ICT:Account protection: Difference between revisions

From Costa Sano MediaWiki
Previous revision: No edit summary
New revision: No edit summary

Line 1:
- {{DISPLAYTITLE:Access Control & Account Security}}
+ {{DISPLAYTITLE:Access Control: The "Lockdown" Model}}
  __TOC__
- == Infrastructure Overview ==
+ == Philosophy ==
- This wiki is configured as a '''Private Research Platform'''. Access is managed via a "Deny-by-Default" policy, using MediaWiki core permissions for global locks and the [[Extension:Lockdown]] for granular namespace security.
+ This wiki operates on a '''Whitelist-only''' visibility model. By default, all namespaces (including Main, Category, and Help) are hidden from research fellows. Access is granted explicitly to specific project namespaces.

- == 1. System Account Security ==
- * '''MediaWiki default:'''
- ** Status: Internal System User.
- ** Security: No password exists; interactive login is impossible.
- ** Role: Attributes automated software edits.
- * '''Sysop Accounts:'''
- ** Status: Human Administrators.
- ** Security: Password protected. Managed via [[Special:ListUsers/sysop]].
+ == 1. Global Lockdown (LocalSettings.php) ==
+ To prevent researchers from browsing default namespaces (Main, User, etc.), we first revoke read access from the standard 'user' group.
+ <syntaxhighlight lang="php">
+ # 1. Block everyone (including logged-in fellows) from reading by default
+ $wgGroupPermissions['*']['read'] = false;
+ $wgGroupPermissions['user']['read'] = false;
+
+ # 2. Grant Sysops total access to override the block
+ $wgGroupPermissions['sysop']['read'] = true;
+ </syntaxhighlight>
+
+ == 2. Defining the "Exceptions" ==
+ We use [[Extension:Lockdown]] to open specific "windows" for the research fellows. This is much cleaner than manually locking every default namespace.

- == 2. Global Hardening (LocalSettings.php) ==
- The following core settings enforce the private nature of the wiki:
  <syntaxhighlight lang="php">
- # Disable public access and registration
- $wgGroupPermissions['*']['read'] = false;
- $wgGroupPermissions['*']['edit'] = false;
- $wgGroupPermissions['*']['createaccount'] = false;
+ # Grant 'user' group access ONLY to these specific namespaces
+ $wgNamespacePermissionLockdown[NS_RESEARCH]['read'] = ['user', 'sysop'];
+ $wgNamespacePermissionLockdown[NS_DASHBOARD]['read'] = ['user', 'sysop'];
+
+ # Ensure Cargo and Page Forms namespaces are accessible if needed for queries
+ $wgNamespacePermissionLockdown[NS_CARGO_SPECIAL]['read'] = ['user', 'sysop'];
  </syntaxhighlight>

- # The Whitelist: Essential for the Login Screen
+ == 3. Handling the Whitelist ==
+ Because the wiki is private, certain technical pages must be "Whitelisted" so the browser can render the login screen and basic styles.
  <syntaxhighlight lang="php">
- # Without these, the login page becomes inaccessible (Loop Error)
  $wgWhitelistRead = [
       "Special:UserLogin",
       "MediaWiki:Common.css",
-      "MediaWiki:Common.js"
+      "MediaWiki:Common.js",
+     "Main_Page" // Optional: if you want them to see the landing page before login
  ];
  </syntaxhighlight>

- == 3. Namespace Lockdown Logic ==
- While `$wgGroupPermissions` locks the door, [[Extension:Lockdown]] manages the internal rooms.
- * '''ICT: Namespace:''' Restricted to the `sysop` group.
- * '''Research/Dashboard Namespaces:''' Access granted to `user` (fellows) and `sysop`.
- * '''Sysop Rights:''' As per [https://www.mediawiki.org Lockdown documentation], sysops retain visibility across all restricted namespaces unless explicitly revoked.
+ == 4. System Account Security Reference ==
+ * '''MediaWiki default:''' Internal system identity. No password, no login capability. Safe.
+ * '''Project Sysop:''' Full authority. Bypasses namespace restrictions to manage the ICT infrastructure.

- == 4. Successor Checklist ==
- # '''Emergency Access:''' If locked out, set `$wgGroupPermissions['*']['read'] = true;` temporarily in LocalSettings.php.
- # '''New Namespaces:''' Any new namespace created for research must be added to the Lockdown array to remain private.
- # '''Auditing:''' Use [[Special:ListUsers]] monthly to ensure no "shadow" human accounts have been created.
+ == Successor Notes ==
+ * '''The "Everything is Hidden" Trap:''' If a researcher cannot see a Cargo map or a Page Form, check if the namespace for that specific template or data table is included in the Lockdown exceptions.
+ * '''Testing:''' Use a "Fellow" test account to verify that namespaces like `Category:` or `File:` remain invisible.

  [[Category:ICT Documentation]]
  [[Category:Security Operations]]
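Review bot: the new global block drops `$wgGroupPermissions['*']['edit'] = false;` and `$wgGroupPermissions['*']['createaccount'] = false;` from the previous revision without carrying them anywhere else, so anonymous editing and self-registration fall back to MediaWiki's defaults (both enabled); on a wiki described as private those two lines belong next to the new `$wgGroupPermissions['*']['read'] = false;`. Second, `$wgGroupPermissions['user']['read'] = false;` combined with `$wgNamespacePermissionLockdown[NS_RESEARCH]['read'] = ['user', 'sysop'];` relies on Lockdown to grant reading to fellows, but Lockdown only narrows rights a group already holds through `$wgGroupPermissions`, so accounts in `user` would be left with nothing beyond `$wgWhitelistRead`; the "Testing" item with a Fellow account is the place to confirm this before depending on it. Finally, the old "Auditing" item (monthly [[Special:ListUsers]] review for shadow accounts) and the "Emergency Access" recovery step are deleted rather than moved; the audit step in particular is worth keeping under Successor Notes.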

Revision as of 18:26, 9 February 2026

Philosophy

This wiki operates on a Whitelist-only visibility model. By default, all namespaces (including Main, Category, and Help) are hidden from research fellows. Access is granted explicitly to specific project namespaces.

1. Global Lockdown (LocalSettings.php)

To prevent researchers from browsing default namespaces (Main, User, etc.), we first revoke read access from the standard 'user' group.

# 1. Block everyone (including logged-in fellows) from reading by default
$wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['user']['read'] = false;

# 2. Grant Sysops total access to override the block
$wgGroupPermissions['sysop']['read'] = true;

2. Defining the "Exceptions"

We use Extension:Lockdown to open specific "windows" for the research fellows. This is much cleaner than manually locking every default namespace.

# Grant 'user' group access ONLY to these specific namespaces
$wgNamespacePermissionLockdown[NS_RESEARCH]['read'] = ['user', 'sysop'];
$wgNamespacePermissionLockdown[NS_DASHBOARD]['read'] = ['user', 'sysop'];

# Ensure Cargo and Page Forms namespaces are accessible if needed for queries
$wgNamespacePermissionLockdown[NS_CARGO_SPECIAL]['read'] = ['user', 'sysop'];

3. Handling the Whitelist

Because the wiki is private, certain technical pages must be "Whitelisted" so the browser can render the login screen and basic styles.

$wgWhitelistRead = [
    "Special:UserLogin", 
    "MediaWiki:Common.css", 
    "MediaWiki:Common.js",
    "Main_Page" // Optional: if you want them to see the landing page before login
];

4. System Account Security Reference

  • MediaWiki default: Internal system identity. No password, no login capability. Safe.
  • Project Sysop: Full authority. Bypasses namespace restrictions to manage the ICT infrastructure.

Successor Notes

  • The "Everything is Hidden" Trap: If a researcher cannot see a Cargo map or a Page Form, check if the namespace for that specific template or data table is included in the Lockdown exceptions.
  • Testing: Use a "Fellow" test account to verify that namespaces like `Category:` or `File:` remain invisible.
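The following is an added example written for this page; it is not code from MediaWiki, from Extension:Lockdown, or from the wiki itself. It models how the three settings in sections 1 to 3 combine for one user and one page, and then runs the check the "Testing" note asks for (which namespaces a Fellow test account can see) against the configuration instead of the live wiki. It encodes the behaviour Lockdown's documentation describes: the extension narrows rights a group already holds through $wgGroupPermissions and never grants new ones. Under that rule the page's settings leave a fellow with nothing beyond $wgWhitelistRead, so the block also carries a constructed alternative (FENCED_CONFIG) that keeps read for user and fences each default namespace to sysop. Assumptions: namespaces are plain strings instead of the site's NS_* constants (Cargo stands in for NS_CARGO_SPECIAL), only the read right is modelled, and $wgRevokePermissions, implicit groups such as autoconfirmed, and the search, export and transclusion paths that Lockdown does not cover are ignored.

```python
# Added example for this page (not MediaWiki, Lockdown, or the wiki's own
# code): a simplified model of how the settings in sections 1-3 combine
# for one user and one page.  Assumptions: namespaces are plain strings
# instead of NS_* constants, only the 'read' right is modelled, and
# $wgRevokePermissions, implicit groups such as 'autoconfirmed', and the
# search/export/transclusion paths Lockdown does not cover are ignored.

# Constructed transcription of the page's LocalSettings.php values.
PAGE_CONFIG = {
    # $wgGroupPermissions, 'read' only
    "group_permissions": {
        "*": {"read": False},
        "user": {"read": False},
        "sysop": {"read": True},
    },
    # $wgNamespacePermissionLockdown[NS]['read']
    "lockdown": {
        "Research": ["user", "sysop"],
        "Dashboard": ["user", "sysop"],
        "Cargo": ["user", "sysop"],  # stands in for NS_CARGO_SPECIAL
    },
    # $wgWhitelistRead
    "whitelist": {
        "Special:UserLogin", "MediaWiki:Common.css",
        "MediaWiki:Common.js", "Main_Page",
    },
}

# Effective groups as MediaWiki sees them: everyone is in '*', every
# logged-in account is also in 'user', administrators additionally in 'sysop'.
ACCOUNTS = {
    "anonymous": ["*"],
    "fellow": ["*", "user"],
    "sysop": ["*", "user", "sysop"],
}


def has_right(groups, right, group_permissions):
    """Core rule: a right is held if ANY of the user's groups grants it.
    Setting a group's entry to False does not take away what another
    group grants (that is what $wgRevokePermissions is for)."""
    return any(group_permissions.get(g, {}).get(right, False) for g in groups)


def can_read(title, namespace, groups, config):
    """True if a user in `groups` may read `title` (which lives in
    `namespace`).  Step 1 is MediaWiki core; step 2 is the Lockdown hook,
    which can only add a denial, never lift one."""
    perms = config["group_permissions"]
    # 1. core: the 'read' right, or an explicit $wgWhitelistRead entry
    if not has_right(groups, "read", perms) and title not in config["whitelist"]:
        return False
    # 2. Lockdown: a listed namespace requires membership in a listed group;
    #    namespaces that are not listed are untouched by Lockdown
    allowed = config["lockdown"].get(namespace)
    if allowed is not None and not set(groups) & set(allowed):
        return False
    return True


def visibility_matrix(config, namespaces, accounts=ACCOUNTS):
    """Which namespaces expose an ordinary (non-whitelisted) page to each
    account kind: the "Testing" note's check, run on the configuration."""
    return {
        name: sorted(ns for ns in namespaces
                     if can_read(f"{ns}:Example", ns, groups, config))
        for name, groups in accounts.items()
    }


SITE_NAMESPACES = ["Main", "User", "Category", "File", "Help",
                   "Research", "Dashboard", "Cargo"]

# Constructed alternative, not on the page: keep 'read' for 'user' and let
# Lockdown fence each default namespace to sysop, the "manually lock every
# default namespace" route that section 2 wanted to avoid.
FENCED_CONFIG = {
    "group_permissions": {
        "*": {"read": False},
        "user": {"read": True},
        "sysop": {"read": True},
    },
    "lockdown": {
        **{ns: ["sysop"] for ns in ["Main", "User", "Category", "File", "Help"]},
        **PAGE_CONFIG["lockdown"],
    },
    "whitelist": PAGE_CONFIG["whitelist"],
}

if __name__ == "__main__":
    for label, cfg in (("page config", PAGE_CONFIG), ("fenced config", FENCED_CONFIG)):
        print(f"{label}: {visibility_matrix(cfg, SITE_NAMESPACES)}")
```

Run as a script it prints both matrices. With the page's settings the fellow row is empty and only sysop sees anything, which is the "Everything is Hidden" trap in its strongest form; with the fenced alternative the fellow row is exactly Cargo, Dashboard and Research while Category and File stay invisible, and the anonymous row is empty under both, as section 1 intends. A new research namespace added without a lockdown entry shows up in the fellow row of the fenced matrix, which is the reverse of the trap and the reason every new namespace still needs its own entry.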