Help:Preventing access
For help customizing user rights, see Manual:User rights. This page contains examples useful for restricting access.
Most of the examples need changes to LocalSettings.php. Any snippets of code with no accompanying instructions must be added to that file to take effect. To add one or more lines to the file, follow these steps:
- If there is a
?>
at the end of the file, remove it. It's not necessary and just gets in the way. - Add the line to the bottom of a file, using a text editor. It doesn't matter if there are some blank lines around it. Do not use Windows Notepad, which may add a "Byte Order Mark" (BOM) and muck up the file. Typical symptoms of BOMs include white pages and errors about headers already being sent. To remove a BOM, you'll have to edit the file in a hex editor. Windows WordPad seems to work fine.
Contents
- 1 Simple private wiki
- 2 Restrict account creation
- 3 Restrict editing of all pages
- 4 Restrict editing of an entire namespace
- 5 Restrict editing of certain specific pages
- 6 Restrict editing of all but a few pages
- 7 Restrict editing for certain IP ranges
- 8 Restrict editing by a particular user
- 9 Restrict page creation
- 10 Restrict viewing of all pages
- 11 Restrict viewing of certain specific pages
- 12 Restricting viewing of pages to approved content
- 13 Restricting exporting
- 14 Other restrictions
- 15 See also
Simple private wiki
For the common use case of "a private wiki, for oneself and approved others", you need to:
- Consider whether MediaWiki is right for you. MediaWiki was not originally designed for private wikis, so other software may be more suitable. See Comparison of wiki software, List of content management systems, and opensourcecms.com for an overview.
- Restrict viewing
- Restrict editing
- Restrict account creation
Template:Warning See the warnings in the sections below; this is simple "general use" code, and may or may not match your requirements.
Pre-1.5
Template:MW 1.4 <source lang="php">
- Pages anonymous (not-logged-in) users may see
$wgWhitelistRead = array( "Special:Userlogin" );
- Disable anonymous editing
$wgWhitelistEdit = true;
- Prevent new user registrations except by sysops
$wgWhitelistAccount = array ( "user" => 0, "sysop" => 1, "developer" => 1 ); </source>
1.5 upwards
Template:MW 1.5 <source lang="php">
- Disable reading by anonymous users
$wgGroupPermissions['*']['read'] = false;
- But allow them to access the login page or else there will be no way to log in!
- NOTE: You also need to provide access here to the .css and .js files that the
- allowed pages attempt to load; otherwise, users will get errors on the page
- when they attempt to load it (IE will complain about the errors;
- FF will show them in its error console)
- [You also might want to add access to "Main Page", "Wikipedia:Help", etc.)
$wgWhitelistRead = array ("Special:Userlogin", "MediaWiki:Common.css", "MediaWiki:Common.js", "MediaWiki:Monobook.css", "MediaWiki:Monobook.js", "-");
- Disable anonymous editing
$wgGroupPermissions['*']['edit'] = false;
- Prevent new user registrations except by sysops
$wgGroupPermissions['*']['createaccount'] = false; </source>
Restrict account creation
Pre-1.5
Template:MW 1.4 <source lang="php">
- Prevent new user registrations except by sysops
$wgWhitelistAccount = array ( "user" => 0, "sysop" => 1, "developer" => 1 ); </source> or <source lang="php">
- Prevent new user registrations by anyone
$wgWhitelistAccount = array ( "user" => 0, "sysop" => 0, "developer" => 0 ); </source>
1.5 upwards
Template:MW 1.5 <source lang="php">
- Prevent new user registrations except by sysops
$wgGroupPermissions['*']['createaccount'] = false; </source> Template:Note You can use the ConfirmAccount extension if you want to set up an account confirmation queue. (If not you may still proceed as follows.)
Template:Note New users will still be able to be created by sysops, in the following manner:
- Go to [[Special:Userlogin]], when logged in as a sysop.
- Click on "Create an account" to get to the account creation form.
- Enter a username and an email address, and click the "by email" button. Note need $wgEnableEmail=true or else the sysop must pick a password and send it to the user.
- The account will be created with a random password which is then emailed to the given address.
It may be appropriate to edit the text displayed when a non-user attempts to log in. This can be done at [[MediaWiki:Nosuchuser]], when logged in as a sysop. Use plain text without any special formatting, as the formatting is ignored and the text is literally rendered.
To prevent even sysops from creating accounts: <source lang="php">
- Prevent new user registrations by anyone
$wgGroupPermissions['*']['createaccount'] = false; $wgGroupPermissions['sysop']['createaccount'] = false; </source>
Restrict editing of all pages
Users will still be able to read pages with these modifications, and they can view the source by using Special:Export/Article name or other methods (see also bug 1859).
Pre-1.5
Template:MW 1.4 <source lang="php">
- Disable anonymous editing
$wgWhitelistEdit = true; </source>
1.5 upwards
See Help:User rights and Manual:$wgGroupPermissions. Some examples:
Restrict anonymous editing
<source lang="php"> $wgGroupPermissions['*']['edit'] = false; </source>
Restrict editing by all non-sysop users
<source lang="php"> $wgGroupPermissions['*']['edit'] = false; $wgGroupPermissions['user']['edit'] = false; $wgGroupPermissions['sysop']['edit'] = true; </source>
Restrict editing by absolutely everyone
<source lang="php"> $wgGroupPermissions['*']['edit'] = false; $wgGroupPermissions['user']['edit'] = false; $wgGroupPermissions['sysop']['edit'] = false; </source>
Restrict editing of an entire namespace
Pre-1.10
Template:MW 1.9 This functionality is not available before 1.10 in the core software. You will have to use a hack, such as meta:User:PyneJ/Hacks/PageWhiteList.
1.10 upwards
Template:MW 1.10 In MediaWiki 1.10, it is possible to protect entire namespaces using the $wgNamespaceProtection variable. Examples: <source lang="php">
- Only allow autoconfirmed users to edit Project namespace
$wgNamespaceProtection[NS_PROJECT] = array( 'autoconfirmed' );
- Don't allow anyone to edit non-talk pages until they've confirmed their
- e-mail address (assuming we have no custom namespaces and allow edits
- from non-emailconfirmed users to start with)
- Note for 1.13: emailconfirmed group and right were removed from default
- setup, if you want to use it, you'll have to re-enable it manually
$wgNamespaceProtection[NS_MAIN] = $wgNamespaceProtection[NS_USER] = $wgNamespaceProtection[NS_PROJECT] = $wgNamespaceProtection[NS_IMAGE] = $wgNamespaceProtection[NS_TEMPLATE] = $wgNamespaceProtection[NS_HELP] = $wgNamespaceProtection[NS_CATEGORY] = array( 'emailconfirmed' );
- Only allow sysops to edit "Policy" namespace
$wgGroupPermissions['sysop']['editpolicy'] = true;
$wgNamespaceProtection[NS_POLICY] = array( 'editpolicy' );
</source>
Note that in the last case it's assumed that a custom namespace exists and that NS_POLICY
is a defined constant equal to the namespace number. See Manual:Using custom namespaces.
Restrict editing of certain specific pages
Use the Protect feature. By default, any sysop can protect pages so only other sysops can edit them. In 1.9 and higher, by default they can also protect pages so only "autoconfirmed" users (with accounts older than a configured period) can edit them.
This does not require editing configuration files.
Restrict editing of all but a few pages
To impose a blanket restriction on editing for all pages, but allow a few (such as sandboxes, join request pages, etc.) to be more generously editable, you can use the EditSubpages extension. This may not fit too often, but you could also use the Restrict editing of parts of certain specific pages method mentioned above, with all name spaces protected, and only a special one editable by everyone which has all the pages you want editable.
Restrict editing for certain IP ranges
Schools and other institutions may want to block all edits not from a few specified IP address ranges. To do so, all other ranges must be blocked. The only way to do this at present without modifying the code is to go to Special:Blockip and systematically block every one of the 65,536 CIDR Class B ranges that you don't want to be able to edit. This will work for all future versions of MediaWiki. It will not work on a per-namespace basis.
Alternatively, it would be possible to hack the code to get it to do this more seamlessly, but that may or may not work indefinitely.
Restrict editing by a particular user
Use the user blocking functionality to deprive a user of all edit access. There is no way in the core software to restrict or allow particular users to edit particular pages, except by changing their usergroup.
Restrict page creation
Template:MW 1.5 <source lang="php">
- Anonymous users can't create pages
$wgGroupPermissions['*']['createpage'] = false;
- Only users with accounts four days old or older can create pages
- (like Wikipedia!). Requires MW 1.6 or higher.
$wgGroupPermissions['*' ]['createpage'] = false; $wgGroupPermissions['user' ]['createpage'] = false; $wgGroupPermissions['autoconfirmed']['createpage'] = true; $wgAutoConfirmAge = 86400 * 4; # Four days times 86400 seconds/day </source>
Restrict viewing of all pages
Template:Warning if you want anonymous users to be unable to view the wiki markup/code, you should not allow them to edit any page (see #Restrict editing of all pages above). If they can edit any page, they can use template inclusion to view even pages they can't edit. This may be possible to avoid in 1.10 by using $wgNonincludableNamespaces (or in earlier versions using the NonincludableNamespaces extension), but that may not have been extensively tested.
Template:Warning This method is probably best combined with #Restrict account creation above, unless you want any visitor to be able to view the wiki after creating an account.
Template:Warning Uploaded images will still be viewable to anyone who knows the image directory's name. Either point $wgUploadPath to the img_auth.php script and follow the instructions in Manual:Image Authorization, or use some external method to protect images, like .htaccess.
Template:Note If anonymous users can't view your page, neither can search engines. Your site will not be indexed on Google.
Pre-1.5
Template:MW 1.4 If you want anonymous users not to be able to read or edit your MediaWiki, add this line to your LocalSettings.php: <source lang="php">
- Pages anonymous (not-logged-in) users may see
$wgWhitelistRead = array( ":Main Page", "Special:Userlogin", "Wikipedia:Help" ); </source> This way anonymous users can only see the Main Page, the user login page and the help page. Caution: if your MediaWiki is in a language different than English, you need to translate the titles in the array. For instance, in Spanish the line will look like this one: <source lang="php"> $wgWhitelistRead = array (":Portada", "Especial:Userlogin", "MiWiki:Ayuda"); </source> For more esoteric languages, for which your editor and PHP parser might be in disagreement over file encoding, you could use the PHP urldecode() to input the page names. For example in Hebrew you could use: <source lang="php"> $wgWhitelistRead = array(
# "Special":Userlogin (in Hebrew) urldecode("%D7%9E%D7%99%D7%95%D7%97%D7%93:Userlogin"), # "MainPage" in Hebrew urldecode("%D7%A2%D7%9E%D7%95%D7%93_%D7%A8%D7%90%D7%A9%D7%99")
) ; </source> Also in some non-esoteric languages you might need to encode the special characters, like ő.
1.5 upwards
Edit this line to your LocalSettings.php file: Template:MW 1.5
<source lang="php">
- Disable reading by anonymous users
$wgGroupPermissions['*']['read'] = false;
- But allow them to read e.g., these pages:
$wgWhitelistRead = array ( "Main Page", "Special:Userlogin", "Help:Contents");
- Like previous, but for French (be careful of encoding! save file as UTF-8!)
- $wgWhitelistRead = array( ":Page Principale", "Special:Userlogin", "Aide en français");
</source>
The $wgWhitelistRead
setting allows users to view the main page and log in. Without this line, no one can log in. If page names have more than one word, use a space " " between them, not an underscore "_".
In addition to the main page of such a private site, you could give access to the Recentchanges page (if you think that its content isn't private) for feed readers by adding "Special:Recentchanges" to $wgWhitelistRead.
If you need to protect even the sidebar, main page, or login screen for any reason, it's recommended that you use higher-level authentication such as .htpasswd or equivalent.
Restrict viewing of certain specific pages
Template:Page security extension disclaimer
To prevent anyone but sysops from viewing a page, it can simply be deleted. To prevent even sysops from viewing it, it can be removed more permanently with the Oversight extension. To completely destroy the text of the page, it can be manually removed from the database. In any case, the page cannot be edited while in this state, and for most purposes no longer exists.
To have a page act normally for some users but be invisible to others, as is possible for instance in most forum software, is a very different matter. MediaWiki is designed for two basic access modes:
- Everyone can view every single page on the wiki (with the possible exception of a few special pages). This is the mode used by Wikipedia and its sister projects.
- Anonymous users can only view the Main Page and login page, and cannot edit any page. This is basically the same as the above, in terms of technical implementation (just an extra check for every page view), which is why it exists. This is the mode of operation used by certain private wikis such as those used by various Wikimedia committees.
If you intend to have different view permissions than that, MediaWiki is not designed for your usage. (See bug 1924.) Data is not necessarily clearly delineated by namespace, page name, or other criteria, and there are a lot of leaks you'll have to plug if you want to make it so (see security issues with authorization extensions for a sample). Other wiki software may be more suitable for your purpose. You have been warned. If you must use MediaWiki, there are two basic possibilities:
- Set up separate wikis with a shared user database, configure one as viewable and one as unviewable (see above), and make interwiki links between them.
- Install a third-party hack or extension. You will have to reapply it every time you upgrade the software, and it may not be updated immediately when new security fixes or upgrades of MediaWiki are released. Third-party hacks are, of course, not supported by MediaWiki developers, and if you're having problems you shouldn't ask on MediaWiki-l, #mediawiki, or other official support channels. One hack for this is the hidden namespaces patch; a number of others are listed in Category:Page specific user rights extensions. Read about security issues with authorization extensions if you plan to use one of those.
Restricting viewing of pages to approved content
Normally, every time someone edits a page, the text of that revision is added to the database, and the page uses that as its source text. This means that any user can change the page at any time. All of the versions of the page are visible in the "page history".
To show certain "approved" revisions instead of the current revision, you will need the FlaggedRevs extension. Trusted users can review revisions of pages, and the text, templates, and images of the page revision shown at that time is recorded in the database. Recent changes can be patrolled in this fashion, and the approved versions are marked in the page histories.
Showing approved versions by default
With this extension, for non-users, unless the current or an old version was specifically requested, the newest approved version (called the "stable version") is selected and displayed. However, if there isn't one, then the current version is displayed with a disclaimer. This can be configured in a variety of ways to tailor to the needs of specific sites. See the extension documentation page for details.
Showing only approved versions
Template:Page security extension disclaimer
Once you have restricted viewing of all pages on your wiki (as described above), you can add an exception to allow readers to see the stable version of each page. Pages with no stable version cannot be viewed. As with any selected read restrictions, this is not recommended. Also, note that this will not work well if image authorization is enabled (readers may not see the images).
Template:Note Pages which are approved and use templates or images which are not approved will still show those templates and images.
Restricting exporting
- Chack also : Manual:Parameters_to_Special:Export
- by protecting pages
It is not possible to export the contents of a protected page since rev:19935.
- by modifying SpecialPage.php
Other restrictions
You may want to have pages editable only by their creator, or ban viewing of history, or any of a number of other things. None of these features are available in an unhacked version of MediaWiki. If you need more fine-grained permissions, see the #See also section for links to other wiki packages that are designed for this, as well as hacks that attempt to contort MediaWiki into something it's not designed to be but may work anyway.
See also
There are some related manual/help pages that may be of interest:
- Manual:LocalSettings.php
- Manual:$wgGroupPermissions
- Manual:$wgRestrictionTypes
- Manual:$wgRestrictionLevels
- Manual:$wgNamespaceProtection
- Manual:$wgEmailConfirmToEdit
- Manual:$wgNonincludableNamespaces
- Manual:User rights
- Manual:User rights management
- Help:Assigning permissions
other wiki software may have better support for fine-grained access control than MediaWiki:
- MoinMoin
- GroupWikiBase based on MediaWiki (limited documentation, small project)
- TWiki
- TikiWiki has fully configuable access control to features and permission levels.
If you want better access control but want to use MediaWiki, this is a list of extensions and hacks to allow restrictions not possible in the software proper. These hacks may be out-of-date (check the version they're for). Please don't ask in official MediaWiki support channels if something goes wrong with a third-party hack.
- Extension:NamespacePermissions
- Extension:NamespaceProtection
- Extension:Lockdown
- Extension:EditOwn
- Extension:PageSecurity
- Extension:Hierarchical Namespace Permissions
- Extension:BizzWiki
- Extension:GroupPermissionsManager
- Extension:AuthorProtect
- Extension:EditSubpages