Extension:SimpleSecurity

From Organic Design wiki
Revision as of 07:31, 15 October 2007 by Nad (talk | contribs) (4.0.6 - security info is hidden by default, page title prefixed with toggle if any security applies)

<?php

  1. Simple security extensionTemplate:Php
Info.svg These are the MediaWiki extensions we're using and/or developing. Please refer to the information on the mediawiki.org wiki for installation and usage details. Extensions here which have no corresponding mediawiki article are either not ready for use or have been superseded. You can also browse our extension code in our local Subversion repository or our GitHub mirror.
  1. - See http://www.mediawiki.org/Extension:Simple_Security for installation and usage details
  2. - Licenced under LGPL (http://www.gnu.org/copyleft/lesser.html)
  3. - Needs apache's mod-rewrite for security on images, see code comments below
  4. - Version 4.0.0 started 2007-10-11

if (!defined('MEDIAWIKI')) die('Not an entry point.');

define('SIMPLESECURITY_VERSION','4.0.6, 2007-10-15');

  1. Global security settings

$wgSecurityMagic = "security"; # the parser-function name for security directives $wgSecurityMagicIf = "ifusercan"; # the name for doing a permission-based conditional $wgSecurityMagicGroup = "ifgroup"; # the name for doing a group-based conditional $wgSecurityDenyTemplate = 'Template:Action not permitted'; # Template used for displaying error when user violates permissions $wgSecurityInfoTemplate = 'Template:Security info'; # Template used to layout the security information $wgSecuritySysops = array('sysop'); # the list of users or groups whose members bypass all security $wgSecurityLogActions = array('download'); # Actions that should be logged $wgSecurityDenyImage = "/skins/monobook/lock_icon.gif"; # the image returned in place of requested image if read access denied

array_unshift($wgExtensionFunctions,'wfSetupSimpleSecurity'); $wgHooks['LanguageGetMagic'][] = 'wfSimpleSecurityLanguageGetMagic'; $wgExtensionCredits['parserhook'][] = array( 'name' => "Simple Security", 'author' => 'User:Nad', 'description' => 'A simple to implement security extension', 'url' => 'http://www.mediawiki.org/wiki/Extension:Simple_Security', 'version' => SIMPLESECURITY_VERSION );

class SimpleSecurity {

var $info = false; var $processDirectives = false; var $directives = array();

# Constructor function SimpleSecurity() { global $wgParser,$wgHooks,$wgLogTypes,$wgLogNames,$wgLogHeaders,$wgLogActions, $wgSecurityMagic,$wgSecurityMagicIf,$wgSecurityMagicGroup;

# Add all our required event hooks $wgHooks['UserGetRights'][] = $this; $wgHooks['UserEffectiveGroups'][] = $this; $wgHooks['OutputPageBeforeHTML'][] = $this;

# Add our parser-hooks $wgParser->setFunctionHook($wgSecurityMagic,array($this,'processDirective')); $wgParser->setFunctionHook($wgSecurityMagicIf,array($this,'ifUserCan')); $wgParser->setFunctionHook($wgSecurityMagicGroup,array($this,'ifGroup'));

# Add a new log type $wgLogTypes[] = 'security'; $wgLogNames ['security'] = 'securitylogpage'; $wgLogHeaders['security'] = 'securitylogpagetext'; $wgLogActions['security/deny'] = 'securitylogentry'; }

# Enable/disable directive processing function setDirectiveProcessing($enabled = true) { $this->processDirectives = $enabled; if ($enabled) $this->directives = array(); }

# Process and store a security directive function processDirective(&$parser,$actions = ,$groups = ) { $parser->mOutput->mCacheTime = -1; if ($this->processDirectives && $actions && $groups) $this->directives[] = array($actions,$groups); $this->info .= "*$actions($groups)\n"; return ; }

# Process the ifUserCan conditional security directive function ifUserCan(&$parser,$action,$title,$then,$else = ) { return $this->validateTitle($action,Title::newFromText($title)) ? $then : $else; }

# Process the ifGroup conditional security directive # - evaluates to true if current uset belongs to any of the comma-separated users and/or groups in the first parameter function ifGroup(&$parser,$groups,$then,$else = ) { global $wgUser; $intersection = array_intersect(array_map('strtolower',split(',',$groups)),$wgUser->getEffectiveGroups()); return count($intersection) > 0 ? $then : $else; }

# Ensure all groups are lowercase and add the username with first letter capitalised function onUserEffectiveGroups(&$user,&$groups) { $groups = array_map('strtolower',$groups); $groups[] = ucfirst($user->getName()); return true; }

# Intercept the user rights and filter based on $wgGroupPermissions and $wgTitle function onUserGetRights(&$user,&$rights) { global $wgGroupPermissions,$wgTitle;

# The first time this is called we need to validate $wgTitle static $first = 0; if ($first++ == 0) {

# Process the directives in $wgTitle's content by expanding its templates $this->setDirectiveProcessing(true); $article = new Article($wgTitle); $parser = new Parser; $parser->preprocess($article->getContent(),$wgTitle,new ParserOptions()); $this->setDirectiveProcessing(false);

# todo: validate $wgTitle from directive state and $wgGroupPermissions

# todo: store the validation results to use for future calls }

# todo: filter $rights based on stored validation results

return true; }

# Render any security info as a SiteNotice function onOutputPageBeforeHTML(&$out,&$text) { global $wgUser,$wgTitle,$wgVersion,$wgSiteNotice,$wgScriptPath,$wgSecurityDenyImage;

# Add rules information for this article if any if ($this->info) {

# Parser the security info $info = $this->info; $this->info = false; $parser = new Parser; $info = $parser->parse($info,$wgTitle,ParserOptions::newFromUser($wgUser),true,true)->getText();

# Add some javascript to allow toggling the security-info $out->addScript("<script type='text/javascript'> function toggleSecurityInfo() { var info = document.getElementById('security-info'); info.style.display = info.style.display ?  : 'none'; } </script>");

# Add info-toggle before title and hidden info after title $pagetitle = $wgTitle->getText(); $toggle = "<img id='security-info-toggle' onClick='toggleSecurityInfo()' src='$wgScriptPath$wgSecurityDenyImage'>";

$info = "

";

$out->setPageTitle($toggle.$pagetitle.$info); $out->setHTMLTitle($pagetitle); }

return true; }

# validate an action against a title within the context of the current user function validateTitle($action,$title) { if ($action == 'view') $action = 'read'; # for backward compatibility with old SimpleSecurity calls return true; }

# Validate the passed database row and replace any invalidate content function validateDatabaseRow(&$row) { global $wgUser,$wgSecuritySysops;

# todo: find the current revision associated with the old_id

$this->setDirectiveProcessing(true); # todo: read and parse the revision text $this->setDirectiveProcessing(false);

# todo: validate the row and replace with wfMsg('securityreaddeny') if invalid

}

# Needed in some versions to prevent Special:Version from breaking function __toString() { return 'SimpleSecurity'; } }

  1. Adds UserGetRights and UserEffectiveGroups for MediaWiki versions prior to 1.11 which don't have them

function wfSimpleSecurityAddUserHooks() { global $wgVersion,$wgUser; if (version_compare($wgVersion,"1.11.0") <= 0) return;

# Create a new User class (User2) by extending the existing one with overridden methods class User2 extends User { function getRights() { parent::getRights(); wfRunHooks("UserGetRights",array($this,&$this->mRights)); } function getEffectiveGroups($recache = false) { $groups = parent::getEffectiveGroups($recache); wfRunHooks('UserEffectiveGroups',array(&$this,&$groups)); return $groups; } }

# If $wgUser is not of class User, it must be a StubUser which means we need to override _newObject to return a User2 instance $userclass = get_class($wgUser); if ($userclass != 'User') { class StubUser2 extends StubUser { function _newObject() { return wfCreateObject('User2',$this->mParams); } } }

# Replace $wgUser with a sub-classed replica $oldUser = $wgUser; $newclass = $userclass.'2'; $wgUser = new $newclass(); foreach (array_keys(get_class_vars($userclass)) as $k) $wgUser->$k = $oldUser->$k; }

  1. Hooks into Database::query and Database::fetchObject via the LoadBalancer class

function wfSimpleSecurityAddDatabaseHooks() { global $wgLoadBalancer,$wgDBtype;

# This ensures that $wgLoadBalancer is not a stub object when we subclass it # todo: this should be able to work in the case of it being a stub object wfGetDB();

# Create a replica of the Database class # - query method is overriden to ensure that old_id field is returned for all queries which read old_text field # - fetchObject method is overridden to validate row content based on old_id $type = ucfirst($wgDBtype); eval("class Database{$type}2 extends Database{$type}".' {

public function query($sql,$fname = "",$tempIgnore = false) { $sql = preg_replace_callback("/(?<=SELECT ).+?(?= FROM)/","wfSimpleSecurityPatchSQL",$sql,1); return parent::query($sql,$fname,$tempIgnore); }

function fetchObject(&$res) { global $wgSimpleSecurity; $row = parent::fetchObject($res); $wgSimpleSecurity->validateDatabaseRow($row); return $row; }

}');

# Create a replica of the LoadBalancer class which uses the new Database subclass for its connection objects class LoadBalancer2 extends LoadBalancer { function reallyOpenConnection(&$server) { $server['type'] .= '2'; $db =& parent::reallyOpenConnection($server); return $db; } }

# Replace the $wgLoadBalancer object with an identical instance of the new LoadBalancer2 class $wgLoadBalancer->closeAll(); # Close any open connections as they will be of the original Database class $oldLoadBalancer = $wgLoadBalancer; $wgLoadBalancer = new LoadBalancer2($oldLoadBalancer->mServers); foreach (array_keys(get_class_vars('LoadBalancer')) as $k) $wgLoadBalancer->$k = $oldLoadBalancer->$k;

}

  1. Patches SQL queries to ensure that the old_id field is present in all requests for the old_text field so permissions can be validated

function wfSimpleSecurityPatchSQL($match) { if (!preg_match("/old_text/",$match[0])) return $match[0]; $fields = str_replace(" ","",$match[0]); return ($fields == "*" || preg_match("/old_id/",$fields)) ? $fields : "$fields,old_id"; }

  1. Called from $wgExtensionFunctions array when initialising extensions

function wfSetupSimpleSecurity() { global $wgSimpleSecurity,$wgLanguageCode,$wgMessageCache;

# Hooks into Database::query and Database::fetchObject via the LoadBalancer class wfSimpleSecurityAddDatabaseHooks();

# Adds UserGetRights and UserEffectiveGroups for MediaWiki versions prior to 1.11 which don't have them wfSimpleSecurityAddUserHooks();

# Instantiate the SimpleSecurity singleton now that the environment is prepared $wgSimpleSecurity = new SimpleSecurity();

# Add the messages used by the specialpage if ($wgLanguageCode == 'en') { $wgMessageCache->addMessages(array( 'security' => "Security log", 'securitylogpage' => "Security log", 'securitylogpagetext' => "This is a log of actions blocked by the SimpleSecurity extension.", 'securitylogentry' => "", 'securityreaddeny' => "!!Permission denied!!", 'securitylogdeny' => "Attempt to $1 $2 was denied." )); } }

  1. Register magic words

function wfSimpleSecurityLanguageGetMagic(&$magicWords,$langCode = 0) { global $wgSecurityMagic,$wgSecurityMagicIf,$wgSecurityMagicGroup; $magicWords[$wgSecurityMagic] = array(0,$wgSecurityMagic); $magicWords[$wgSecurityMagicIf] = array(0,$wgSecurityMagicIf); $magicWords[$wgSecurityMagicGroup] = array(0,$wgSecurityMagicGroup); return true; } ?>

Retrieved from "https://organicdesign.nz/wiki/index.php?title=Extension:SimpleSecurity&oldid=78130"