
ICT:Account protection: Difference between revisions

From Costa Sano MediaWiki
No edit summary
No edit summary
 
(4 intermediate revisions by the same user not shown)
Line 1: Line 1:
{{DISPLAYTITLE:Account Protections & System Users}}
{{DISPLAYTITLE:Access Control: The "Lockdown" Model}}
__TOC__
__TOC__
== Overview ==
== Philosophy ==
This document outlines the security profile of default system accounts and the hardening configurations applied to this MediaWiki instance (v1.45) to restrict access and visibility.
This wiki is a '''Private Research Platform'''. To simplify management, we avoid "blacklisting" individual default namespaces. Instead, we use a "White-room" approach: everything is forbidden by default, and access is granted only to the specific functional layers required for research.


== Default System Accounts ==
== 1. Global Restrictions ==
Upon initialization, MediaWiki creates or reserves specific identities.  
Applied in `LocalSettings.php` to ensure the wiki is invisible to the public and restricted for standard users.


=== MediaWiki default ===
<syntaxhighlight lang="php">
* '''Type:''' Virtual/System User.
# Full Privacy: Revoke read from all by default
* '''Password Protection:''' This account '''does not have a password''' and is blocked from web-based login.
$wgGroupPermissions['*']['read'] = false;
* '''Function:''' It acts as a placeholder for automated interface updates and system-generated edits.
$wgGroupPermissions['user']['read'] = false;  
* '''Security Status:''' Safe; cannot be compromised via brute force.


=== Initial Admin (Sysop) ===
# Sysop Override: Ensure admins maintain full visibility
* '''Type:''' Human Administrator.
$wgGroupPermissions['sysop']['read'] = true;
* '''Security:''' Protected by a salted hash password.
* '''Audit Path:''' Check rights via [[Special:UserRights]] or the [[Special:ListUsers/sysop|Sysop List]].


== Applied Hardening (LocalSettings.php) ==
# Essential Whitelist: Required for login and site rendering
The following configurations are implemented in the server's configuration file to secure the environment.
$wgWhitelistRead = [
    "Special:UserLogin",
    "MediaWiki:Common.css",
    "MediaWiki:Common.js"
];
</syntaxhighlight>
 
== 2. Research Environment Exceptions ==
Using [[Extension:Lockdown]], we grant the `user` group access to the specific namespaces required for the Dashboard, Cargo queries, and Page Forms.


=== 1. Registration Lock ===
Prevents the "Create Account" option from appearing to anonymous visitors.
<syntaxhighlight lang="php">
<syntaxhighlight lang="php">
$wgGroupPermissions['*']['createaccount'] = false;
# Research Namespaces
$wgNamespacePermissionLockdown[NS_RESEARCH]['read'] = ['user', 'sysop'];
$wgNamespacePermissionLockdown[NS_DASHBOARD]['read'] = ['user', 'sysop'];
 
# Supporting Infrastructure (Required for Dashboard rendering)
# Researchers need 'read' access to these so templates and forms function.
$wgNamespacePermissionLockdown[NS_TEMPLATE]['read'] = ['user', 'sysop'];
$wgNamespacePermissionLockdown[NS_FORM]['read']     = ['user', 'sysop'];
</syntaxhighlight>
</syntaxhighlight>


=== 2. Write Protection ===
== 3. Page Forms & Cargo Interaction ==
Disables anonymous editing to ensure only identified users can modify content.
The Dashboard utilizes `Template:EntityRow` for layout and queries the Cargo database.
<syntaxhighlight lang="php">
* '''Note:''' If researchers can see the Dashboard but not the data results, ensure the Cargo-specific namespaces are also allowed.
$wgGroupPermissions['*']['edit'] = false;
* '''Editing:''' The `edit` permission is granted globally to the `user` group, but restricted by namespace via Lockdown.
</syntaxhighlight>
 
== 4. Default System Accounts ==
* '''MediaWiki default:''' Internal system user. No password; no login allowed. Safe.
* '''Admin/Sysop:''' Full credentials required.
 
== Successor Notes ==
* '''Adding Entities:''' When creating a new Research Entity, ensure the associated Template and Form are placed in the permitted namespaces.
* '''Testing Access:''' Always test new Dashboard sections with a non-admin "Fellow" account to ensure no "Permission Denied" errors occur during template transclusion.
 
{{DISPLAYTITLE:User Experience & Stealth Configuration}}
__TOC__
== Strategy: Forbidden by Default ==
To prevent "clutter" and spying, the wiki uses a **Negative Lockdown** model. Users are explicitly denied access to all default MediaWiki namespaces.
 
== Configuration Implementation ==
=== 1. Namespace Stealth ===
The following namespaces are hidden from the Search bar and 'All Pages' list for standard members to prevent them from seeing technical infrastructure:
* {{ns:ICT}} (ID: 3000)
* {{ns:Template}} (ID: 10)
* {{ns:Form}} (ID: 106)


=== 3. Private Wiki Configuration (Optional/Full Privacy) ===
=== 2. Functional Access ===
To prevent any unauthorized viewing of the wiki content, the following settings hide all pages from logged-out users, except for the login interface.
Members are restricted to the following functional "Safe Zones":
* '''Dashboard:''' Entry point for all research.
* '''Research:''' The data repository.


<syntaxhighlight lang="php">
=== 3. Maintenance Logic ===
# Disable reading by anonymous users
Standard users (`group: user`) have had their global `['read']` permission revoked in [[LocalSettings.php]]. They only "see" what is explicitly whitelisted via the Lockdown extension.
$wgGroupPermissions['*']['read'] = false;


# Whitelist essential pages to allow users to log in
== Successor Warning ==
$wgWhitelistRead = array(
If a researcher reports a "Broken Template" error (e.g., seeing raw {{...}} code), it usually means a new Template was created in a namespace that isn't yet whitelisted for the `user` group.
    "Special:UserLogin",  
    "MediaWiki:Common.css",  
    "MediaWiki:Common.js"
);
</syntaxhighlight>


== Successor Maintenance Notes ==
# '''Audit:''' Regularly verify the user list via [[Special:ListUsers]].
# '''Updates:''' If a new system user appears after an upgrade or extension install, consult the [https://www.mediawiki.org MediaWiki System User Manual].
# '''Configuration:''' All changes above must be verified in an Incognito/Private browser window to ensure they are active.


[[Category:ICT Documentation]]
[[Category:ICT Documentation]]
[[Category:Security Operations]]
[[Category:Security Operations]]
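Review bot: In the new section 1, `$wgGroupPermissions['user']['read'] = false;` removes read from every logged-in non-sysop account, and the `$wgNamespacePermissionLockdown[...]['read'] = ['user', 'sysop'];` lines in section 2 cannot give it back, because Lockdown only narrows a right that `$wgGroupPermissions` already grants. As written, researchers would be limited to the three `$wgWhitelistRead` titles. Suggest keeping read granted to `user` and adding sysop-only Lockdown entries for each namespace that must stay hidden (the page lists ICT, ID 3000), or documenting what else restores read for researchers. The revision also drops the sections documenting `$wgGroupPermissions['*']['createaccount'] = false;` and `$wgGroupPermissions['*']['edit'] = false;` without saying whether those settings remain in LocalSettings.php; state that explicitly so a successor does not assume they were removed. NS_RESEARCH, NS_DASHBOARD and NS_FORM are used with no definition shown; note where they are defined.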

Latest revision as of 18:40, 9 February 2026

Philosophy

This wiki is a Private Research Platform. To simplify management, we avoid "blacklisting" individual default namespaces. Instead, we use a "White-room" approach: everything is forbidden by default, and access is granted only to the specific functional layers required for research.

1. Global Restrictions

Applied in `LocalSettings.php` to ensure the wiki is invisible to the public and restricted for standard users.

# Full Privacy: Revoke read from all by default
$wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['user']['read'] = false; 

# Sysop Override: Ensure admins maintain full visibility
$wgGroupPermissions['sysop']['read'] = true;

# Essential Whitelist: Required for login and site rendering
$wgWhitelistRead = [
    "Special:UserLogin",
    "MediaWiki:Common.css",
    "MediaWiki:Common.js"
];

2. Research Environment Exceptions

Using Extension:Lockdown, we grant the `user` group access to the specific namespaces required for the Dashboard, Cargo queries, and Page Forms.

# Research Namespaces
$wgNamespacePermissionLockdown[NS_RESEARCH]['read'] = ['user', 'sysop'];
$wgNamespacePermissionLockdown[NS_DASHBOARD]['read'] = ['user', 'sysop'];

# Supporting Infrastructure (Required for Dashboard rendering)
# Researchers need 'read' access to these so templates and forms function.
$wgNamespacePermissionLockdown[NS_TEMPLATE]['read'] = ['user', 'sysop'];
$wgNamespacePermissionLockdown[NS_FORM]['read']     = ['user', 'sysop'];
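
How the settings in sections 1 and 2 combine, as an added Python example that is not part of this wiki's configuration. It is a simplified model that assumes a right is the union of an account's groups and that Lockdown can only narrow an existing right, never grant one; the sample titles and the USER_READ_ON variant are constructed.

```python
# Simplified model (assumption): core 'read' is the union of a user's groups,
# $wgWhitelistRead titles stay readable, and Lockdown can only veto, not grant.
WHITELIST = {"Special:UserLogin", "MediaWiki:Common.css", "MediaWiki:Common.js"}
LOCKDOWN_READ = {  # $wgNamespacePermissionLockdown[NS_*]['read'] from this page
    "Research": {"user", "sysop"},
    "Dashboard": {"user", "sysop"},
    "Template": {"user", "sysop"},
    "Form": {"user", "sysop"},
}
PAGE_CONFIG = {"*": False, "user": False, "sysop": True}   # as documented above
USER_READ_ON = {"*": False, "user": True, "sysop": True}   # hypothetical variant


def can_read(groups, title, group_read):
    """groups: explicit groups of the account; '*' is always implied."""
    groups = set(groups) | {"*"}
    namespace = title.split(":", 1)[0] if ":" in title else ""
    allowed = LOCKDOWN_READ.get(namespace)
    if allowed is not None and not (groups & allowed):
        return False  # Lockdown veto: account is in none of the listed groups
    if title in WHITELIST:
        return True
    return any(group_read.get(g, False) for g in groups)  # core grant


def dead_entries(group_read):
    """Lockdown entries naming a group with no base 'read' right to restrict."""
    return sorted((ns, g) for ns, gs in LOCKDOWN_READ.items()
                  for g in gs if not group_read.get(g, False))


def unexpected_reads(groups, titles, intended_namespaces, group_read):
    """Titles the account can read outside the namespaces meant for it."""
    return [t for t in titles
            if can_read(groups, t, group_read)
            and t not in WHITELIST
            and t.split(":", 1)[0] not in intended_namespaces]


# Constructed sample titles; only the namespace names come from the page.
SAMPLE_TITLES = ["Research:Entity A", "Dashboard:Home", "Template:EntityRow",
                 "ICT:Account protection", "Special:UserLogin"]
FELLOW = ["user"]
INTENDED = {"Research", "Dashboard", "Template", "Form"}

if __name__ == "__main__":
    print("no-effect Lockdown entries:", dead_entries(PAGE_CONFIG))
    print("Fellow reads Research:", can_read(FELLOW, "Research:Entity A", PAGE_CONFIG))
    print("exposed once user read is on:",
          unexpected_reads(FELLOW, SAMPLE_TITLES, INTENDED, USER_READ_ON))
```

Under the documented settings the model reports the four `user` entries as having no effect. With read restored for `user`, ICT needs its own sysop-only Lockdown entry to stay hidden.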

3. Page Forms & Cargo Interaction

The Dashboard utilizes `Template:EntityRow` for layout and queries the Cargo database.

  • Note: If researchers can see the Dashboard but not the data results, ensure the Cargo-specific namespaces are also allowed.
  • Editing: The `edit` permission is granted globally to the `user` group, but restricted by namespace via Lockdown.

4. Default System Accounts

  • MediaWiki default: Internal system user. No password; no login allowed. Safe.
  • Admin/Sysop: Full credentials required.

Successor Notes

  • Adding Entities: When creating a new Research Entity, ensure the associated Template and Form are placed in the permitted namespaces.
  • Testing Access: Always test new Dashboard sections with a non-admin "Fellow" account to ensure no "Permission Denied" errors occur during template transclusion.


Strategy: Forbidden by Default

To prevent "clutter" and spying, the wiki uses a Negative Lockdown model. Users are explicitly denied access to all default MediaWiki namespaces.

Configuration Implementation

1. Namespace Stealth

The following namespaces are hidden from the Search bar and 'All Pages' list for standard members to prevent them from seeing technical infrastructure:

  • ICT (ID: 3000)
  • Template (ID: 10)
  • Form (ID: 106)

2. Functional Access

Members are restricted to the following functional "Safe Zones":

  • Dashboard: Entry point for all research.
  • Research: The data repository.

3. Maintenance Logic

Standard users (`group: user`) have had their global `['read']` permission revoked in LocalSettings.php. They only "see" what is explicitly whitelisted via the Lockdown extension.

Successor Warning

If a researcher reports a "Broken Template" error (e.g., seeing raw {{...}} code), it usually means a new Template was created in a namespace that isn't yet whitelisted for the `user` group.