Difference between revisions of "Extension:SimpleSecurity"
(Fetch hook working properly) |
(no need to disable db hook during validation because no read of old_text occurs in there) |
||
| Line 51: | Line 51: | ||
class SimpleSecurity { | class SimpleSecurity { | ||
| − | |||
| − | |||
/** | /** | ||
| Line 163: | Line 161: | ||
static function validateRow(&$row) { | static function validateRow(&$row) { | ||
global $wgUser, $wgSimpleSecurity; | global $wgUser, $wgSimpleSecurity; | ||
| − | |||
| − | |||
$groups = $wgUser->getEffectiveGroups(); | $groups = $wgUser->getEffectiveGroups(); | ||
if (in_array('sysop', $groups)) return; | if (in_array('sysop', $groups)) return; | ||
| Line 180: | Line 176: | ||
$row->old_text = wfMsg('badaccess-read'); | $row->old_text = wfMsg('badaccess-read'); | ||
} | } | ||
| − | |||
| − | |||
} | } | ||
| Line 210: | Line 204: | ||
eval("class Database{$type}2 extends Database{$type}".' { | eval("class Database{$type}2 extends Database{$type}".' { | ||
public function query($sql, $fname = "", $tempIgnore = false) { | public function query($sql, $fname = "", $tempIgnore = false) { | ||
| − | |||
$count = false; | $count = false; | ||
| − | + | $patched = preg_replace_callback("/(?<=SELECT ).+?(?= FROM)/", "SimpleSecurity::patchSQL", $sql, 1, $count); | |
| − | |||
return parent::query($count ? $patched : $sql, $fname, $tempIgnore); | return parent::query($count ? $patched : $sql, $fname, $tempIgnore); | ||
} | } | ||
function fetchObject(&$res) { | function fetchObject(&$res) { | ||
| − | |||
$row = parent::fetchObject($res); | $row = parent::fetchObject($res); | ||
| − | if ( | + | if (isset($row->old_text)) SimpleSecurity::validateRow($row); |
return $row; | return $row; | ||
} | } | ||
Revision as of 06:01, 21 July 2008
<?php /**
* Simple Security extensionTemplate:Php
|
* - Extends the MediaWiki article protection to allow restricting viewing of article content * - Also adds #ifusercan and #ifgroup parser functions for rendering restriction-based content * * See http://www.mediawiki.org/Extension:Simple_Security for installation and usage details * See http://www.organicdesign.co.nz/Extension_talk:SimpleSecurity4.php for development notes and disucssion * Version 4.0.0 started 2007-10-11 * Version 4.1.0 started 2008-06-12 (development funded for a slimmed down functional version) * * @package MediaWiki * @subpackage Extensions * @author Aran Dunkley User:Nad * @copyright © 2007 Aran Dunkley * @licence GNU General Public Licence 2.0 or later */
if (!defined('MEDIAWIKI')) die('Not an entry point.');
define('SIMPLESECURITY_VERSION', '4.1.1, 2008-07-21');
- Global security settings
$wgSecurityMagicIf = "ifusercan"; # the name for doing a permission-based conditional $wgSecurityMagicGroup = "ifgroup"; # the name for doing a group-based conditional $wgSecurityLogActions = array('edit', 'download'); # Actions that should be logged $wgSecurityUseDBHook = true; # Use the DatabaseFetchHook to validate database access $wgSecurityAllowUser = false; # Allow restrictions based on user not just group
- Extra actions to allow control over in protection form
$wgSecurityExtraActions = array( 'read' => 'Read', 'source' => 'Source', 'history' => 'History' ); $wgSecurityExtraActions = array('read' => 'Read');
- Extra groups available in protection form
$wgSecurityExtraGroups = array();
array_unshift($wgExtensionFunctions, 'wfSetupSimpleSecurity'); # Put SimpleSecurity's setup function before all others
$wgHooks['LanguageGetMagic'][] = 'wfSimpleSecurityLanguageGetMagic'; $wgExtensionCredits['parserhook'][] = array( 'name' => "SimpleSecurity", 'author' => 'User:Nad', 'description' => 'Extends the MediaWiki article protection to allow restricting viewing of article content', 'url' => 'http://www.mediawiki.org/wiki/Extension:Simple_Security', 'version' => SIMPLESECURITY_VERSION );
class SimpleSecurity {
/** * Constructor */ function __construct() { global $wgParser, $wgHooks, $wgLogTypes, $wgLogNames, $wgLogHeaders, $wgLogActions, $wgMessageCache, $wgSecurityMagicIf, $wgSecurityMagicGroup, $wgSecurityExtraActions, $wgSecurityExtraGroups, $wgRestrictionTypes, $wgRestrictionLevels, $wgGroupPermissions;
# $wgGroupPermissions has to have its default read entry removed because Title::userCanRead checks it directly if ($this->default_read = isset($wgGroupPermissions['*']['read']) && $wgGroupPermissions['*']['read']) $wgGroupPermissions['*']['read'] = false;
# Add our parser-hooks $wgParser->setFunctionHook($wgSecurityMagicIf, array($this, 'ifUserCan')); $wgParser->setFunctionHook($wgSecurityMagicGroup, array($this, 'ifGroup')); $wgHooks['UserGetRights'][] = $this;
# Add a new log type $wgLogTypes[] = 'security'; $wgLogNames ['security'] = 'securitylogpage'; $wgLogHeaders['security'] = 'securitylogpagetext'; $wgLogActions['security/deny'] = 'securitylogentry';
# Extend protection form groups, actions and messages $wgMessageCache->addMessages(array( 'protect-unchain' => "Modify actions individually" )); #$wgMessageCache->addMessages(array('loginreqpagetext' => "Sorry, you'll need to $1 to an account with sufficient permissions to view this page.")); foreach ($wgSecurityExtraActions as $k => $v) { if (empty($v)) $v = ucfirst($k); $wgRestrictionTypes[] = $k; $wgMessageCache->addMessages(array( "restriction-$k" => $v )); #$wgGroupPermissions['sysop'][$k] = true; # Ensure sysops have the right to perform this extra action }
foreach ($wgSecurityExtraGroups as $k => $v) { if (empty($v)) $v = ucfirst($k); $wgRestrictionLevels[] = $k; $wgMessageCache->addMessages(array( "protect-level-$k" => $v )); $wgGroupPermissions[$k]['not an action'] = true; # Ensure the new groups show up in rights management } }
/** * Process the ifUserCan conditional security directive */ public function ifUserCan(&$parser, $action, $title, $then, $else = ) { return $title->userCan($action) ? $then : $else; }
/** * Process the ifGroup conditional security directive * - evaluates to true if current uset belongs to any of the comma-separated users and/or groups in the first parameter */ public function ifGroup(&$parser, $groups, $then, $else = ) { global $wgUser; $intersection = array_intersect(array_map('strtolower', split(',', $groups)), $wgUser->getEffectiveGroups()); return count($intersection) > 0 ? $then : $else; }
/** * User::getRights returns a list of rights (allowed actions) based on the current users group membership * Title::getRestrictions returns a list of groups who can perform a particular action * So getRights should filter out any title-based restriction's actions which require groups that the user is not a member of * Allows sysop access */ public function onUserGetRights(&$user, &$rights, &$title = NULL) { global $wgGroupPermissions, $wgTitle, $wgRequest; if (!is_object($title)) $title = $wgTitle; $groups = $user->getEffectiveGroups();
# If current title is valid and we're not a sysop, process permissions if (is_object($title) && !in_array('sysop', $groups)) {
# Get list of groups required to read this title (empty list means no read restriction) $ns = $title->getNamespace(); if ($ns == NS_SPECIAL) {
# Ugly hack to prevent specialpage operations on unreadable pages list($name, $par) = explode('/', $title->getDBkey(), 2); if ($par) $t = Title::newFromText($par); elseif ($wgRequest->getVal('target')) $t = Title::newFromText($wgRequest->getVal('target')); elseif ($wgRequest->getVal('oldtitle')) $t = Title::newFromText($wgRequest->getVal('oldtitle')); if (is_object($t)) $restrictions = $t->getRestrictions('read'); } else $restrictions = $title->getRestrictions('read');
# If there are read restrictions in place, then check if we're a member of any groups required for read access if (count($restrictions) && count(array_intersect($restrictions, $groups)) < 1) foreach ($rights as $i => $right) if ($right == 'read' || $right == 'move') unset($rights[$i]); elseif ($this->default_read) $wgGroupPermissions['*']['read'] = $this->default_read; } return true; }
/** * Patches SQL queries to ensure that the old_id field is present in all requests for the old_text field so permissions can be validated */ static function patchSQL($match) { if (!preg_match("/old_text/", $match[0])) return $match[0]; $fields = str_replace(" ", "", $match[0]); return ($fields == "*" || preg_match("/old_id/", $fields)) ? $fields : "$fields,old_id"; }
/** * Validate the passed database row and replace any invalid content * - called from DatabaseFetchHook whenever a row contains old_text * - old_id is guaranteed to exist due to patchSQL method */ static function validateRow(&$row) { global $wgUser, $wgSimpleSecurity; $groups = $wgUser->getEffectiveGroups(); if (in_array('sysop', $groups)) return;
# Obtain a title object from the old_id $dbr =& wfGetDB(DB_SLAVE); $tbl = $dbr->tableName('revision'); $rev = $dbr->selectRow($tbl, 'rev_page', "rev_text_id = {$row->old_id}", __METHOD__); $title = Title::newFromID($rev->rev_page);
# Validate title if (is_object($title) && !in_array('sysop', $groups)) { $restrictions = $title->getRestrictions('read'); if (count($restrictions) && count(array_intersect($restrictions, $groups)) < 1) $row->old_text = wfMsg('badaccess-read'); } }
/** * Needed in some versions to prevent Special:Version from breaking */ public function __toString() { return __CLASS__; } }
/**
* Hooks into Database::query and Database::fetchObject via the LoadBalancer class * - this is a global because PHP doesn't like nested class definitions */
function wfAddDatabaseHooks() { global $wgLoadBalancer, $wgDBtype;
# This ensures that $wgLoadBalancer is not a stub object when we subclass it # todo: this should be able to work in the case of it being a stub object wfGetDB();
# Create a replica of the Database class # - query method is overriden to ensure that old_id field is returned for all queries which read old_text field # - fetchObject method is overridden to validate row content based on old_id # - the changes to this class are only active for SELECT statements and while not processing security directives $type = ucfirst($wgDBtype); eval("class Database{$type}2 extends Database{$type}".' { public function query($sql, $fname = "", $tempIgnore = false) { $count = false; $patched = preg_replace_callback("/(?<=SELECT ).+?(?= FROM)/", "SimpleSecurity::patchSQL", $sql, 1, $count); return parent::query($count ? $patched : $sql, $fname, $tempIgnore); } function fetchObject(&$res) { $row = parent::fetchObject($res); if (isset($row->old_text)) SimpleSecurity::validateRow($row); return $row; } }');
# Create a replica of the LoadBalancer class which uses the new Database subclass for its connection objects class LoadBalancer2 extends LoadBalancer { function reallyOpenConnection(&$server) { $server['type'] .= '2'; $db =& parent::reallyOpenConnection($server); return $db; } }
# Replace the $wgLoadBalancer object with an identical instance of the new LoadBalancer2 class $wgLoadBalancer->closeAll(); # Close any open connections as they will be of the original Database class $oldLoadBalancer = $wgLoadBalancer; $wgLoadBalancer = new LoadBalancer2($oldLoadBalancer->mServers); foreach (array_keys(get_class_vars('LoadBalancer')) as $k) $wgLoadBalancer->$k = $oldLoadBalancer->$k; }
/**
* Called from $wgExtensionFunctions array when initialising extensions */
function wfSetupSimpleSecurity() { global $wgSimpleSecurity, $wgLanguageCode, $wgMessageCache, $wgSecurityUseDBHook;
# Hooks into Database::query and Database::fetchObject via the LoadBalancer class if ($wgSecurityUseDBHook) wfAddDatabaseHooks();
# Instantiate the SimpleSecurity singleton now that the environment is prepared $wgSimpleSecurity = new SimpleSecurity();
# Add the messages used by the specialpage if ($wgLanguageCode == 'en') { $wgMessageCache->addMessages(array( 'security' => "Security log", 'securitylogpage' => "Security log", 'securitylogpagetext' => "This is a log of actions blocked by the SimpleSecurity extension.", 'securitylogentry' => "", 'securityinfotoggle' => "This article exhibits security restrictions. Click this icon for more detail.", 'badaccess-read' => "!!Permission denied!!", 'badaccess-special' => "You do not have permission to access or perform special page actions on $1" )); } }
/**
* Register magic words */
function wfSimpleSecurityLanguageGetMagic(&$magicWords, $langCode = 0) { global $wgSecurityMagicIf, $wgSecurityMagicGroup; $magicWords[$wgSecurityMagicIf] = array($langCode, $wgSecurityMagicIf); $magicWords[$wgSecurityMagicGroup] = array($langCode, $wgSecurityMagicGroup); return true; }
