ICT:Account protection

From Costa Sano MediaWiki
Revision as of 18:30, 9 February 2026 by Mngr (talk | contribs)

Philosophy

This wiki is a Private Research Platform. To simplify management, we avoid "blacklisting" individual default namespaces. Instead, we use a "White-room" approach: everything is forbidden by default, and access is granted only to the specific functional layers required for research.

1. Global Restrictions

Applied in `LocalSettings.php` to ensure the wiki is invisible to the public and restricted for standard users.

<syntaxhighlight lang="php">
# Full Privacy: Revoke read from all by default
$wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['user']['read'] = false;

# Sysop Override: Ensure admins maintain full visibility
$wgGroupPermissions['sysop']['read'] = true;

# Essential Whitelist: Required for login and site rendering
$wgWhitelistRead = [
    "Special:UserLogin",
    "MediaWiki:Common.css",
    "MediaWiki:Common.js"
];
</syntaxhighlight>

2. Research Environment Exceptions

Using Extension:Lockdown, we grant the `user` group access to the specific namespaces required for the Dashboard, Cargo queries, and Page Forms.

<syntaxhighlight lang="php">
# NS_RESEARCH, NS_DASHBOARD and NS_FORM must already be defined earlier in
# LocalSettings.php (Page Forms' own constant for its Form namespace is PF_NS_FORM).

# Research Namespaces
$wgNamespacePermissionLockdown[NS_RESEARCH]['read'] = ['user', 'sysop'];
$wgNamespacePermissionLockdown[NS_DASHBOARD]['read'] = ['user', 'sysop'];

# Supporting Infrastructure (Required for Dashboard rendering)
# Researchers need 'read' access to these so templates and forms function.
$wgNamespacePermissionLockdown[NS_TEMPLATE]['read'] = ['user', 'sysop'];
$wgNamespacePermissionLockdown[NS_FORM]['read'] = ['user', 'sysop'];
</syntaxhighlight>

3. Page Forms & Cargo Interaction

The Dashboard utilizes `Template:EntityRow` for layout and queries the Cargo database.

  • Note: If researchers can see the Dashboard but not the data results, ensure the Cargo-specific namespaces are also allowed.
  • Editing: The `edit` permission is granted globally to the `user` group, but restricted by namespace via Lockdown.

4. Default System Accounts

  • MediaWiki default: Internal system user. No password; no login allowed. Safe.
  • Admin/Sysop: Full credentials required.

Successor Notes

  • Adding Entities: When creating a new Research Entity, ensure the associated Template and Form are placed in the permitted namespaces.
  • Testing Access: Always test new Dashboard sections with a non-admin "Fellow" account to ensure no "Permission Denied" errors occur during template transclusion.
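
Added example, not part of this wiki's own configuration: a simplified Python model of the read decision for the settings in sections 1 and 2, giving the expected-results table for the non-admin "Fellow" test described above. It assumes core MediaWiki's additive group rights and Lockdown's restrict-only behaviour; the account names, page titles, plain-string namespace names and the second ("variant") configuration are constructed for illustration.

```python
# Added example: simplified model of MediaWiki's read decision.
# Assumptions: rights are the union over a user's groups, $wgWhitelistRead
# stands in for a missing 'read' right, and Lockdown only restricts, never grants.
# Namespace names are plain strings standing in for the NS_* constants.
WHITELIST = {"Special:UserLogin", "MediaWiki:Common.css", "MediaWiki:Common.js"}
RESEARCH_NS = ("Research", "Dashboard", "Template", "Form")

# Configuration as written in sections 1 and 2 of this page.
PAGE_RIGHTS = {"*": False, "user": False, "sysop": True}
PAGE_LOCKDOWN = {ns: {"user", "sysop"} for ns in RESEARCH_NS}

# Constructed variant: 'user' holds 'read'; Lockdown closes the main namespace.
ALT_RIGHTS = {"*": False, "user": True, "sysop": True}
ALT_LOCKDOWN = {**PAGE_LOCKDOWN, "Main": {"sysop"}}

def effective_groups(explicit):
    """None = anonymous; any logged-in account is implicitly in 'user'."""
    groups = {"*"}
    if explicit is not None:
        groups |= {"user", *explicit}
    return groups

def can_read(title, explicit, rights, lockdown):
    groups = effective_groups(explicit)
    ns = title.split(":", 1)[0] if ":" in title else "Main"
    # Core check: the right is held if any of the user's groups grants it;
    # a whitelisted title passes this step without the right.
    if not (any(rights.get(g, False) for g in groups) or title in WHITELIST):
        return False
    # Lockdown check: a listed namespace is closed to unlisted groups.
    allowed = lockdown.get(ns)
    return allowed is None or bool(groups & allowed)

ACCOUNTS = {"anonymous": None, "Fellow": [], "Admin": ["sysop"]}  # constructed
TITLES = ["Special:UserLogin", "Dashboard:Home", "Template:EntityRow",
          "Main Page"]                                            # constructed

def access_matrix(rights, lockdown):
    return {(who, t): can_read(t, grp, rights, lockdown)
            for who, grp in ACCOUNTS.items() for t in TITLES}

if __name__ == "__main__":
    for label, cfg in (("page", (PAGE_RIGHTS, PAGE_LOCKDOWN)),
                       ("variant", (ALT_RIGHTS, ALT_LOCKDOWN))):
        for (who, title), ok in access_matrix(*cfg).items():
            print(f"{label:8}{who:10}{title:20}{'read' if ok else 'DENIED'}")
```

Under these assumptions the model reports the Fellow account as denied on Dashboard and Template pages with the settings exactly as written, because no group the account belongs to holds `read`; compare its output with a real login before relying on either configuration.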