ICT:Account protection
Revision as of 18:33, 9 February 2026
Philosophy
This wiki is a Private Research Platform. To simplify management, we avoid "blacklisting" individual default namespaces. Instead, we use a "White-room" approach: everything is forbidden by default, and access is granted only to the specific functional layers required for research.
1. Global Restrictions
Applied in `LocalSettings.php` to ensure the wiki is invisible to the public and restricted for standard users.
```php
# Full Privacy: revoke read from everyone by default
$wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['user']['read'] = false;

# Sysop Override: ensure admins keep full visibility
$wgGroupPermissions['sysop']['read'] = true;

# Essential Whitelist: required for login and site rendering
$wgWhitelistRead = [
    "Special:UserLogin",
    "MediaWiki:Common.css",
    "MediaWiki:Common.js"
];
```
2. Research Environment Exceptions
Using Extension:Lockdown, we grant the `user` group access to the specific namespaces required for the Dashboard, Cargo queries, and Page Forms.
```php
# Research Namespaces
$wgNamespacePermissionLockdown[NS_RESEARCH]['read'] = ['user', 'sysop'];
$wgNamespacePermissionLockdown[NS_DASHBOARD]['read'] = ['user', 'sysop'];

# Supporting Infrastructure (required for Dashboard rendering)
# Researchers need 'read' access to these so templates and forms function.
$wgNamespacePermissionLockdown[NS_TEMPLATE]['read'] = ['user', 'sysop'];
$wgNamespacePermissionLockdown[NS_FORM]['read'] = ['user', 'sysop'];
```
3. Page Forms & Cargo Interaction
The Dashboard utilizes `Template:EntityRow` for layout and queries the Cargo database.
- Note: If researchers can see the Dashboard but not the data results, ensure the Cargo-specific namespaces are also allowed.
- Editing: The `edit` permission is granted globally to the `user` group, but restricted by namespace via Lockdown.
4. Default System Accounts
- MediaWiki default: Internal system user. No password; no login allowed. Safe.
- Admin/Sysop: Full credentials required.
Successor Notes
- Adding Entities: When creating a new Research Entity, ensure the associated Template and Form are placed in the permitted namespaces.
- Testing Access: Always test new Dashboard sections with a non-admin "Fellow" account to ensure no "Permission Denied" errors occur during template transclusion.
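The following Python model is an added example (not the wiki's own code, nor MediaWiki or Lockdown code) that resolves the read rules from sections 1 and 2 for each audience, so a successor can see who ends up able to read which namespace before trying it with a Fellow account as the Testing Access note advises. It assumes Lockdown only narrows access (a group listed in `$wgNamespacePermissionLockdown` still needs `read` from `$wgGroupPermissions`) and uses constructed ids for the custom namespaces; under that assumption the model shows the `user` group as configured in section 1 never reaching the Research namespace, which is the kind of lockout the Testing Access note is meant to catch.

```python
# Added model (not the wiki's or MediaWiki's own code) of how the read rules
# in sections 1 and 2 resolve.  NS_MAIN/NS_TEMPLATE/NS_SPECIAL are core ids;
# NS_FORM, NS_RESEARCH and NS_DASHBOARD are constructed stand-ins.
NS_MAIN, NS_TEMPLATE, NS_SPECIAL = 0, 10, -1
NS_FORM, NS_RESEARCH, NS_DASHBOARD = 106, 3000, 3002

# Section 1: $wgGroupPermissions and $wgWhitelistRead as configured.
GROUP_PERMISSIONS = {"*": {"read": False}, "user": {"read": False},
                     "sysop": {"read": True}}
WHITELIST_READ = {"Special:UserLogin", "MediaWiki:Common.css",
                  "MediaWiki:Common.js"}
# Section 2: $wgNamespacePermissionLockdown as configured.
NAMESPACE_LOCKDOWN = {ns: {"read": ["user", "sysop"]}
                      for ns in (NS_RESEARCH, NS_DASHBOARD, NS_TEMPLATE, NS_FORM)}
# Audiences to check: (logged in?, extra groups beyond '*' and 'user').
AUDIENCES = {"anonymous": (False, ()), "fellow": (True, ()),
             "sysop": (True, ("sysop",))}


def effective_groups(logged_in, extra=()):
    """Every request is in '*'; a logged-in account is also in 'user'."""
    return {"*", "user", *extra} if logged_in else {"*"}


def can_read(title, ns, logged_in, extra=(), group_perms=GROUP_PERMISSIONS):
    """Resolve 'read' for one title.  Assumption: Lockdown only narrows who
    may read a namespace; the group still needs 'read' in $wgGroupPermissions."""
    groups = effective_groups(logged_in, extra)
    allowed = NAMESPACE_LOCKDOWN.get(ns, {}).get("read")
    if allowed is not None and not groups & set(allowed):
        return False  # Lockdown: none of the user's groups is listed
    if any(group_perms.get(g, {}).get("read", False) for g in groups):
        return True   # a right held by any of the user's groups applies
    return title in WHITELIST_READ  # fallback for login and site CSS/JS


def access_matrix(group_perms=GROUP_PERMISSIONS):
    """Who can read a representative title in each namespace of interest."""
    sample = {"Main Page": NS_MAIN, "Research:Entity1": NS_RESEARCH,
              "Dashboard:Home": NS_DASHBOARD, "Template:EntityRow": NS_TEMPLATE,
              "Form:Entity": NS_FORM, "Special:UserLogin": NS_SPECIAL}
    return {title: {aud: can_read(title, ns, *AUDIENCES[aud], group_perms)
                    for aud in AUDIENCES} for title, ns in sample.items()}


if __name__ == "__main__":
    for title, row in access_matrix().items():
        print(f"{title:20} " + "  ".join(
            f"{aud}={'yes' if ok else 'no'}" for aud, ok in row.items()))
```

Passing a modified `group_perms` (for example with `user` granted `read`) re-runs the matrix against a candidate change, so the effect of a Lockdown or group edit can be compared before it reaches `LocalSettings.php`.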