable
  5. Simple, boring, maintainable configuration

Goals:

  • clarity for non-technical users
  • predictable URLs
  • easy export and backup
  • easy onboarding of successors
  • minimal configuration complexity

Namespace overview

Namespace     | Purpose                                    | Typical pages                                       | Access group
------------- | ------------------------------------------ | --------------------------------------------------- | ------------
Research:     | User documentation                         | manuals, procedures                                 | research
ICT:          | Technical/system documentation             | server setup, backups, passwords, maintenance notes | ict
Chapter:      | Research chapters (narrative structure)    | CH01, CH02, CH03                                    | club
Place:        | Geographic entities                        | Oostende, Rome, Floréal                             | club
Organisation: | Institutions / organisations               | ARCH, CONG, etc.                                    | club
Person:       | People                                     | researchers, historical actors                      | club
Heritage:     | Heritage objects                           | buildings, sanatoria, artefacts                     | club
Asset:        | DigitalAssets (numbered research sources)  | CH03-ROM-0007                                       | club

Naming rationale

Namespaces use full words instead of abbreviations.

Example:

  • Asset: instead of DA:
  • Heritage: instead of HO:

Reasons:

  • self-explanatory
  • easier for new users
  • easier for successors
  • avoids documentation overhead
  • improves long-term maintainability

Relationship to the data model

Namespaces map 1:1 to Cargo tables:

Namespace     | Cargo table
------------- | ----------------
Chapter:      | ResearchChapters
Place:        | Places
Organisation: | Organisations
Person:       | Persons
Heritage:     | HeritageObjects
Asset:        | DigitalAssets

Each page in these namespaces represents exactly one database entity.

The page name normally equals the entity identifier.

Example:

Asset:CH03-ROM-0007  → DigitalAssets.identifier

Lockdown security model

The Lockdown extension restricts read/edit access per namespace.

Groups:

  • research → user documentation only
  • ict → system documentation only
  • club → all research data
  • sysop → full access

Policy:

  • Research namespace → research group
  • ICT namespace → ict group
  • all research data namespaces → club group only

This ensures:

  • technical information remains protected
  • research data is visible only to club members
  • clear separation of responsibilities

Transclusion protection

MediaWiki allows pages to be embedded (transcluded) into other pages.

This can bypass read restrictions: Lockdown checks access to the page being viewed, not to the pages transcluded into it.

To prevent leakage of sensitive system information:

ICT: is marked non-includable

Configuration:

$wgNonincludableNamespaces[] = NS_ICT;

Other namespaces are intentionally includable because:

  • research content may be reused
  • templates and summaries are useful
  • no sensitive information is stored there

Upload policy

Uploads are restricted globally.

Rules:

  • normal users → cannot upload
  • club members → upload allowed
  • sysops → full rights

Rationale:

Digital files belong to DigitalAssets and must follow the identifier naming policy. Uploads are therefore limited to trained members.


LocalSettings.php configuration

The following block defines the namespaces and protection rules.

(Reference implementation – keep synchronized with this document.)

wfLoadExtension( 'Lockdown' );

# namespaces
define("NS_RESEARCH", 3000);
define("NS_ICT", 3002);
define("NS_CHAPTER", 3004);
define("NS_PLACE", 3006);
define("NS_ORGANISATION", 3008);
define("NS_PERSON", 3010);
define("NS_HERITAGE", 3012);
define("NS_ASSET", 3014);

# permissions and lockdown configured accordingly

See LocalSettings.php for the complete current configuration.
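
An added example of how the policy tables on this page could be written out in LocalSettings.php; it is not the installation's actual configuration. The talk namespace names on the odd IDs, the sysop entries in each list and the `user` upload rule are assumptions derived from the policy text.

```php
<?php
// Added example, not the live LocalSettings.php. Talk namespace names, the
// sysop entries and the "user" upload rule are assumptions (see lead-in).
wfLoadExtension( 'Lockdown' );

// name => [ subject namespace ID (from this page), group allowed by the policy ]
$csNamespaces = [
    'Research'     => [ 3000, 'research' ],
    'ICT'          => [ 3002, 'ict' ],
    'Chapter'      => [ 3004, 'club' ],
    'Place'        => [ 3006, 'club' ],
    'Organisation' => [ 3008, 'club' ],
    'Person'       => [ 3010, 'club' ],
    'Heritage'     => [ 3012, 'club' ],
    'Asset'        => [ 3014, 'club' ],
];

foreach ( $csNamespaces as $name => [ $id, $group ] ) {
    $const = 'NS_' . strtoupper( $name );
    if ( !defined( $const ) ) {
        define( $const, $id );
    }
    // Register the subject namespace and its talk namespace (odd ID).
    $wgExtraNamespaces[$id]     = $name;
    $wgExtraNamespaces[$id + 1] = $name . '_talk';

    // Lockdown only narrows rights, so list every group that keeps access.
    // The talk namespace is locked too; otherwise it stays world-readable.
    foreach ( [ $id, $id + 1 ] as $ns ) {
        $wgNamespacePermissionLockdown[$ns]['read'] = [ $group, 'sysop' ];
        $wgNamespacePermissionLockdown[$ns]['edit'] = [ $group, 'sysop' ];
    }
}

// A custom group exists once it holds at least one right.
foreach ( [ 'research', 'ict', 'club' ] as $group ) {
    $wgGroupPermissions[$group]['read'] = true;
}

// ICT pages (and their talk pages) must not be transcluded anywhere.
$wgNonincludableNamespaces[] = NS_ICT;
$wgNonincludableNamespaces[] = NS_ICT + 1;

// Upload policy: club members and sysops only.
$wgEnableUploads = true;
$wgGroupPermissions['user']['upload']  = false;
$wgGroupPermissions['club']['upload']  = true;
$wgGroupPermissions['sysop']['upload'] = true;
```

Because only ICT: is non-includable, the read lock on the club namespaces does not cover their content once it is transcluded into a page outside those namespaces, which matches this page's decision that they hold nothing sensitive.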


Maintenance notes

When changing namespaces:

  1. update constants
  2. update Lockdown rules
  3. update VisualEditor namespace list
  4. search for old namespace names
  5. test with non-admin users

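Never reuse old namespace IDs: pages are stored by namespace number, so pages left under a retired ID would reappear in the new namespace and fall under its access rules.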


Version history

Version | Date | Notes
------- | ---- | -----
4.1     | 2026 | Introduced full namespace separation, replaced HO/DA by Heritage/Asset, added Lockdown rules