diff --git a/orga_mediawiki/LocalSettings.php b/orga_mediawiki/LocalSettings.php
index b15a49c..e4dc7f6 100644
--- a/orga_mediawiki/LocalSettings.php
+++ b/orga_mediawiki/LocalSettings.php
@@ -160,7 +160,19 @@ wfLoadExtension( 'OpenIDConnect' );
 wfLoadExtension( 'SemanticMediaWiki' );
 enableSemantics( 'orgawiki.ctbk.de' );
-# Add more configuration options below.
+wfLoadExtension( 'Lockdown' );
+
+#### Namespace config
+define('NS_FSCK', 100);
+define('NS_FSCK_TALK', 101);
+define('NS_VEREIN', 200);
+define('NS_VEREIN_TALK', 201);
+$wgExtraNamespaces[NS_FSCK] = 'FSCK';
+$wgExtraNamespaces[NS_FSCK_TALK] = 'FSCK_Diskussion';
+$wgExtraNamespaces[NS_VEREIN] = 'Verein';
+$wgExtraNamespaces[NS_VEREIN_TALK] = 'Verein_Diskussion';
+
+#### Permissions
 # Disable account creation - we only use SSO accounts
 $wgGroupPermissions['*']['autocreateaccount'] = true;
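Review bot: Loading Lockdown directly after `enableSemantics( 'orgawiki.ctbk.de' );` does not put Semantic MediaWiki under the namespace read rules added later in this commit: SMW answers `{{#ask:}}` inline queries and Special:Ask from its own store rather than through per-page read checks, so property values annotated on FSCK or Verein pages are presumably retrievable by any account that can run a query; confirm against the installed SMW version. If that holds, record it next to the namespace definitions, e.g. `# NOTE: SMW queries are not filtered by Lockdown -- do not store sensitive values as semantic properties in NS_FSCK/NS_VEREIN`. The `define()` ids (100/101, 200/201) are in the customary range for site namespaces and the even/odd subject/talk pairing is correct.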
@@ -170,8 +182,60 @@ $wgGroupPermissions['sysop']['createaccount'] = true;
 # Also disable reading/editing by non-logged-in users, making the wiki properly private
 $wgGroupPermissions['*']['read'] = false;
 $wgGroupPermissions['*']['edit'] = false;
+$wgGroupPermissions['*']['createpage'] = false;
+$wgGroupPermissions['*']['createtalk'] = false;
+# Remove tons of permissions from standard users
+$wgGroupPermissions['user']['edit'] = false;
+$wgGroupPermissions['user']['read'] = false;
+$wgGroupPermissions['user']['createpage'] = false;
+$wgGroupPermissions['user']['createtalk'] = false;
+$wgGroupPermissions['user']['upload'] = false;
+$wgGroupPermissions['user']['reupload'] = false;
+$wgGroupPermissions['user']['reupload-shared'] = false;
+$wgGroupPermissions['user']['movefile'] = false;
+$wgGroupPermissions['user']['move-rootuserpages'] = false;
+$wgGroupPermissions['user']['move-categorypages'] = false;
+$wgGroupPermissions['user']['move-subpages'] = false;
+$wgGroupPermissions['user']['move'] = false;
+# give all the user groups basic rights -- taken away by Lockdown again mostly, but Lockdown cannot give permissions that don’t exist on the user
+$wgGroupPermissions['orga-users']['edit'] = true;
+$wgGroupPermissions['orga-users']['read'] = true;
+$wgGroupPermissions['orga-users']['createpage'] = true;
+$wgGroupPermissions['orga-fsck']['edit'] = true;
+$wgGroupPermissions['orga-fsck']['read'] = true;
+$wgGroupPermissions['orga-fsck']['createpage'] = true;
+$wgGroupPermissions['orga-verein']['edit'] = true;
+$wgGroupPermissions['orga-verein']['read'] = true;
+$wgGroupPermissions['orga-verein']['createpage'] = true;
-# SSO config
+# sysop rights
+$wgGroupPermissions['sysop']['edit'] = true;
+$wgGroupPermissions['sysop']['read'] = true;
+$wgGroupPermissions['sysop']['createpage'] = true;
+
+#### Lockdown configuration
+$wgSpecialPageLockdown['Export'] = ['user'];
+$wgSpecialPageLockdown['Recentchanges'] = ['user'];
+
+# remove most namespace permissions 
+$wgNamespacePermissionLockdown['*']['read'] = ['sysop'];
+$wgNamespacePermissionLockdown['*']['edit'] = ['sysop'];
+$wgNamespacePermissionLockdown['*']['createpage'] = ['sysop'];
+
+# limit template workaround
+$wgNonincludableNamespaces[] = [ NS_MAIN, NS_PROJECT, NS_VEREIN, NS_FSCK ];
+
+# FSCK namespace
+$wgNamespacePermissionLockdown[NS_FSCK]['read'] = [ 'orga-fsck' ];
+$wgNamespacePermissionLockdown[NS_FSCK]['edit'] = [ 'orga-fsck' ];
+$wgNamespacePermissionLockdown[NS_FSCK]['createpage'] = [ 'orga-fsck' ];
+
+# Verein namespace
+$wgNamespacePermissionLockdown[NS_VEREIN]['read'] = [ 'orga-verein' ];
+$wgNamespacePermissionLockdown[NS_VEREIN]['edit'] = [ 'orga-verein' ];
+$wgNamespacePermissionLockdown[NS_VEREIN]['createpage'] = [ 'orga-verein' ];
+
+#### SSO config
 # necessary to allow admin user(s) to login
 $wgPluggableAuth_EnableLocalLogin = true;
 $wgPluggableAuth_Config["Chaostreff Backnang IdP"] = [
@@ -179,7 +243,21 @@ $wgPluggableAuth_Config["Chaostreff Backnang IdP"] = [
 'data' => [
 'providerURL' => 'https://idp.ctbk.de/realms/ctbk/',
 'clientID' => 'orga_mediawiki',
+ 'scope' => [ 'openid', 'profile', 'email', 'groups' ],
 'clientsecret' => $ctbkClientSecret
+ ],
+ 'groupsyncs' => [
+ [
+ 'type' => 'mapped',
+ 'map' => [
+ 'sysop' => [ 'groups' => '/mediawiki/admins' ],
+ 'bureaucrat' => [ 'groups' => '/mediawiki/admins' ],
+ 'interface-admin' => [ 'groups' => '/mediawiki/admins' ],
+ 'orga-users' => [ 'groups' => '/orgawiki/users' ],
+ 'orga-fsck' => [ 'groups' => '/todo-fsck-orga' ],
+ 'orga-verein' => [ 'groups' => '/todo-verein-orga' ]
+ ]
+ ]
 ]
 ];
@@ -195,6 +273,8 @@ $wgHideInterlanguageLinks = false;
 #$wgShowDBErrorBacktrace = true;
 $wgNamespacesWithSubpages[NS_MAIN] = true;
+$wgNamespacesWithSubpages[NS_FSCK] = true;
+$wgNamespacesWithSubpages[NS_VEREIN] = true;
 $wgNamespacesWithSubpages[NS_TEMPLATE] = true;
 # use proxy ip addresses -- we’re behind (at least) one reverse proxy that sets X-Forwarded-For
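Review bot: `$wgNonincludableNamespaces[] = [ NS_MAIN, NS_PROJECT, NS_VEREIN, NS_FSCK ];` appends one nested array as a single element, whereas MediaWiki treats this setting as a flat list of namespace ids and tests membership with `in_array`, so none of the four namespaces actually becomes non-includable and the transclusion route the comment wants to close (pulling a restricted page into one the reader may view) stays open. Replace the line with `array_push( $wgNonincludableNamespaces, NS_MAIN, NS_PROJECT, NS_VEREIN, NS_FSCK );`. Separately, `$wgSpecialPageLockdown['Export'] = ['user'];` admits every logged-in account, including members of only one orga group, while the same hunk strips `read` from `user`; whether Special:Export applies the per-namespace read rule is not visible here, so `['sysop']` is the conservative value, and the same question applies to `Recentchanges`, which lists titles and edit summaries. The talk namespaces defined in the previous hunk (`NS_FSCK_TALK`, `NS_VEREIN_TALK`) get no entry here and, as I read Lockdown's `'*'` fallback, become sysop-only, which presumably leaves group members unable to use them.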
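Review bot: A single IdP group `/mediawiki/admins` is mapped to `sysop`, `bureaucrat` and `interface-admin`, so membership in it also grants site-wide JavaScript/CSS editing (interface-admin), which executes in every reader's browser; consider a separate IdP group for `interface-admin`, or at least document the blast radius next to the map, e.g. `# /mediawiki/admins => full wiki admin incl. site JS/CSS`. The `orga-fsck` and `orga-verein` entries point at `/todo-fsck-orga` and `/todo-verein-orga`; until those groups exist on the IdP nobody lands in those wiki groups, which fails closed, but a `# TODO: placeholder group name` marker on those two lines would make the state obvious. With `'type' => 'mapped'` I read the sync as also removing a mapped wiki group when the claim is absent, which is the revocation behaviour this setup needs; confirm against the installed OpenIDConnect version. The enclosing `$wgPluggableAuth_Config` assignment starts before this hunk.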
diff --git a/orga_mediawiki/composer.local.json b/orga_mediawiki/composer.local.json
index aa17e7b..725a8aa 100644
--- a/orga_mediawiki/composer.local.json
+++ b/orga_mediawiki/composer.local.json
@@ -3,7 +3,23 @@
 {
 "type": "vcs",
 "url": "https://gerrit.wikimedia.org/r/mediawiki/extensions/OpenIDConnect"
- }
+ },
+ {
+ "type": "package",
+ "package": {
+ "name": "x-mediawiki/lockdown",
+ "version": "1.0.0",
+ "type": "mediawiki-extension",
+ "extra": {
+ "installer-name": "Lockdown"
+ },
+ "source": {
+ "type": "git",
+ "url": "https://gerrit.wikimedia.org/r/mediawiki/extensions/Lockdown",
+ "reference": "REL1_39"
+ }
+ }
+ }
 ],
 "require": {
 "starcitizentools/citizen-skin": "^2.39",
@@ -12,7 +28,8 @@
 "mediawiki/semantic-compound-queries": "^2.2",
 "mediawiki/semantic-extra-special-properties": "^3",
 "mediawiki/semantic-media-wiki": "^4.2",
- "mediawiki/semantic-result-formats": "^4.2"
+ "mediawiki/semantic-result-formats": "^4.2",
+ "x-mediawiki/lockdown": "^1"
 },
 "config": {
 "preferred-install": "source",
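Review bot: The new `package` repository pins Lockdown to `"reference": "REL1_39"`, a moving release branch rather than a tag or commit, so each `composer update` fetches whatever the branch head is at that moment while the hand-written `"version": "1.0.0"` never changes; the `"x-mediawiki/lockdown": "^1"` constraint in the second hunk therefore carries no real version information. For a reproducible install pin the reference to a commit (`"reference": "<commit-sha placeholder>"`) and bump it deliberately, and keep the resolved commit recorded in a committed `composer.lock`. Because the stanza is `source`-only (and the file already sets `"preferred-install": "source"`), there is no `dist` archive with a checksum, so a commit hash is the only integrity anchor available here.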