crans
/
nixos
mirror of https://gitlab.crans.org/nounous/nixos
19
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Ajout category lockdown

wiki
Pyjacpp 2026-05-15 22:41:29 +02:00
parent a4b467362d
commit 98259437f0
No known key found for this signature in database
GPG Key ID: ED479A5A26930939
2 changed files with 126 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

90
hosts/vm/mediakiwi/category-lockdown.patch 100644
View File

@ -0,0 +1,90 @@
diff --git a/CategoryLockdown.php b/CategoryLockdown.php
index 1e17ec7..caa13c1 100644
--- a/CategoryLockdown.php
+++ b/CategoryLockdown.php
@@ -16,6 +16,8 @@ class CategoryLockdown {
*/
public static function onGetUserPermissionsErrors( $title, $user, $action, &$result ) {
global $wgCategoryLockdown;
+ global $wgCategoryGroupLockdown;
+ global $wgCategoryLockdownWhitelist;
$explicitGroups = MediaWikiServices::getInstance()->getUserGroupManager()->getUserGroups( $user );
$implicitGroups = MediaWikiServices::getInstance()->getUserGroupManager()->getUserImplicitGroups( $user );
@@ -26,6 +28,11 @@ class CategoryLockdown {
return;
}
+ // Rules doesnt apply to the whitelist
+ if ( in_array( $title, $wgCategoryLockdownWhitelist ) ) {
+ return;
+ }
+
$categories = array_keys( $title->getParentCategories() );
// Apply rules to the category page itself
@@ -33,16 +40,11 @@ class CategoryLockdown {
$categories[] = $title->getFullText();
}
+ // Support "Category:Top_secret", "Category:Top secret", "Top_secret" and "Top secret"
+ $categories = array_map( fn($c) => str_replace( '_', ' ', substr( $c, strpos( $c, ':' ) + 1 ) ), $categories );
$combinedGroups = [];
foreach ( $categories as $category ) {
- // Support "Category:Top_secret", "Category:Top secret", "Top_secret" and "Top secret"
- $category = substr( $category, strpos( $category, ':' ) + 1 );
- $category = str_replace( '_', ' ', $category );
$permissions = $wgCategoryLockdown[ $category ] ?? null;
- if ( !$permissions ) {
- $category = str_replace( ' ', '_', $category );
- $permissions = $wgCategoryLockdown[ $category ] ?? null;
- }
if ( !$permissions ) {
continue;
}
@@ -57,15 +59,40 @@ class CategoryLockdown {
$combinedGroups[] = $allowedGroup;
}
}
- if ( $combinedGroups ) {
- foreach ( $userGroups as $userGroup ) {
- if ( in_array( $userGroup, $combinedGroups ) ) {
- return;
- }
+
+ $allow = false;
+ foreach ( $userGroups as $userGroup ) {
+ if ( in_array( $userGroup, $combinedGroups ) ) {
+ $allow = true;
+ break;
}
+ }
+ if ( $combinedGroups && !$allow ) {
$result = [ 'categorylockdown-error', implode( ', ', $combinedGroups ) ];
return false;
}
+
+ $allow = true;
+ foreach ( $wgCategoryGroupLockdown as $group => $groupCategories ) {
+ if ( str_starts_with( $group, "!") ?
+ in_array( substr($group, 1), $userGroups ) :
+ !in_array( $group, $userGroups ) ) {
+ continue; # Skip if this group rule doesnt match the user
+ }
+
+ $requiredCat = $groupCategories[$action] ?? [];
+ $groupLocked = true;
+ foreach ( $requiredCat as $c ) {
+ if ( in_array( $c, $categories ) ) {
+ $groupLocked = false;
+ break; # One of the category is present, we can grant this action.
+ }
+ }
+ if ( $groupLocked ) {
+ $result = [ 'categorylockdown-error', implode( ', ', $requiredCat ) ];
+ return false; # This group of users need a category from groupCategories on this page to perform $action
+ }
+ }
}
/**

45
hosts/vm/mediakiwi/mediawiki.nix
View File

@ -133,11 +133,20 @@ in
$wgLocaltimezone = 'Europe/Paris';
$wgDefaultUserOptions['timecorrection'] = 'ZoneInfo|0|' . $wgLocaltimezone;
# Disable anonymous editing
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['read'] = false;
# Access Control
$wgGroupPermissions['*']['edit'] = false; # Restrict edition for anonymous user
$wgGroupPermissions['*']['createaccount'] = false; # Restrict the creation of account to sysop only
# Extensions
$wgCategoryLockdownWhitelist = [
"Spécial:Connexion",
"Spécial:Connexion/return",
"Spécial:PluggableAuthLogin",
"Spécial:Recherche",
"MediaWiki:Common.css",
"MediaWiki:Common.js"
];
$wgCategoryGroupLockdown["!user"]["read"] = [ "Page Publique" ]; # Restrict read for non-user (i.e. anonymous) on execpt for Page Publique # Extensions
$wgWikiEditorRealtimePreview = true;
$wgCiteBookReferencing = true;
$wgPdfProcessor = '${ pkgs.ghostscript }/bin/gs';
@ -216,7 +225,24 @@ in
VisualEditor = null; # pour éditer visuellement les pages
WikiEditor = null; # pour éditer le code wiki des pages
# Bundled with next version, put as null in the next update
CategoryLockdown = pkgs.applyPatches {
src = pkgs.fetchFromGitHub {
name = "CategoryLockdown";
owner = "wikimedia";
repo = "mediawiki-extensions-CategoryLockdown";
rev = "REL" + major + "_" + minor;
# Le SHA doit être changé à chaque nouveau commit de traduction.
# Pas de meilleure solution à ma connaissance pour suivre les releases.
sha256 = "sha256-WEg0QP4QXt89uvZCZvkfpycoZGBP640aTpaxbl5jsZs=";
};
patches = [
# Cette extension soccupe des du contrôle daccès du Wiki
# et a été beaucoup patché. Pensez à vérifier les changements
# et révisez le patch le cas échéant.
"${./category-lockdown.patch}"
];
};
TemplateStyles = pkgs.fetchFromGitHub {
name = "TemplateStyles";
owner = "wikimedia";
@ -266,14 +292,15 @@ in
# Pas de meilleure solution à ma connaissance pour suivre les releases.
sha256 = "sha256-oi5rliHb4KnLbvQxO7MGuLp/FEucoGR/Z0NP1gmbgMc=";
};
WSOAuth = pkgs.fetchFromGitHub {
WSOAuth = pkgs.fetctFromGitlab {
domain = "gitlab.crans.org";
name = "WSOAuth";
owner = "pyjacpp";
repo = "WSOAuth";
rev = "REL" + major + "_" + minor;
repo = "wsoauth";
rev = "master";
# Le SHA doit être changé à chaque nouveau commit de traduction.
# Pas de meilleure solution à ma connaissance pour suivre les releases.
sha256 = "sha256-G2C/KuSgfWWftpHHhOABwFcOEb1zB8qmHi9KgrC6Jrc=";
sha256 = "sha256-8jrRuHcJZc+YNnfyYkNLwF4PEIiHfd27YnTVAZcxgoc=";
};
WSONoteKfetAuth = "${./WSONoteKfetAuth}";
};