ICT:Account protection

From Costa Sano MediaWiki
Revision as of 18:23, 9 February 2026 by Mngr (talk | contribs)

Infrastructure Overview

This wiki is configured as a Private Research Platform. Access is managed via a "Deny-by-Default" policy, using MediaWiki core permissions for global locks and Extension:Lockdown for granular namespace security.

1. System Account Security

  • MediaWiki default:
    • Status: Internal System User.
    • Security: No password exists; interactive login is impossible.
    • Role: Attributes automated software edits.
  • Sysop Accounts:

2. Global Hardening (LocalSettings.php)

The following core settings enforce the private nature of the wiki:

```php
# Disable public access and registration
$wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['createaccount'] = false;

# The Whitelist: Essential for the Login Screen
# Without these, the login page becomes inaccessible (Loop Error)
$wgWhitelistRead = [
    "Special:UserLogin",
    "MediaWiki:Common.css",
    "MediaWiki:Common.js"
];
```

3. Namespace Lockdown Logic

While `$wgGroupPermissions` locks the door, Extension:Lockdown manages the internal rooms.

  • ICT: Namespace: Restricted to the `sysop` group.
  • Research/Dashboard Namespaces: Access granted to `user` (fellows) and `sysop`.
  • Sysop Rights: As per Lockdown documentation, sysops retain visibility across all restricted namespaces unless explicitly revoked.
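
One way the namespace rules above, and the "Lockdown array" that the Successor Checklist refers to, could be written in LocalSettings.php. This is an added example, not this wiki's actual configuration: the namespace IDs (3000 and up), the treatment of Research and Dashboard as two separate namespaces, and the `$privateNamespaces` helper variable are assumptions.

```php
# Added example. Namespace IDs are assumptions; reuse the IDs this wiki
# already defines. Subject namespaces are even, their talk pages are ID + 1.
define( 'NS_ICT', 3000 );
define( 'NS_ICT_TALK', 3001 );
define( 'NS_RESEARCH', 3002 );
define( 'NS_RESEARCH_TALK', 3003 );
define( 'NS_DASHBOARD', 3004 );
define( 'NS_DASHBOARD_TALK', 3005 );

$wgExtraNamespaces[NS_ICT] = 'ICT';
$wgExtraNamespaces[NS_ICT_TALK] = 'ICT_talk';
$wgExtraNamespaces[NS_RESEARCH] = 'Research';
$wgExtraNamespaces[NS_RESEARCH_TALK] = 'Research_talk';
$wgExtraNamespaces[NS_DASHBOARD] = 'Dashboard';
$wgExtraNamespaces[NS_DASHBOARD_TALK] = 'Dashboard_talk';

wfLoadExtension( 'Lockdown' );

# Hypothetical helper: subject namespace => groups allowed to read and edit.
# A new research namespace stays private only once it has a row here.
$privateNamespaces = [
    NS_ICT       => [ 'sysop' ],
    NS_RESEARCH  => [ 'user', 'sysop' ],
    NS_DASHBOARD => [ 'user', 'sysop' ],
];

foreach ( $privateNamespaces as $subjectNs => $groups ) {
    # Apply the same rule to the subject namespace and its talk namespace.
    foreach ( [ $subjectNs, $subjectNs + 1 ] as $ns ) {
        $wgNamespacePermissionLockdown[$ns]['read'] = $groups;
        $wgNamespacePermissionLockdown[$ns]['edit'] = $groups;
        # Core setting: stops pages in this namespace from being
        # transcluded into a page that a wider group can read.
        $wgNonincludableNamespaces[] = $ns;
    }
}
```

After changing the array, check the result by viewing a page in each namespace while logged in as an ordinary `user` account rather than as a sysop.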

4. Successor Checklist

  1. Emergency Access: If locked out, set `$wgGroupPermissions['*']['read'] = true;` temporarily in LocalSettings.php.
  2. New Namespaces: Any new namespace created for research must be added to the Lockdown array to remain private.
  3. Auditing: Use Special:ListUsers monthly to ensure no "shadow" human accounts have been created.