Help:User rights
From ThermoWiki
Help Contents → Moderators → User rights
To change the groups to which a user belongs, use Special:Userrights. Each group can be assigned a mixture of the following rights (permissions).
Contents |
Available rights
- read
- Allows users to read pages not in $wgWhitelistRead
- edit
- Allows editing of any page which is not protected
- createpage
- Allows creating normal pages
- createtalk
- Allows creating talk pages. Note that edit = false prevents creating talk page regardless of this setting.
- move
- Lets users change the title of a page by moving it
- delete
- Lets a user delete a page
- undelete
- Lets a user view deleted versions, undelete a previously deleted page, or undelete specific revisions of a deleted page
- protect
- Lets users lock a page (presumably only those with the ability to protect a page can edit a protected page)
- block
- Enables a user to block an IP address, user name, or range of IPs, from editing
- userrights
- Lets a user change the access levels of another user including de-sysopping. On wikipedia a Steward is required for this, but by default in mediawiki it requires only bureaucrat. Steward isn't a default group.
- createaccount
- Lets a user create a user account for another user, or for themselves
- upload
- Lets a user upload an image or other file to the wiki, or to overwrite an existing non-protected file
- rollback
- Gives a user a link to more easily revert a bad edit
- patrol
- Lets a user state that they have checked an edit that appeared in recent changes
- editinterface
- Lets users edit the MediaWiki namespace to affect the interface
- siteadmin
- Lets users lock and unlock the database (and possibly change other settings that affect the whole site)
- bot
- Edits by a user with this "right" (rather: property) by default do not show up in recent changes (usually only used for mass edits by bots)
- import
- Allows user to import pages via the transwiki interface.
- importupload
- Allows user to import pages which have been exported to a file
Via extension
These aren't available in the main MediaWiki codebase:
- asksql
- Lets a user query the database using SQL (currently disabled)
- checkuser
- Lets a user find all the IP addresses used by a particular logged in user, and to show all the contributions from a given IP address, including those made by logged in users
- makesysop
- On the Wikimedia sites, the bureaucrat group has a restricted Special:Makesysop interface, while the steward group has the full Special:Userrights interface and an extended version
- oversight
- Lets a user move single revisions from the revision table to a special hidden table to hide it.
- talk
- Makes the editing of talk pages a distinct action from the editing of articles. See Talkright extension
Tree
- autoconfirmed
- bot
- createaccount
- emailconfirmed
- proxyunbannable
- read
- block
- delete (delete pages)
- trackback
- deletedhistory
- delete (show/restore deleted pages)
- deleterevision
- edit
- createpage
- createtalk
- editinterface
- minoredit
- hiderevision
- import
- importupload
- move
- patrol
- protect
- rollback
- siteadmin
- unwatchedpages
- upload
- reupload
- reupload-shared
- upload_by_url
- userrights
Changing user groups manually in the database
The user rights are in a table called user_groups with two fields called ug_user and ug_group. There must be one row inserted for each group the user belongs to. You must know the user id number of the user from the users table. This sql query should do the trick. In the example below substitute 1 with the user ID number from the users table.
INSERT INTO user_groups (ug_user, ug_group) VALUES ('1', 'bureaucrat');
INSERT INTO user_groups (ug_user, ug_group) VALUES ('1', 'sysop');
Managing group rights
To change the access levels of existing groups or add new groups, you need to have shell/ftp access to the machine that MediaWiki is running on. You can add or remove permissions to a group with the following sample statements in LocalSettings.php.
To disable account creation by anonymous visitors (this replaces $wgWhitelistAccount from 1.4)
$wgGroupPermissions['*']['createaccount'] = false;
To require that users log in to edit (this replaces the $wgWhitelistEdit from 1.4):
$wgGroupPermissions['*']['edit'] = false;
It's worth noting that if you set this, you may also want to set
$wgShowIPinHeader = false; # For non-logged in users
This removes the link to the talk page in the header for non-logged in users, and hasn't changed from 1.4.
If $wgWhitelistRead is set, you must also disable the 'read' permission for it to take effect on anonymous users. Any CSS and JS pages used in the Main Page or Login Page should be accessible as well to avoid IE scripting error dialog box.
$wgWhitelistRead = array( "Main Page", "Special:Userlogin", "-", "MediaWiki:Monobook.css" ); $wgGroupPermissions['*']['read'] = false;
Main Page is not mandatory for this list. To avoid "login required" redirect page, you can change includes/OutputPage.php loginToUse():
function loginToUse() {
$titleObj = Title::makeTitle( NS_SPECIAL, "Userlogin" );
$this->redirect( $titleObj->getFullURL() );
}
You can define new groups as well, and then assign them to users through Special:Userrights:
$wgGroupPermissions['ninja']['delete'] = true; $wgGroupPermissions['ninja']['block'] = true; $wgGroupPermissions['ninja']['bot'] = true;
Defaults
For reference, here are the default group/permission assignments in 1.6.9, 1.8.2, 1.8.3, and 1.9.2 unless otherwise noted (found in includes/DefaultSettings.php):
/** * Permission keys given to users in each group. * All users are implicitly in the '*' group including anonymous visitors; * logged-in users are all implicitly in the 'user' group. These will be * combined with the permissions of all groups that a given user is listed * in in the user_groups table. * * Functionality to make pages inaccessible has not been extensively tested * for security. Use at your own risk! * * This replaces wgWhitelistAccount and wgWhitelistEdit */ $wgGroupPermissions = array(); // Implicit group for all anonymous $wgGroupPermissions['*' ]['createaccount'] = true; $wgGroupPermissions['*' ]['read'] = true; $wgGroupPermissions['*' ]['edit'] = true; $wgGroupPermissions['*' ]['createpage'] = true; $wgGroupPermissions['*' ]['createtalk'] = true; // Implicit group for all logged-in accounts $wgGroupPermissions['user' ]['move'] = true; $wgGroupPermissions['user' ]['read'] = true; $wgGroupPermissions['user' ]['edit'] = true; $wgGroupPermissions['user' ]['createpage'] = true; $wgGroupPermissions['user' ]['createtalk'] = true; $wgGroupPermissions['user' ]['upload'] = true; $wgGroupPermissions['user' ]['reupload'] = true; $wgGroupPermissions['user' ]['reupload-shared'] = true; $wgGroupPermissions['user' ]['minoredit'] = true; // Implicit group for accounts that pass $wgAutoConfirmAge $wgGroupPermissions['autoconfirmed']['autoconfirmed'] = true; // Implicit group for accounts with confirmed email addresses // This has little use when email address confirmation is off $wgGroupPermissions['emailconfirmed']['emailconfirmed'] = true; // not in version 1.6.9 // Users with bot privilege can have their edits hidden // from various log pages by default $wgGroupPermissions['bot' ]['bot'] = true; $wgGroupPermissions['bot' ]['autoconfirmed'] = true; $wgGroupPermissions['bot' ]['nominornewtalk'] = true; // not in version 1.6.9, 1.8.2, 1.8.3 // Most extra permission abilities go to this group $wgGroupPermissions['sysop']['block'] = true; $wgGroupPermissions['sysop']['createaccount'] = true; $wgGroupPermissions['sysop']['delete'] = true; $wgGroupPermissions['sysop']['deletedhistory'] = true; // can view deleted history entries, but not see or restore the text $wgGroupPermissions['sysop']['editinterface'] = true; $wgGroupPermissions['sysop']['import'] = true; $wgGroupPermissions['sysop']['importupload'] = true; $wgGroupPermissions['sysop']['move'] = true; $wgGroupPermissions['sysop']['patrol'] = true; $wgGroupPermissions['sysop']['autopatrol'] = true; // not in version 1.6.9, 1.8.2, 1.8.3 $wgGroupPermissions['sysop']['protect'] = true; $wgGroupPermissions['sysop']['proxyunbannable'] = true; //not in version 1.6.9 $wgGroupPermissions['sysop']['rollback'] = true; $wgGroupPermissions['sysop']['trackback'] = true; //not in version 1.6.9 $wgGroupPermissions['sysop']['upload'] = true; $wgGroupPermissions['sysop']['reupload'] = true; $wgGroupPermissions['sysop']['reupload-shared'] = true; $wgGroupPermissions['sysop']['unwatchedpages'] = true; $wgGroupPermissions['sysop']['autoconfirmed'] = true; $wgGroupPermissions['sysop']['upload_by_url'] = true; //not in version 1.6.9 $wgGroupPermissions['sysop']['ipblock-exempt'] = true; // not in version 1.6.9, 1.8.2, 1.8.3 // Permission to change users' group assignments $wgGroupPermissions['bureaucrat']['userrights'] = true;
