From 98259437f0ee17aba05daefb069660ad19dc7bd9 Mon Sep 17 00:00:00 2001 From: Pyjacpp Date: Fri, 15 May 2026 22:41:29 +0200 Subject: [PATCH] Ajout category lockdown --- hosts/vm/mediakiwi/category-lockdown.patch | 90 ++++++++++++++++++++++ hosts/vm/mediakiwi/mediawiki.nix | 45 ++++++++--- 2 files changed, 126 insertions(+), 9 deletions(-) create mode 100644 hosts/vm/mediakiwi/category-lockdown.patch diff --git a/hosts/vm/mediakiwi/category-lockdown.patch b/hosts/vm/mediakiwi/category-lockdown.patch new file mode 100644 index 0000000..3a2b092 --- /dev/null +++ b/hosts/vm/mediakiwi/category-lockdown.patch 
@@ -0,0 +1,90 @@ +diff --git a/CategoryLockdown.php b/CategoryLockdown.php +index 1e17ec7..caa13c1 100644 +--- a/CategoryLockdown.php ++++ b/CategoryLockdown.php +@@ -16,6 +16,8 @@ class CategoryLockdown { + */ + public static function onGetUserPermissionsErrors( $title, $user, $action, &$result ) { + global $wgCategoryLockdown; ++ global $wgCategoryGroupLockdown; ++ global $wgCategoryLockdownWhitelist; + + $explicitGroups = MediaWikiServices::getInstance()->getUserGroupManager()->getUserGroups( $user ); + $implicitGroups = MediaWikiServices::getInstance()->getUserGroupManager()->getUserImplicitGroups( $user ); +@@ -26,6 +28,11 @@ class CategoryLockdown { + return; + } + ++ // Rules doesn’t apply to the whitelist ++ if ( in_array( $title, $wgCategoryLockdownWhitelist ) ) { ++ return; ++ } ++ + $categories = array_keys( $title->getParentCategories() ); + + // Apply rules to the category page itself +@@ -33,16 +40,11 @@ class CategoryLockdown { + $categories[] = $title->getFullText(); + } + ++ // Support "Category:Top_secret", "Category:Top secret", "Top_secret" and "Top secret" ++ $categories = array_map( fn($c) => str_replace( '_', ' ', substr( $c, strpos( $c, ':' ) + 1 ) ), $categories ); + $combinedGroups = []; + foreach ( $categories as $category ) { +- // Support "Category:Top_secret", "Category:Top secret", "Top_secret" and "Top secret" +- $category = substr( $category, strpos( $category, ':' ) + 1 ); +- $category = str_replace( '_', ' ', $category ); + $permissions = $wgCategoryLockdown[ $category ] ?? null; +- if ( !$permissions ) { +- $category = str_replace( ' ', '_', $category ); +- $permissions = $wgCategoryLockdown[ $category ] ?? 
null; +- } + if ( !$permissions ) { + continue; + } +@@ -57,15 +59,40 @@ class CategoryLockdown { + $combinedGroups[] = $allowedGroup; + } + } +- if ( $combinedGroups ) { +- foreach ( $userGroups as $userGroup ) { +- if ( in_array( $userGroup, $combinedGroups ) ) { +- return; +- } ++ ++ $allow = false; ++ foreach ( $userGroups as $userGroup ) { ++ if ( in_array( $userGroup, $combinedGroups ) ) { ++ $allow = true; ++ break; + } ++ } ++ if ( $combinedGroups && !$allow ) { + $result = [ 'categorylockdown-error', implode( ', ', $combinedGroups ) ]; + return false; + } ++ ++ $allow = true; ++ foreach ( $wgCategoryGroupLockdown as $group => $groupCategories ) { ++ if ( str_starts_with( $group, "!") ? ++ in_array( substr($group, 1), $userGroups ) : ++ !in_array( $group, $userGroups ) ) { ++ continue; # Skip if this group rule doesn’t match the user ++ } ++ ++ $requiredCat = $groupCategories[$action] ?? []; ++ $groupLocked = true; ++ foreach ( $requiredCat as $c ) { ++ if ( in_array( $c, $categories ) ) { ++ $groupLocked = false; ++ break; # One of the category is present, we can grant this action. ++ } ++ } ++ if ( $groupLocked ) { ++ $result = [ 'categorylockdown-error', implode( ', ', $requiredCat ) ]; ++ return false; # This group of users need a category from groupCategories on this page to perform $action ++ } ++ } + } + + /** diff --git a/hosts/vm/mediakiwi/mediawiki.nix b/hosts/vm/mediakiwi/mediawiki.nix index acf8cad..1c6b622 100644 --- a/hosts/vm/mediakiwi/mediawiki.nix +++ b/hosts/vm/mediakiwi/mediawiki.nix 
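Review bot: The whitelist test `in_array( $title, $wgCategoryLockdownWhitelist )` compares a Title object loosely against strings and, because it runs before any rule is evaluated, exempts those titles from every action rather than only `read`; prefer `in_array( $title->getPrefixedText(), $wgCategoryLockdownWhitelist ?? [], true )` so the match is explicit and an unset global cannot turn every permission check into a TypeError. In the new `$wgCategoryGroupLockdown` loop, `$groupLocked` starts true and `$requiredCat` defaults to `[]`, so a matching group rule denies every action it does not list and reports an empty category list in the error; if only the configured actions are meant to be gated, add `if ( !isset( $groupCategories[$action] ) ) { continue; }` before the inner loop, otherwise document that unlisted actions are denied. Category membership comes from `$title->getParentCategories()`, i.e. the stored category links, so anyone who can edit a page can move it in or out of a lockdown by editing its categories, and a page whose links update has not run yet presumably carries no categories — worth a comment on the hook. The hook body starts before and continues after the nested hunks.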
@@ -133,11 +133,20 @@ in $wgLocaltimezone = 'Europe/Paris'; $wgDefaultUserOptions['timecorrection'] = 'ZoneInfo|0|' . $wgLocaltimezone; - # Disable anonymous editing - $wgGroupPermissions['*']['edit'] = false; - $wgGroupPermissions['*']['read'] = false; + # Access Control + $wgGroupPermissions['*']['edit'] = false; # Restrict edition for anonymous user + $wgGroupPermissions['*']['createaccount'] = false; # Restrict the creation of account to sysop only - # Extensions + $wgCategoryLockdownWhitelist = [ + "Spécial:Connexion", + "Spécial:Connexion/return", + "Spécial:PluggableAuthLogin", + "Spécial:Recherche", + "MediaWiki:Common.css", + "MediaWiki:Common.js" + ]; + + $wgCategoryGroupLockdown["!user"]["read"] = [ "Page Publique" ]; # Restrict read for non-user (i.e. anonymous) on execpt for Page Publique # Extensions $wgWikiEditorRealtimePreview = true; $wgCiteBookReferencing = true; $wgPdfProcessor = '${ pkgs.ghostscript }/bin/gs'; @@ -216,7 +225,24 @@ in VisualEditor = null; # pour éditer visuellement les pages WikiEditor = null; # pour éditer le code wiki des pages - # Bundled with next version, put as null in the next update + CategoryLockdown = pkgs.applyPatches { + src = pkgs.fetchFromGitHub { + name = "CategoryLockdown"; + owner = "wikimedia"; + repo = "mediawiki-extensions-CategoryLockdown"; + rev = "REL" + major + "_" + minor; + # Le SHA doit être changé à chaque nouveau commit de traduction. + # Pas de meilleure solution à ma connaissance pour suivre les releases. + sha256 = "sha256-WEg0QP4QXt89uvZCZvkfpycoZGBP640aTpaxbl5jsZs="; + }; + patches = [ + # Cette extension s’occupe des du contrôle d’accès du Wiki + # et a été beaucoup patché. Pensez à vérifier les changements + # et révisez le patch le cas échéant. + "${./category-lockdown.patch}" + ]; + }; + TemplateStyles = pkgs.fetchFromGitHub { name = "TemplateStyles"; owner = "wikimedia"; 
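Review bot: Dropping `$wgGroupPermissions['*']['read'] = false;` makes anonymous read depend entirely on the CategoryLockdown hook, and MediaWiki's per-page `read` check is generally not a hard boundary — search result snippets, diffs, exports, category listings and the API are the usual channels through which a page outside `Page Publique` can still be partially disclosed; whitelisting `Spécial:Recherche` for anonymous users makes the search-snippet path the most likely leak, so either drop it from `$wgCategoryLockdownWhitelist` or verify that search results are filtered for locked pages before relying on this. The whitelist also exempts those titles from every lockdown action, not only read, which is acceptable for the login and search special pages but deserves a comment such as `# Titles listed here bypass ALL lockdown rules, not only read`. The trailing comment's `execpt` should read `except`.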
@@ -266,14 +292,15 @@ in
 # Pas de meilleure solution à ma connaissance pour suivre les releases.
 sha256 = "sha256-oi5rliHb4KnLbvQxO7MGuLp/FEucoGR/Z0NP1gmbgMc=";
 };
- WSOAuth = pkgs.fetchFromGitHub {
+ WSOAuth = pkgs.fetctFromGitlab {
+ domain = "gitlab.crans.org";
 name = "WSOAuth";
 owner = "pyjacpp";
- repo = "WSOAuth";
- rev = "REL" + major + "_" + minor;
+ repo = "wsoauth";
+ rev = "master";
 # Le SHA doit être changé à chaque nouveau commit de traduction.
 # Pas de meilleure solution à ma connaissance pour suivre les releases.
- sha256 = "sha256-G2C/KuSgfWWftpHHhOABwFcOEb1zB8qmHi9KgrC6Jrc=";
+ sha256 = "sha256-8jrRuHcJZc+YNnfyYkNLwF4PEIiHfd27YnTVAZcxgoc=";
 };
 WSONoteKfetAuth = "${./WSONoteKfetAuth}";
 };
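Review bot: `pkgs.fetctFromGitlab` is not a nixpkgs function (the fetcher is `pkgs.fetchFromGitLab`), so this hunk will fail evaluation with a missing-attribute error. `rev = "master"` with a fixed `sha256` also means the WSOAuth fetch breaks on the next push to that branch and, for the extension that handles OAuth login, the authentication code is pinned only by a hash the comment says is routinely bumped; pin `rev` to the commit hash of the revision you reviewed, e.g. `rev = "<commit-sha>";`, and keep the `sha256`. The kept comment about translation commits no longer fits a self-hosted `master` branch and should state why that branch is tracked.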