User rights management in mediawiki
While playing with the central configuration of mediawiki, I found that the workaround I have used to manage the user’s permissions was not working as I would have expected.
Actually, the $wgConf stuff gives preference on true upon false when merging arrays of booleans (special mention is made that this is because of user rights).
The prefered solution, instead of defined $wgGroupPermissions…. to false, is to define $wgRevokePermissions…. to true
BUT mediawiki handles this second variable in a different way than the first ! If user is member of groups A and B :
-
user is allowed to perform action if one of both groups has $wgGroupPermissions set to true for it
-
UNLESS one of the groups has $wgRevokePermissions set for the action, in which case it overrules the permissions
While this may seem to be fine in most cases, the problem is that every user is member of the group “*”, which also stands for unregistered and unlogged users. So if you prevent those users from writing by means of $wgRevokePermissions, it will have the consequence that all users of the wiki won’t be able to write as they all belong to this group.
I have written some small code that works around this by emulating the bahaviour of $wgRevokePermissions, but in the way that the keys of $wgGroupPermissions are set to false.
However, this sounds quite fishy…