access configuration, Lockdown extension

orga_mediawiki/LocalSettings.php

@@ -160,7 +160,19 @@ wfLoadExtension( 'OpenIDConnect' );
 wfLoadExtension( 'SemanticMediaWiki' );
 enableSemantics( 'orgawiki.ctbk.de' );
 
-# Add more configuration options below.
+wfLoadExtension( 'Lockdown' );
+
+#### Namespace config
+define('NS_FSCK', 100);
+define('NS_FSCK_TALK', 101);
+define('NS_VEREIN', 200);
+define('NS_VEREIN_TALK', 201);
+$wgExtraNamespaces[NS_FSCK] = 'FSCK';
+$wgExtraNamespaces[NS_FSCK_TALK] = 'FSCK_Diskussion';
+$wgExtraNamespaces[NS_VEREIN] = 'Verein';
+$wgExtraNamespaces[NS_VEREIN_TALK] = 'Verein_Diskussion';
+
+#### Permissions
 
 # Disable account creation - we only use SSO accounts
 $wgGroupPermissions['*']['autocreateaccount'] = true;
@@ -170,8 +182,60 @@ $wgGroupPermissions['sysop']['createaccount'] = true;
 # Also disable reading/editing by non-logged-in users, making the wiki properly private
 $wgGroupPermissions['*']['read'] = false;
 $wgGroupPermissions['*']['edit'] = false;
+$wgGroupPermissions['*']['createpage'] = false;
+$wgGroupPermissions['*']['createtalk'] = false;
+# Remove tons of permissions from standard users
+$wgGroupPermissions['user']['edit'] = false;
+$wgGroupPermissions['user']['read'] = false;
+$wgGroupPermissions['user']['createpage'] = false;
+$wgGroupPermissions['user']['createtalk'] = false;
+$wgGroupPermissions['user']['upload'] = false;
+$wgGroupPermissions['user']['reupload'] = false;
+$wgGroupPermissions['user']['reupload-shared'] = false;
+$wgGroupPermissions['user']['movefile'] = false;
+$wgGroupPermissions['user']['move-rootuserpages'] = false;
+$wgGroupPermissions['user']['move-categorypages'] = false;
+$wgGroupPermissions['user']['move-subpages'] = false;
+$wgGroupPermissions['user']['move'] = false;
+# give all the user groups basic rights -- taken away by Lockdown again mostly, but Lockdown cannot give permissions that don’t exist on the user
+$wgGroupPermissions['orga-users']['edit'] = true;
+$wgGroupPermissions['orga-users']['read'] = true;
+$wgGroupPermissions['orga-users']['createpage'] = true;
+$wgGroupPermissions['orga-fsck']['edit'] = true;
+$wgGroupPermissions['orga-fsck']['read'] = true;
+$wgGroupPermissions['orga-fsck']['createpage'] = true;
+$wgGroupPermissions['orga-verein']['edit'] = true;
+$wgGroupPermissions['orga-verein']['read'] = true;
+$wgGroupPermissions['orga-verein']['createpage'] = true;
 
-# SSO config
+# sysop rights
+$wgGroupPermissions['sysop']['edit'] = true;
+$wgGroupPermissions['sysop']['read'] = true;
+$wgGroupPermissions['sysop']['createpage'] = true;
+
+#### Lockdown configuration
+$wgSpecialPageLockdown['Export'] = ['user'];
+$wgSpecialPageLockdown['Recentchanges'] = ['user'];
+
+# remove most namespace permissions
+$wgNamespacePermissionLockdown['*']['read'] = ['sysop'];
+$wgNamespacePermissionLockdown['*']['edit'] = ['sysop'];
+$wgNamespacePermissionLockdown['*']['createpage'] = ['sysop'];
+
+# limit template workaround
+$wgNonincludableNamespaces[] = [ NS_MAIN, NS_PROJECT, NS_VEREIN, NS_FSCK ];
+
+# FSCK namespace
+$wgNamespacePermissionLockdown[NS_FSCK]['read'] = [ 'orga-fsck' ];
+$wgNamespacePermissionLockdown[NS_FSCK]['edit'] = [ 'orga-fsck' ];
+$wgNamespacePermissionLockdown[NS_FSCK]['createpage'] = [ 'orga-fsck' ];
+
+# Verein namespace
+$wgNamespacePermissionLockdown[NS_VEREIN]['read'] = [ 'orga-verein' ];
+$wgNamespacePermissionLockdown[NS_VEREIN]['edit'] = [ 'orga-verein' ];
+$wgNamespacePermissionLockdown[NS_VEREIN]['createpage'] = [ 'orga-verein' ];
+
+#### SSO config
 # necessary to allow admin user(s) to login
 $wgPluggableAuth_EnableLocalLogin = true;
 $wgPluggableAuth_Config["Chaostreff Backnang IdP"] = [
@@ -179,7 +243,21 @@ $wgPluggableAuth_Config["Chaostreff Backnang IdP"] = [
     'data' => [
         'providerURL' => 'https://idp.ctbk.de/realms/ctbk/',
 	'clientID' => 'orga_mediawiki',
+	'scope' => [ 'openid', 'profile', 'email', 'groups' ],
         'clientsecret' => $ctbkClientSecret
+    ],
+    'groupsyncs' => [
+      [
+       'type' => 'mapped',
+       'map' => [
+         'sysop' => [ 'groups' => '/mediawiki/admins' ],
+         'bureaucrat' => [ 'groups' => '/mediawiki/admins' ],
+	 'interface-admin' => [ 'groups' => '/mediawiki/admins' ],
+	 'orga-users' => [ 'groups' => '/orgawiki/users' ],
+	 'orga-fsck' => [ 'groups' => '/todo-fsck-orga' ],
+	 'orga-verein' => [ 'groups' => '/todo-verein-orga' ]
+       ]
+      ]
     ]
 ];
 
@@ -195,6 +273,8 @@ $wgHideInterlanguageLinks = false;
 #$wgShowDBErrorBacktrace = true;
 
 $wgNamespacesWithSubpages[NS_MAIN] = true;
+$wgNamespacesWithSubpages[NS_FSCK] = true;
+$wgNamespacesWithSubpages[NS_VEREIN] = true;
 $wgNamespacesWithSubpages[NS_TEMPLATE] = true;
 
 # use proxy ip addresses -- we’re behind (at least) one reverse proxy that sets X-Forwarded-For

orga_mediawiki/composer.local.json

@@ -3,6 +3,22 @@
 		{
 			"type": "vcs",
 			"url": "https://gerrit.wikimedia.org/r/mediawiki/extensions/OpenIDConnect"
+		},
+		{
+                        "type": "package",
+                        "package": {
+                                "name": "x-mediawiki/lockdown",
+                                "version": "1.0.0",
+				"type": "mediawiki-extension",
+				"extra": {
+					"installer-name": "Lockdown"
+				},
+                                "source": {
+                                        "type": "git",
+                                        "url": "https://gerrit.wikimedia.org/r/mediawiki/extensions/Lockdown",
+                                        "reference": "REL1_39"
+                                }
+                        }
                 }
 	],
 	"require": {
@@ -12,7 +28,8 @@
 		"mediawiki/semantic-compound-queries": "^2.2",
 		"mediawiki/semantic-extra-special-properties": "^3",
 		"mediawiki/semantic-media-wiki": "^4.2",
-		"mediawiki/semantic-result-formats": "^4.2"
+		"mediawiki/semantic-result-formats": "^4.2",
+		"x-mediawiki/lockdown": "^1"
 	},
 	"config": {
 		"preferred-install": "source",