ICT:Account protection

From Costa Sano MediaWiki
Revision as of 18:26, 9 February 2026 by Mngr (talk | contribs)

Philosophy

This wiki operates on a whitelist-only visibility model. By default, all namespaces (including Main, Category, and Help) are hidden from research fellows. Access is granted explicitly to specific project namespaces.

1. Global Lockdown (LocalSettings.php)

To prevent researchers from browsing default namespaces (Main, User, etc.), we first revoke read access from anonymous visitors ('*') and from the standard 'user' group.

# 1. Block everyone (including logged-in fellows) from reading by default
$wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['user']['read'] = false;

# 2. Grant Sysops total access to override the block
$wgGroupPermissions['sysop']['read'] = true;

2. Defining the "Exceptions"

We use Extension:Lockdown to open specific "windows" for the research fellows. This is much cleaner than manually locking every default namespace.

# Grant 'user' group access ONLY to these specific namespaces
# (the NS_* constants used below must be defined before these lines run)
$wgNamespacePermissionLockdown[NS_RESEARCH]['read'] = ['user', 'sysop'];
$wgNamespacePermissionLockdown[NS_DASHBOARD]['read'] = ['user', 'sysop'];

# Ensure Cargo and Page Forms namespaces are accessible if needed for queries
$wgNamespacePermissionLockdown[NS_CARGO_SPECIAL]['read'] = ['user', 'sysop'];

3. Handling the Whitelist

Because the wiki is private, certain technical pages must be "Whitelisted" so the browser can render the login screen and basic styles.

$wgWhitelistRead = [
    "Special:UserLogin", 
    "MediaWiki:Common.css", 
    "MediaWiki:Common.js",
    "Main_Page" // Optional: if you want them to see the landing page before login
];

4. System Account Security Reference

  • MediaWiki default: Internal system identity. No password, no login capability. Safe.
  • Project Sysop: Full authority. Bypasses namespace restrictions to manage the ICT infrastructure.

Successor Notes

  • The "Everything is Hidden" Trap: If a researcher cannot see a Cargo map or a Page Form, check if the namespace for that specific template or data table is included in the Lockdown exceptions.
  • Testing: Use a "Fellow" test account to verify that namespaces like `Category:` or `File:` remain invisible.
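The check described under Testing can be scripted. The sketch below is an added example, not part of this wiki's own configuration: it audits the reply to `api.php?action=query&prop=info&intestactions=read&formatversion=2` fetched as the "Fellow" test account, and flags both leaks and the "Everything is Hidden" trap. The namespace IDs 3000 and 3002, the page titles, and the sample replies are constructed assumptions.

```python
import json

# Assumed numeric IDs for NS_RESEARCH and NS_DASHBOARD (the page gives none).
ALLOWED_NS = {3000, 3002}
# Content pages listed in $wgWhitelistRead; readable by design.
WHITELIST = {"Main Page", "MediaWiki:Common.css", "MediaWiki:Common.js"}

# Constructed API replies, shaped like the output of
# action=query&prop=info&intestactions=read&formatversion=2
# when requested with the Fellow test account's session.
SAMPLE_OK = json.loads("""{"query": {"pages": [
  {"ns": 3000, "title": "Research:Trial A", "actions": {"read": true}},
  {"ns": 3002, "title": "Dashboard:Home",   "actions": {"read": false}},
  {"ns": 14,   "title": "Category:Staff",   "actions": {"read": false}},
  {"ns": 6,    "title": "File:Map.png",     "actions": {"read": true}},
  {"ns": 0,    "title": "Main Page",        "actions": {"read": true}}
]}}""")
SAMPLE_DENIED = json.loads(
    '{"error": {"code": "readapidenied", "info": "constructed sample"}}')


def audit_read_access(reply, allowed_ns=ALLOWED_NS, whitelist=WHITELIST):
    """Return (kind, detail) findings; an empty list means the policy holds."""
    if "error" in reply:
        # The account cannot read at all, so no namespace exception applies.
        return [("NO_READ_RIGHT", reply["error"].get("code", "unknown"))]
    findings = []
    for page in reply["query"]["pages"]:
        if page["title"] in whitelist:
            continue
        readable = bool(page.get("actions", {}).get("read", False))
        allowed = page["ns"] in allowed_ns
        if readable and not allowed:
            findings.append(("LEAK", page["title"]))      # should be invisible
        elif allowed and not readable:
            findings.append(("HIDDEN", page["title"]))    # exception missing
    return findings


if __name__ == "__main__":
    for name, reply in (("ok", SAMPLE_OK), ("denied", SAMPLE_DENIED)):
        for kind, detail in audit_read_access(reply):
            print(f"{name}: {kind} {detail}")
```

A `NO_READ_RIGHT` result means the test account has no read permission anywhere, so the namespace exceptions in section 2 are not taking effect for it.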