For help customizing user rights, see Manual:User rights . This page contains examples useful for restricting access.
For information on how to edit LocalSettings.php, check Manual:LocalSettings.php .
For the common use case of "a private wiki, for oneself and approved others", you need to:
Warning: See the warnings in the sections below; this is simple "general use" code, and may or may not match your requirements.# Disable reading by anonymous users $wgGroupPermissions['*']['read'] = false; # Disable anonymous editing $wgGroupPermissions['*']['edit'] = false; # Prevent new user registrations except by sysops $wgGroupPermissions['*']['createaccount'] = false;
Depending on what extensions you have installed, you may want to whitelist more pages. For example if you are using the Extension:ConfirmAccount extension, you probably want Special:RequestAccount whitelisted. If the content language of your wiki is not English, you may have to use the translated name of the special pages in question.
Restrict account creationTo restrict account creation, you need to edit LocalSettings.php in the root path of your MediaWiki installation.
# Prevent new user registrations except by sysops $wgGroupPermissions['*']['createaccount'] = false;
You can use the
ConfirmAccountextension if you want to set up an account confirmation queue. (If not you may still proceed as follows.)
New users will still be able to be created by sysops, in the following manner:
You may also modify the contents of the email sent to new users by editing the page MediaWiki:Createaccount-text.
To prevent even sysops from creating accounts:
# Prevent new user registrations by anyone $wgGroupPermissions['*']['createaccount'] = false; $wgGroupPermissions['sysop']['createaccount'] = false;
To add a message on top of the login form, modify MediaWiki:Loginprompt.
Restrict editing Restrict editing of all pagesUsers will still be able to read pages with these modifications, and they can view the source by using Special:Export/Article name or other methods. See also bug 1859.
See Help:User rights and Manual:$wgGroupPermissions . If you use Extension:AbuseFilter , any wiki admin can also put various restrictions in place.
Some examples of how to protect all pages from editing (not reading) by certain classes of users:
Restrict anonymous editingRequires that a user be registered before they can edit.
$wgGroupPermissions['*']['edit'] = false;Restrict editing by all non-sysop users
Requires that a user be a member of the administrators (sysop) usergroup.
$wgGroupPermissions['*']['edit'] = false; $wgGroupPermissions['user']['edit'] = false; $wgGroupPermissions['sysop']['edit'] = true;Restrict editing by absolutely everyone
$wgGroupPermissions['*']['edit'] = false; $wgGroupPermissions['user']['edit'] = false; $wgGroupPermissions['sysop']['edit'] = false;Restrict editing of an entire namespace MediaWiki version:
≥ 1.10
Starting from MediaWiki version 1.10, it is possible to protect entire namespaces using the $wgNamespaceProtection variable. Examples:
# Only allow autoconfirmed users to edit Project namespace $wgNamespaceProtection[NS_PROJECT] = array( 'autoconfirmed' ); # Don't allow anyone to edit non-talk pages until they've confirmed their email address (assuming we have no custom namespaces and allow edits from non-emailconfirmed users to start with) # Note for 1.13: emailconfirmed group and right were removed from default setup, if you want to use it, you'll have to re-enable it manually $wgNamespaceProtection[NS_MAIN] = $wgNamespaceProtection[NS_USER] = $wgNamespaceProtection[NS_PROJECT] = $wgNamespaceProtection[NS_IMAGE] = $wgNamespaceProtection[NS_TEMPLATE] = $wgNamespaceProtection[NS_HELP] = $wgNamespaceProtection[NS_CATEGORY] = array( 'emailconfirmed' ); # Only allow sysops to edit "Policy" namespace $wgGroupPermissions['sysop']['editpolicy'] = true; $wgNamespaceProtection[NS_POLICY] = array( 'editpolicy' );
Note that in the last case it's assumed that a custom namespace exists and that NS_POLICY is a defined constant equal to the namespace number. See Manual:Using custom namespaces and Manual:Namespace constants for a list of MediaWiki's core namespaces.
Use the Protect feature. By default, any sysop can protect pages so only other sysops can edit them. In 1.9 and higher, by default they can also protect pages so only "autoconfirmed" users (with accounts older than a configured period) can edit them. This does not require editing configuration files.
If you want to restrict editing to groups with specific permissions, edit $wgRestrictionLevels . To prevent actions other than edit and move, use $wgRestrictionTypes .
Restrict editing of all but a few pagesTo impose a blanket restriction on editing for all pages, but allow a few (such as sandboxes, join request pages, etc.) to be more generously editable, you can use the EditSubpages extension. This may not fit too often, but you could also use the Restrict editing of certain specific pages method mentioned above, with all name spaces protected, and only a special one editable by everyone which has all the pages you want editable.
Restrict editing for certain IP address rangesSchools and other institutions may want to block all edits not from a few specified IP address ranges. To do so, see Manual:Block and unblock . The only way to do this at present without modifying the code is to go to Special:Blockip and systematically rangeblock every one of the address ranges that you don't want to be able to edit. This will work for all future versions of MediaWiki. It will not work on a per-namespace basis.
Restrict editing by a particular userUse the user blocking functionality to deprive a user of all edit access. MediaWiki does not include a possibility to give rights to separate users directly; instead rights are always given to a user group. There is no way in the core software to change permissions of particular users in order to restrict or allow editing particular pages, except by changing their usergroup.
Restrict creating of all pagesRevoking the edit right already prevents affected users from creating new pages and talk pages.
# Anonymous users can't create pages $wgGroupPermissions['*']['createpage'] = false; # Only users with accounts four days old or older can create pages # Requires MW 1.6 or higher. $wgGroupPermissions['*' ]['createpage'] = false; $wgGroupPermissions['user' ]['createpage'] = false; $wgGroupPermissions['autoconfirmed']['createpage'] = true;Restrict creating pages in certain namespaces
There are separate rights for creating talk pages (createtalk) and creating non-talk pages (createpage). If you need per-namespace control finer than that, it is not possible in core MediaWiki, and requires an extension such as Extension:Lockdown .
Restrict access to uploaded filesIf you have enabled the ability to upload files, these will be served directly by the underlying web server. As a result, account-based access to the file is unrestricted by default.
Warning: Setting the user rightread (allow viewing pages) to false will only protect wiki (article, talk, ...) pages, but uploaded files (images, files, docs... in the $wgUploadPath subdirectories) will always remain readable via direct access by default.
If sensitive files are uploaded to an internet-accessible wiki, you may wish to add restrictions on where these can be accessed from. On Apache, if your local network were 10.1.2.*, you could restrict serving files to local addresses with:
<Location /mediawiki/images>
Order deny,allow
Allow from 10.1.2.3
Deny from all
</Location>
Restrict viewing
Restrict viewing of all pages
Warning: This method allows any visitor to view the wiki after creating an account. You may wish to combine it with #Restrict account creation above. Warning: Uploaded images will still be viewable to anyone who knows the image directory's name. Either point $wgUploadPath to the img_auth.php script and follow the instructions in Manual:Image authorization , or use some external method to protect images, like .htaccess. Warning: Wiki pages like MediaWiki:Common.css and MediaWiki:Gadget-foo.css may be part of a public ResourceLoader module, and thus can have their source code exposed through load.php. Turn off $wgUseSiteJs and $wgUseSiteCss to disable this functionality.
If anonymous users can't view your page, neither can search engines. Your site will not be indexed on Google.
Add this line to your LocalSettings.php file:
# Disable reading by anonymous users $wgGroupPermissions['*']['read'] = false; # But allow them to read e.g., these pages: $wgWhitelistRead = [ "Main Page", "Help:Contents" ];
The $wgWhitelistRead setting allows users to view the main page. If page names have more than one word, use a space " " between them, not an underscore "_".
In addition to the main page of such a private site, you could give access to the Recentchanges page (if you think that its content isn't private) for feed readers by adding Special:Recentchanges to $wgWhitelistRead .
If you need to protect even the sidebar, main page, or login screen for any reason, it's recommended that you use higher-level authentication such as .htpasswd or equivalent.
Warning: MediaWiki versions 1.32 through 1.35.4, 1.36.2, and 1.37.0 contain a security issue that allow unprivileged editing of arbitrary pages and arbitrary JavaScript execution. If you are using one of these versions and can not upgrade to a newer version, please see 2021-12 security release/FAQ for a workaround. Restrict viewing of certain specific pagesTo prevent anyone but sysops from viewing a page, it can simply be deleted . To prevent even sysops from viewing it, it can be removed more permanently using Manual:RevisionDelete . To completely destroy the text of the page, it can be manually removed from the database. In any case, the page cannot be edited while in this state, and for most purposes no longer exists.
To have a page act normally for some users but be invisible to others, as is possible for instance in most forum software, is a very different matter. MediaWiki is designed for two basic access modes:
If you intend to have different view permissions than that, MediaWiki is not designed for your usage. (See T3924.) Data is not necessarily clearly delineated by namespace, page name, or other criteria, and there are a lot of leaks you'll have to plug if you want to make it so (see Security issues with authorization extensions for a sample). Other wiki software may be more suitable for your purpose. You have been warned. If you must use MediaWiki, there are three basic possibilities:
$wgWhitelistRead in the LocalSetting.php file. See the section above.See also: Manual:Parameters to Special:Export
It is not possible to export the contents of a page that cannot be read since r19935.
Removing the Login link from all pagesOne can remove the login/create-account link from the upper right corner of all pages, as users can still go to "Special:SpecialPages" → "Special:UserLogin" to log in.
In LocalSettings.php use (tested with MediaWiki 1.43.0 LTS):
$wgHooks['SkinTemplateNavigation::Universal'][] = function ( $skinTemplate, &$links ) {
unset( $links['user-menu']['createaccount'] );
unset( $links['user-menu']['login'] );
unset( $links['user-menu']['login-private'] );
unset( $links['user-menu']['anoncontribs'] );
};
Removing accounts
If you want to completely remove access to a user, e.g. on a simple private wiki, it's not possible to simply delete the account (unless no edits have been made ); you can block it, but the user will still be able to read pages (unless $wgBlockDisablesLogin is set). However, using User Merge and Delete extension you can merge the account in another one and delete the former; the original account will then "disappear". If you want to preserve history readability (i.e., to have edits from the user to be still shown under their name), you can create a new account e.g. with username "OriginalUserName (deactivated)" and then merge "OriginalUserName" into the former, or even use Renameuser extension to rename "OriginalUserName" into "AnotherUserName", then create an account under "OriginalUserName" and merge "AnotherUserName" into it: in this manner, "OriginalUserName" will be completely "usurped" (if you've set a non-null password).
You may want to have pages editable only by their creator, or ban viewing of history, or any of a number of other things. None of these features are available in an unhacked version of MediaWiki. If you need more fine-grained permissions, see the #See also section for links to other wiki packages that are designed for this, as well as hacks that attempt to contort MediaWiki into something it's not designed to be but may work anyway.
See alsoThere are some related manual/help pages that may be of interest:
Other wiki software may have better support for fine-grained access control than MediaWiki:
If you want better access control but want to use MediaWiki, this is a list of extensions and hacks to allow restrictions not possible in the software proper. These hacks may be out-of-date (check the version they're for). Please don't ask in official MediaWiki support channels if something goes wrong with a third-party hack.
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4