diff --git a/orga_mediawiki/LocalSettings.php b/orga_mediawiki/LocalSettings.php
index e4dc7f6..b15a49c 100644
--- a/orga_mediawiki/LocalSettings.php
+++ b/orga_mediawiki/LocalSettings.php
@@ -160,19 +160,7 @@ wfLoadExtension( 'OpenIDConnect' );
 wfLoadExtension( 'SemanticMediaWiki' );
 enableSemantics( 'orgawiki.ctbk.de' );
-wfLoadExtension( 'Lockdown' );
-
-#### Namespace config
-define('NS_FSCK', 100);
-define('NS_FSCK_TALK', 101);
-define('NS_VEREIN', 200);
-define('NS_VEREIN_TALK', 201);
-$wgExtraNamespaces[NS_FSCK] = 'FSCK';
-$wgExtraNamespaces[NS_FSCK_TALK] = 'FSCK_Diskussion';
-$wgExtraNamespaces[NS_VEREIN] = 'Verein';
-$wgExtraNamespaces[NS_VEREIN_TALK] = 'Verein_Diskussion';
-
-#### Permissions
+# Add more configuration options below.
 # Disable account creation - we only use SSO accounts
 $wgGroupPermissions['*']['autocreateaccount'] = true;
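Review bot: The `NS_FSCK` / `NS_VEREIN` defines and their `$wgExtraNamespaces` entries are dropped in the `@@ -160,19 +160,7 @@` hunk with no visible migration of content. If pages were ever created in namespaces 100–201, they stay in the database but, as far as I know, can no longer be addressed by title once the namespace is undefined. Those were the pages restricted to `orga-fsck` / `orga-verein`, so it is worth confirming they were moved or deleted before this is deployed rather than left orphaned. Separately, the added `# Add more configuration options below.` now sits directly above the permission settings; a heading such as `# Permissions`, matching the `# SSO config` style used further down, would describe that block better.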
@@ -182,60 +170,8 @@ $wgGroupPermissions['sysop']['createaccount'] = true;
 # Also disable reading/editing by non-logged-in users, making the wiki properly private
 $wgGroupPermissions['*']['read'] = false;
 $wgGroupPermissions['*']['edit'] = false;
-$wgGroupPermissions['*']['createpage'] = false;
-$wgGroupPermissions['*']['createtalk'] = false;
-# Remove tons of permissions from standard users
-$wgGroupPermissions['user']['edit'] = false;
-$wgGroupPermissions['user']['read'] = false;
-$wgGroupPermissions['user']['createpage'] = false;
-$wgGroupPermissions['user']['createtalk'] = false;
-$wgGroupPermissions['user']['upload'] = false;
-$wgGroupPermissions['user']['reupload'] = false;
-$wgGroupPermissions['user']['reupload-shared'] = false;
-$wgGroupPermissions['user']['movefile'] = false;
-$wgGroupPermissions['user']['move-rootuserpages'] = false;
-$wgGroupPermissions['user']['move-categorypages'] = false;
-$wgGroupPermissions['user']['move-subpages'] = false;
-$wgGroupPermissions['user']['move'] = false;
-# give all the user groups basic rights -- taken away by Lockdown again mostly, but Lockdown cannot give permissions that don’t exist on the user
-$wgGroupPermissions['orga-users']['edit'] = true;
-$wgGroupPermissions['orga-users']['read'] = true;
-$wgGroupPermissions['orga-users']['createpage'] = true;
-$wgGroupPermissions['orga-fsck']['edit'] = true;
-$wgGroupPermissions['orga-fsck']['read'] = true;
-$wgGroupPermissions['orga-fsck']['createpage'] = true;
-$wgGroupPermissions['orga-verein']['edit'] = true;
-$wgGroupPermissions['orga-verein']['read'] = true;
-$wgGroupPermissions['orga-verein']['createpage'] = true;
-# sysop rights
-$wgGroupPermissions['sysop']['edit'] = true;
-$wgGroupPermissions['sysop']['read'] = true;
-$wgGroupPermissions['sysop']['createpage'] = true;
-
-#### Lockdown configuration
-$wgSpecialPageLockdown['Export'] = ['user'];
-$wgSpecialPageLockdown['Recentchanges'] = ['user'];
-
-# remove most namespace permissions
-$wgNamespacePermissionLockdown['*']['read'] = ['sysop'];
-$wgNamespacePermissionLockdown['*']['edit'] = ['sysop'];
-$wgNamespacePermissionLockdown['*']['createpage'] = ['sysop'];
-
-# limit template workaround
-$wgNonincludableNamespaces[] = [ NS_MAIN, NS_PROJECT, NS_VEREIN, NS_FSCK ];
-
-# FSCK namespace
-$wgNamespacePermissionLockdown[NS_FSCK]['read'] = [ 'orga-fsck' ];
-$wgNamespacePermissionLockdown[NS_FSCK]['edit'] = [ 'orga-fsck' ];
-$wgNamespacePermissionLockdown[NS_FSCK]['createpage'] = [ 'orga-fsck' ];
-
-# Verein namespace
-$wgNamespacePermissionLockdown[NS_VEREIN]['read'] = [ 'orga-verein' ];
-$wgNamespacePermissionLockdown[NS_VEREIN]['edit'] = [ 'orga-verein' ];
-$wgNamespacePermissionLockdown[NS_VEREIN]['createpage'] = [ 'orga-verein' ];
-
-#### SSO config
+# SSO config
 # necessary to allow admin user(s) to login
 $wgPluggableAuth_EnableLocalLogin = true;
 $wgPluggableAuth_Config["Chaostreff Backnang IdP"] = [
@@ -243,21 +179,7 @@ $wgPluggableAuth_Config["Chaostreff Backnang IdP"] = [
 'data' => [
 'providerURL' => 'https://idp.ctbk.de/realms/ctbk/',
 'clientID' => 'orga_mediawiki',
- 'scope' => [ 'openid', 'profile', 'email', 'groups' ],
 'clientsecret' => $ctbkClientSecret
- ],
- 'groupsyncs' => [
- [
- 'type' => 'mapped',
- 'map' => [
- 'sysop' => [ 'groups' => '/mediawiki/admins' ],
- 'bureaucrat' => [ 'groups' => '/mediawiki/admins' ],
- 'interface-admin' => [ 'groups' => '/mediawiki/admins' ],
- 'orga-users' => [ 'groups' => '/orgawiki/users' ],
- 'orga-fsck' => [ 'groups' => '/todo-fsck-orga' ],
- 'orga-verein' => [ 'groups' => '/todo-verein-orga' ]
- ]
- ]
 ]
 ];
@@ -273,8 +195,6 @@ $wgHideInterlanguageLinks = false;
 #$wgShowDBErrorBacktrace = true;
 $wgNamespacesWithSubpages[NS_MAIN] = true;
-$wgNamespacesWithSubpages[NS_FSCK] = true;
-$wgNamespacesWithSubpages[NS_VEREIN] = true;
 $wgNamespacesWithSubpages[NS_TEMPLATE] = true;
 # use proxy ip addresses -- we’re behind (at least) one reverse proxy that sets X-Forwarded-For
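Review bot: After the `@@ -182,60 +170,8 @@` hunk the only restrictions left are `$wgGroupPermissions['*']['read'] = false;` and `$wgGroupPermissions['*']['edit'] = false;`, so every logged-in account is back on MediaWiki's stock `user` rights (read, edit, createpage, move, among others). With `['*']['autocreateaccount'] = true` still set, and the `groupsyncs` map and `groups` scope removed in the `@@ -243,21 +179,7 @@` hunk, wiki access is no longer tied to any IdP group. Anyone the `orga_mediawiki` client accepts gets a working account on first login, unless the IdP itself restricts the client, which is not visible here. If that is intended, record it next to the setting, e.g. `# every SSO account gets the default 'user' rights; membership is enforced at the IdP client`. Existing `sysop` / `bureaucrat` / `interface-admin` memberships presumably stay as last synced and will no longer follow `/mediawiki/admins`, so they are worth auditing after deployment.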
diff --git a/orga_mediawiki/composer.local.json b/orga_mediawiki/composer.local.json
index 725a8aa..aa17e7b 100644
--- a/orga_mediawiki/composer.local.json
+++ b/orga_mediawiki/composer.local.json
@@ -3,23 +3,7 @@
 {
 "type": "vcs",
 "url": "https://gerrit.wikimedia.org/r/mediawiki/extensions/OpenIDConnect"
- },
- {
- "type": "package",
- "package": {
- "name": "x-mediawiki/lockdown",
- "version": "1.0.0",
- "type": "mediawiki-extension",
- "extra": {
- "installer-name": "Lockdown"
- },
- "source": {
- "type": "git",
- "url": "https://gerrit.wikimedia.org/r/mediawiki/extensions/Lockdown",
- "reference": "REL1_39"
- }
- }
- }
+ }
 ],
 "require": {
 "starcitizentools/citizen-skin": "^2.39",
@@ -28,8 +12,7 @@
 "mediawiki/semantic-compound-queries": "^2.2",
 "mediawiki/semantic-extra-special-properties": "^3",
 "mediawiki/semantic-media-wiki": "^4.2",
- "mediawiki/semantic-result-formats": "^4.2",
- "x-mediawiki/lockdown": "^1"
+ "mediawiki/semantic-result-formats": "^4.2"
 },
 "config": {
 "preferred-install": "source",
diff --git a/system/semantic-mediawiki-jobs@.service b/system/semantic-mediawiki-jobs@.service
index c0b8181..ce8fcd9 100644
--- a/system/semantic-mediawiki-jobs@.service
+++ b/system/semantic-mediawiki-jobs@.service
@@ -11,6 +11,3 @@ PrivateDevices=true
 PrivateTmp=true
 ProtectHome=read-only
-[Install]
-WantedBy=default.target
-