Skip to content
Snippets Groups Projects
Normal view Permalink
default-permissions.php 4.33 KiB
Newer Older
Frank Duncan's avatar
Fix #59: Refactor roles from inline blocks to files
Frank Duncan committed
1 
<?php
Frank Duncan's avatar
Fix #62, Fix #64: Refactor permissions file  
Frank Duncan committed
2 3 
# Even if these groups aren't used in the wiki (no users assigned), this should be the
# master list of all groups enabled on the wiki
Frank Duncan's avatar
Fix #59: Refactor roles from inline blocks to files
Frank Duncan committed
4 5 6 7 8 
$wgGroupPermissions['LFCConsultingPartners']['read'] = true;
$wgGroupPermissions['LFCResearchPartners']['read'] = true;
$wgGroupPermissions['LFCEvaluators']['read'] = true;
$wgGroupPermissions['PseudoDecisionMakers']['read'] = true;
$wgGroupPermissions['DecisionMakers']['read'] = true;
Frank Duncan's avatar
Fix #62, Fix #64: Refactor permissions file  
Frank Duncan committed
9 10 11 12 13 14 
$wgGroupPermissions['OutsideReviewers']['read'] = true;

$wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['bot']['protect'] = true;
$wgRestrictionLevels[] = 'generated';
$wgGroupPermissions['bot']['generated'] = true;
Frank Duncan's avatar
Fix #59: Refactor roles from inline blocks to files
Frank Duncan committed
15 16 17 18 19 

# Disable teamcomments for users on this wiki by default.
$wgGroupPermissions['*']['teamcomment'] = false;
$wgGroupPermissions['*']['teamcommentseeusernames'] = false;
Karl Fogel's avatar
Make a comment more accurate  
Karl Fogel committed
20 
# API-using groups
Frank Duncan's avatar
Update permissions to bring more in line with OTS standard  
Frank Duncan committed
21 22 
# These are local login users (as that's required to use api.php) and so
# will not have corresponding entries in the saml config
Frank Duncan's avatar
Add API users to default permissions set  
Frank Duncan committed
23 24 25 26 27 
$wgGroupPermissions['API_Candid']['read'] = true;
$wgGroupPermissions['API_ForumOne']['read'] = true;
$wgGroupPermissions['API_ScalingScience']['read'] = true;
$wgGroupPermissions['API_KFG']['read'] = true;
$wgGroupPermissions['API_OTS']['read'] = true;
Frank Duncan's avatar
Use the new refactored ansible with 100Change2020  
Frank Duncan committed
28
Frank Duncan's avatar
Fix #62, Fix #64: Refactor permissions file  
Frank Duncan committed
29 30 31 
# Log permissions (ability to see Special:Log)
$wgAvailableRights[] = 'view-special-log';
$wgGroupPermissions['*']['view-special-log'] = false;
Frank Duncan's avatar
Fix #59: Refactor roles from inline blocks to files
Frank Duncan committed
32
Frank Duncan's avatar
Fix #62, Fix #64: Refactor permissions file  
Frank Duncan committed
33 34 35 36 37 
# Configuration of different user groups
$wgGroupPermissions['sysop']['generated'] = true;
$wgGroupPermissions['sysop']['edittorqueconfig'] = true;
$wgGroupPermissions['sysop']['torquedataconnect-admin'] = true;
$wgGroupPermissions['sysop']['teamcomment'] = true;
Frank Duncan's avatar
Fix #59: Refactor roles from inline blocks to files
Frank Duncan committed
38 
$wgGroupPermissions['sysop']['teamcommentseeusernames'] = true;
Frank Duncan's avatar
Fix #62, Fix #64: Refactor permissions file  
Frank Duncan committed
39 40 41 
$wgGroupPermissions['sysop']['picksome'] = true;
$wgGroupPermissions['sysop']['picksome-admin'] = true;
$wgGroupPermissions['sysop']['view-special-log'] = true;
Frank Duncan's avatar
Two small fixes for edit interface  
Frank Duncan committed
42 
$wgGroupPermissions['sysop']['torquedataconnect-edit'] = true;
Frank Duncan's avatar
Fix #59: Refactor roles from inline blocks to files
Frank Duncan committed
43
Frank Duncan's avatar
Fix #62, Fix #64: Refactor permissions file  
Frank Duncan committed
44 45 
$wgGroupPermissions['DecisionMakers']['teamcomment'] = true;
$wgGroupPermissions['DecisionMakers']['teamcommentseeusernames'] = true;
Frank Duncan's avatar
Fix #59: Refactor roles from inline blocks to files
Frank Duncan committed
46 47 48 
$wgGroupPermissions['DecisionMakers']['picksome'] = true;
$wgGroupPermissions['DecisionMakers']['picksome-write'] = true;
Frank Duncan's avatar
Fix #62, Fix #64: Refactor permissions file  
Frank Duncan committed
49 50 51 52 53 54 55 56 
$wgGroupPermissions['PseudoDecisionMakers']['teamcomment'] = true;
$wgGroupPermissions['PseudoDecisionMakers']['teamcommentseeusernames'] = true;

$wgGroupPermissions['LFCConsultingPartners']['torquedataconnect-edit'] = true;

$wgGroupPermissions['LFCResearchPartners']['teamcomment'] = true;

$wgGroupPermissions['LFCEvaluators']['teamcomment'] = true;
Frank Duncan's avatar
Fix #59: Refactor roles from inline blocks to files
Frank Duncan committed
57 58 59 60 61 

# Disable Special:Log for groups that don't have view-special-log above
$wgHooks['SpecialPage_initList'][] = function ( &$list ) {
  global $wgUser;
Frank Duncan's avatar
Fix bug where user trying to load before user is ready  
Frank Duncan committed
62 
  if($wgUser->isSafeToLoad() && !$wgUser->isAllowed('view-special-log')) {
Frank Duncan's avatar
Fix #59: Refactor roles from inline blocks to files
Frank Duncan committed
63 64 65 66 
    unset( $list['Log'] );
  }
  return true;
};
Frank Duncan's avatar
Fix #62, Fix #64: Refactor permissions file  
Frank Duncan committed
67
Karl Fogel's avatar
Improve code comment about group mapping  
Karl Fogel committed
68 69 70 71 72 73 74 75 76 77 78 79 80 
# We have to convert incoming groups from SSO (e.g., MacFound Okta) to
# Mediawiki (SimpleSAMLphp) groups.  The incoming groups often have
# spaces in their names, to make them more readable to users, whereas
# MediaWiki groups can't have spaces.  Also, in some cases there are
# existing well-known MediaWiki groups (e.g., "sysop") that map pretty
# well to an incoming SSO group, even though the two names are
# unrelated, so in those cases we just convert the incoming group to
# the MediaWiki group.
#
# (For more information on SimpleSAML configuration in general, see
# https://www.mediawiki.org/wiki/Extension:SimpleSAMLphp#Configuration.)
# 
# These are the MediaWiki Groups:
Frank Duncan's avatar
Fix #62, Fix #64: Refactor permissions file  
Frank Duncan committed
81 82 83 84 
$wgSimpleSAMLphp_SyncAllGroups_LocallyManaged = [
  "sysop",
  "bureaucrat",
  "interface-admin",
Frank Duncan's avatar
Use the new refactored ansible with 100Change2017  
Frank Duncan committed
85 
  "DecisionMakers",
Frank Duncan's avatar
Fix #62, Fix #64: Refactor permissions file  
Frank Duncan committed
86 87 88 89 90 
  "LFCConsultingPartners",
  "LFCResearchPartners",
  "LFCEvaluators",
  "PseudoDecisionMakers",
];
Karl Fogel's avatar
Improve code comment about group mapping  
Karl Fogel committed
91 92 93 
#
# And this is the mapping (MediaWiki on left, incoming SSO on right):
#
Frank Duncan's avatar
Fix #62, Fix #64: Refactor permissions file  
Frank Duncan committed
94 
$wgSimpleSAMLphp_GroupMap = [
Frank Duncan's avatar
Update permissions to bring more in line with OTS standard  
Frank Duncan committed
95 96 97 
  'sysop' => ['groups' => ['LFC Torque Admin', 'LFC Staff', 'LFC Admins']],
  'interface-admin' => ['groups' => ['LFC Torque Admin', 'LFC Staff', 'LFC Admins']],
  'bureaucrat' => ['groups' => ['LFC Torque Admin', 'LFC Staff', 'LFC Admins']],
Frank Duncan's avatar
Use the new refactored ansible with DemoView  
Frank Duncan committed
98 
  'DecisionMakers' => ['groups' => ['LFC Decision Makers', 'Board Members']],
Frank Duncan's avatar
Update permissions to bring more in line with OTS standard  
Frank Duncan committed
99 
  'PseudoDecisionMakers' => ['groups' => ['LFC Pseudo Decision Makers', 'Pseudo Board Members']],
Frank Duncan's avatar
Map LFC Consultants okta group to LFCConsultingPartners  
Frank Duncan committed
100 101 
  'LFCEvaluators' => ['groups' => ['LFC Evaluators']],
  'LFCConsultingPartners' => ['groups' => ['LFC Consultants']],
Frank Duncan's avatar
Use the new refactored ansible with 100Change2020  
Frank Duncan committed
102 
  'LFCResearchPartners' => ['groups' => ['LFC Research Partners']]
Frank Duncan's avatar
Fix #62, Fix #64: Refactor permissions file  
Frank Duncan committed
103 104 
];
Frank Duncan's avatar
Fix #59: Refactor roles from inline blocks to files
Frank Duncan committed
105 
?>