Difference between revisions of "IntraACL"
Line 11: | Line 11: | ||
|authors=Vitaliy Filippov & Stas Fomin. Based on HaloACL by ontoprise GmbH, 2009. | |authors=Vitaliy Filippov & Stas Fomin. Based on HaloACL by ontoprise GmbH, 2009. | ||
}} | }} | ||
− | {{ | + | {{ExtensionFromInfo|lang=en|name=IntraACL}} |
+ | == Introduction == | ||
+ | |||
+ | === Overview of rights in MediaWiki === | ||
+ | |||
+ | <blockquote> | ||
+ | MediaWiki is not designed to be a CMS, or to protect sensitive data. To the contrary, it was designed to be as open as possible. Thus it does not inherently support full featured, air-tight protection of private content. But with the massive increase of MediaWiki use in corporate intranets and the many CMS-like features emerging, demand for tighter security is emerging. | ||
+ | </blockquote> | ||
+ | |||
+ | As you know, MediaWiki was designed as Wikipedia engine. Wikipedia is open and doesn't need access rights. Moreover, one of [[enpedia:Wiki|WikiWiki]] principles is to allow easy and fast editing for anyone, and of course, access must also be open. | ||
+ | |||
+ | This is why MediaWiki is not designed to protect anything from anyone, except anonymous editing. There is plenty of ways to break the read rights (page inclusion, recent changes and etc), especially when any of 1700+ MediaWiki extensions can use direct database access (if it couldn't, MediaWiki would probably be as fast as all other "global and stable ntrprise"). | ||
+ | |||
+ | Examples of such ways are described here: [[mediawikiwiki:Security issues with authorization extensions|Security issues with authorization extensions]] and here: [[mediawikiwiki:Category:Page_specific_user_rights_extensions|page with comparison of existing access control extensions]], from which we did know about HaloACL. | ||
+ | |||
+ | Original HaloACL already solves most of these problems, but when we tried to use it, we discovered many bugs, inconveniences, and slow interfaces (thanks YAHOO UI library). So we started to improve it, and then [[wikipedia:Fork_(software_development)|forked]] it and called IntraACL. | ||
+ | |||
+ | === IntraACL features === | ||
+ | |||
+ | * Interactive right editor (special page). | ||
+ | * Ability to create pages protected from beginning. | ||
+ | * Page protection. | ||
+ | * Category protection. | ||
+ | * Namespace protection. | ||
+ | * Right inclusions. | ||
+ | * Right definition using Wiki pages inside a special namespace. | ||
+ | * User groups, group-into-group inclusions - orthogonal to MediaWiki groups, also stored on wiki pages. | ||
+ | * Easy protection of content used on a page. | ||
+ | |||
+ | == Requirements == | ||
+ | |||
+ | The only requirement is MediaWiki of at least version 1.13.2. | ||
+ | If you want to use Semantic MediaWiki, its version must be at least 1.4.2. | ||
+ | |||
+ | == Installation == | ||
+ | |||
+ | <ul> | ||
+ | <li>Add the following lines into your LocalSettings.php: | ||
+ | <code-php> | ||
+ | require_once('extensions/IntraACL/includes/HACL_Initialize.php'); | ||
+ | enableIntraACL(); | ||
+ | </code-php></li> | ||
+ | <li>You can also add custom configuration options before enableIntraACL() call. For the option list, see extensions/IntraACL/includes/HACL_Initialize.php or this page.</li> | ||
+ | <li>Apply patches for appropriate version of MediaWiki: | ||
+ | <code-bash> | ||
+ | cd YOUR_WIKI_INSTALLATION_DIR | ||
+ | patch -p0 < patches/intraacl_mw_<YOUR_VERSION>.diff | ||
+ | </code-bash></li> | ||
+ | <li>Run MediaWiki database update tool: | ||
+ | <code-bash> | ||
+ | php maintenance/update.php | ||
+ | </code-bash></li> | ||
+ | <li>You should check all your extensions for compatibility with IntraACL because of possible security breaches.</li> | ||
+ | </ul> | ||
+ | |||
+ | The method of IntraACL installation via the super-duper-installer of Halo MediaWiki bundle is now removed as very non-standard. | ||
+ | |||
+ | == MediaWiki 4 Intranet == | ||
+ | |||
+ | You can also use Mediawiki4Intranet bundle. It already includes IntraACL and many other useful extensions which are made compatible with it. | ||
+ | |||
+ | See [[Mediawiki4Intranet]]. | ||
+ | |||
+ | == Patches == | ||
+ | |||
+ | Patches are in the repository under /patches. The latest supported MediaWiki is now 1.18.6. It’s not too complicated to make later versions also compatible, but it’s not done yet. |
Revision as of 15:35, 12 February 2013
IntraACL is a MediaWiki extension.
- Main purpose: Best page-specific rights extension for MediaWiki. It is based on HaloACL, correcting its endless bugs and inconveniences.
- Repository: https://github.com/mediawiki4intranet/IntraACL
- Homepage: http://wiki.4intra.net/IntraACL
- Compatible MediaWiki versions: guaranteed 1.19-1.25, maybe others
- Authors: Vitaliy Filippov & Stas Fomin. Based on HaloACL by ontoprise GmbH, 2009.
- License: GPLv3.0+
- Created: 2010-09-03
- Last version: 2.1.8
- Our rating: Definitely useful (5)
Status for Mediawiki4Intranet distribution:
- Inclusion date: 2010-09-03
- Included version: newest available
- Improvement status: Created by MediaWiki4Intranet project
Contents
Introduction
Overview of rights in MediaWiki
MediaWiki is not designed to be a CMS, or to protect sensitive data. To the contrary, it was designed to be as open as possible. Thus it does not inherently support full featured, air-tight protection of private content. But with the massive increase of MediaWiki use in corporate intranets and the many CMS-like features emerging, demand for tighter security is emerging.
As you know, MediaWiki was designed as Wikipedia engine. Wikipedia is open and doesn't need access rights. Moreover, one of WikiWiki principles is to allow easy and fast editing for anyone, and of course, access must also be open.
This is why MediaWiki is not designed to protect anything from anyone, except anonymous editing. There is plenty of ways to break the read rights (page inclusion, recent changes and etc), especially when any of 1700+ MediaWiki extensions can use direct database access (if it couldn't, MediaWiki would probably be as fast as all other "global and stable ntrprise").
Examples of such ways are described here: Security issues with authorization extensions and here: page with comparison of existing access control extensions, from which we did know about HaloACL.
Original HaloACL already solves most of these problems, but when we tried to use it, we discovered many bugs, inconveniences, and slow interfaces (thanks YAHOO UI library). So we started to improve it, and then forked it and called IntraACL.
IntraACL features
- Interactive right editor (special page).
- Ability to create pages protected from beginning.
- Page protection.
- Category protection.
- Namespace protection.
- Right inclusions.
- Right definition using Wiki pages inside a special namespace.
- User groups, group-into-group inclusions - orthogonal to MediaWiki groups, also stored on wiki pages.
- Easy protection of content used on a page.
Requirements
The only requirement is MediaWiki of at least version 1.13.2. If you want to use Semantic MediaWiki, its version must be at least 1.4.2.
Installation
- Add the following lines into your LocalSettings.php:
require_once('extensions/IntraACL/includes/HACL_Initialize.php'); enableIntraACL();
- You can also add custom configuration options before enableIntraACL() call. For the option list, see extensions/IntraACL/includes/HACL_Initialize.php or this page.
- Apply patches for appropriate version of MediaWiki:
cd YOUR_WIKI_INSTALLATION_DIR patch -p0 < patches/intraacl_mw_<YOUR_VERSION>.diff
- Run MediaWiki database update tool:
php maintenance/update.php
- You should check all your extensions for compatibility with IntraACL because of possible security breaches.
The method of IntraACL installation via the super-duper-installer of Halo MediaWiki bundle is now removed as very non-standard.
MediaWiki 4 Intranet
You can also use Mediawiki4Intranet bundle. It already includes IntraACL and many other useful extensions which are made compatible with it.
See Mediawiki4Intranet.
Patches
Patches are in the repository under /patches. The latest supported MediaWiki is now 1.18.6. It’s not too complicated to make later versions also compatible, but it’s not done yet.