Jump to content

ICT:Account protection: Difference between revisions

From Costa Sano MediaWiki
← Older editNewer edit →
Mngr (talk | contribs)
Bots, Bureaucrats, club, ict, Interface administrators, research, Suppressors, Administrators
1,027 edits
VisualWikitext
No edit summary
No edit summary
Line 2: Line 2:
__TOC__
__TOC__
== Philosophy ==
== Philosophy ==
This wiki operates on a '''Whitelist-only''' visibility model. By default, all namespaces (including Main, Category, and Help) are hidden from research fellows. Access is granted explicitly to specific project namespaces.
This wiki is a '''Private Research Platform'''. To simplify management, we avoid "blacklisting" individual default namespaces. Instead, we use a "White-room" approach: everything is forbidden by default, and access is granted only to the specific functional layers required for research.


== 1. Global Lockdown (LocalSettings.php) ==
== 1. Global Restrictions ==
To prevent researchers from browsing default namespaces (Main, User, etc.), we first revoke read access from the standard 'user' group.
Applied in `LocalSettings.php` to ensure the wiki is invisible to the public and restricted for standard users.


<syntaxhighlight lang="php">
<syntaxhighlight lang="php">
# 1. Block everyone (including logged-in fellows) from reading by default
# Full Privacy: Revoke read from all by default
$wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['user']['read'] = false;
$wgGroupPermissions['user']['read'] = false;  


# 2. Grant Sysops total access to override the block
# Sysop Override: Ensure admins maintain full visibility
$wgGroupPermissions['sysop']['read'] = true;
$wgGroupPermissions['sysop']['read'] = true;
# Essential Whitelist: Required for login and site rendering
$wgWhitelistRead = [
    "Special:UserLogin",
    "MediaWiki:Common.css",
    "MediaWiki:Common.js"
];
</syntaxhighlight>
</syntaxhighlight>


== 2. Defining the "Exceptions" ==
== 2. Research Environment Exceptions ==
We use [[Extension:Lockdown]] to open specific "windows" for the research fellows. This is much cleaner than manually locking every default namespace.
Using [[Extension:Lockdown]], we grant the `user` group access to the specific namespaces required for the Dashboard, Cargo queries, and Page Forms.


<syntaxhighlight lang="php">
<syntaxhighlight lang="php">
# Grant 'user' group access ONLY to these specific namespaces
# Research Namespaces
$wgNamespacePermissionLockdown[NS_RESEARCH]['read'] = ['user', 'sysop'];
$wgNamespacePermissionLockdown[NS_RESEARCH]['read'] = ['user', 'sysop'];
$wgNamespacePermissionLockdown[NS_DASHBOARD]['read'] = ['user', 'sysop'];
$wgNamespacePermissionLockdown[NS_DASHBOARD]['read'] = ['user', 'sysop'];


# Ensure Cargo and Page Forms namespaces are accessible if needed for queries
# Supporting Infrastructure (Required for Dashboard rendering)
$wgNamespacePermissionLockdown[NS_CARGO_SPECIAL]['read'] = ['user', 'sysop'];
# Researchers need 'read' access to these so templates and forms function.
</syntaxhighlight>
$wgNamespacePermissionLockdown[NS_TEMPLATE]['read'] = ['user', 'sysop'];
$wgNamespacePermissionLockdown[NS_FORM]['read']     = ['user', 'sysop'];
$syntaxhighlight>


== 3. Handling the Whitelist ==
== 3. Page Forms & Cargo Interaction ==
Because the wiki is private, certain technical pages must be "Whitelisted" so the browser can render the login screen and basic styles.
The Dashboard utilizes `Template:EntityRow` for layout and queries the Cargo database.  
 
* '''Note:''' If researchers can see the Dashboard but not the data results, ensure the Cargo-specific namespaces are also allowed.
<syntaxhighlight lang="php">
* '''Editing:''' The `edit` permission is granted globally to the `user` group, but restricted by namespace via Lockdown.
$wgWhitelistRead = [
    "Special:UserLogin",  
    "MediaWiki:Common.css",
    "MediaWiki:Common.js",
    "Main_Page" // Optional: if you want them to see the landing page before login
];
</syntaxhighlight>


== 4. System Account Security Reference ==
== 4. Default System Accounts ==
* '''MediaWiki default:''' Internal system identity. No password, no login capability. Safe.
* '''MediaWiki default:''' Internal system user. No password; no login allowed. Safe.
* '''Project Sysop:''' Full authority. Bypasses namespace restrictions to manage the ICT infrastructure.
* '''Admin/Sysop:''' Full credentials required.


== Successor Notes ==
== Successor Notes ==
* '''The "Everything is Hidden" Trap:''' If a researcher cannot see a Cargo map or a Page Form, check if the namespace for that specific template or data table is included in the Lockdown exceptions.
* '''Adding Entities:''' When creating a new Research Entity, ensure the associated Template and Form are placed in the permitted namespaces.
* '''Testing:''' Use a "Fellow" test account to verify that namespaces like `Category:` or `File:` remain invisible.
* '''Testing Access:''' Always test new Dashboard sections with a non-admin "Fellow" account to ensure no "Permission Denied" errors occur during template transclusion.


[[Category:ICT Documentation]]
[[Category:ICT Documentation]]
[[Category:Security Operations]]
[[Category:Security Operations]]

Revision as of 18:30, 9 February 2026

Philosophy

This wiki is a Private Research Platform. To simplify management, we avoid "blacklisting" individual default namespaces. Instead, we use a "White-room" approach: everything is forbidden by default, and access is granted only to the specific functional layers required for research.

1. Global Restrictions

Applied in `LocalSettings.php` to ensure the wiki is invisible to the public and restricted for standard users. 

# Full Privacy: Revoke read from all by default
$wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['user']['read'] = false; 

# Sysop Override: Ensure admins maintain full visibility
$wgGroupPermissions['sysop']['read'] = true;

# Essential Whitelist: Required for login and site rendering
$wgWhitelistRead = [
    "Special:UserLogin",
    "MediaWiki:Common.css",
    "MediaWiki:Common.js"
];

2. Research Environment Exceptions

Using Extension:Lockdown, we grant the `user` group access to the specific namespaces required for the Dashboard, Cargo queries, and Page Forms.

<syntaxhighlight lang="php">

  1. Research Namespaces

$wgNamespacePermissionLockdown[NS_RESEARCH]['read'] = ['user', 'sysop']; $wgNamespacePermissionLockdown[NS_DASHBOARD]['read'] = ['user', 'sysop'];

  1. Supporting Infrastructure (Required for Dashboard rendering)
  2. Researchers need 'read' access to these so templates and forms function.

$wgNamespacePermissionLockdown[NS_TEMPLATE]['read'] = ['user', 'sysop']; $wgNamespacePermissionLockdown[NS_FORM]['read'] = ['user', 'sysop']; $syntaxhighlight>

3. Page Forms & Cargo Interaction

The Dashboard utilizes `Template:EntityRow` for layout and queries the Cargo database.

  • Note: If researchers can see the Dashboard but not the data results, ensure the Cargo-specific namespaces are also allowed.
  • Editing: The `edit` permission is granted globally to the `user` group, but restricted by namespace via Lockdown.

4. Default System Accounts

  • MediaWiki default: Internal system user. No password; no login allowed. Safe.
  • Admin/Sysop: Full credentials required.

Successor Notes

  • Adding Entities: When creating a new Research Entity, ensure the associated Template and Form are placed in the permitted namespaces.
  • Testing Access: Always test new Dashboard sections with a non-admin "Fellow" account to ensure no "Permission Denied" errors occur during template transclusion.
Retrieved from "https://mwiki.costasano.club/index.php?title=ICT:Account_protection&oldid=526"