Access Control Lists
Access Control Lists (ACLs) on MediaWiki Servers
This article details Access Control Lists (ACLs) and how they function within a MediaWiki 1.40 server environment. ACLs provide granular control over who can perform what actions on your wiki, going beyond simple user groups. This is crucial for maintaining security and managing contributions, especially in larger or more sensitive wikis.
What are Access Control Lists?
Traditionally, MediaWiki permissions are managed through user groups (e.g., sysop, editor, reader). ACLs extend this system by allowing permissions to be assigned to *individual pages* or *namespaces*, and to specific *user accounts* or *groups* for those specific locations. Essentially, ACLs allow you to define exceptions to the global permissions granted by user groups. This is heavily reliant on the Rights Management system.
ACLs are defined using a system of 'rules'. Each rule specifies:
- **Target:** The page(s) or namespace(s) the rule applies to.
- **Actor:** The user(s) or group(s) the rule applies to.
- **Right:** The permission being granted or denied.
Core Concepts & Terminology
Understanding the following terms is crucial for working with ACLs:
- **Rights:** These are the specific actions a user can perform (e.g., `edit`, `read`, `create`, `delete`). A full list of rights can be found on the Manual:Rights page.
- **Targets:** These specify where the rule applies. Targets can be specific page titles, namespaces (e.g., `Project:`), or even patterns using wildcards.
- **Actors:** These identify who the rule applies to. Actors can be individual user accounts (e.g., `User:Example`), user groups (e.g., `sysop`), or IP addresses/ranges.
- **Inheritance:** ACLs can inherit permissions from parent pages or namespaces. This allows you to set default permissions for entire sections of your wiki. Understanding Namespace structures is essential.
- **Deny vs. Allow:** Rules can either *allow* a right or *deny* a right. Deny rules generally take precedence over allow rules.
Configuring ACLs: Technical Details
ACLs are primarily managed through the `acl.php` script, which is located in the MediaWiki maintenance directory. Direct database manipulation is *strongly discouraged* as it can easily lead to corruption. The `acl.php` script utilizes the Database to store and retrieve ACL rules.
Here's a breakdown of common ACL management tasks and associated parameters:
Adding an ACL Rule
To add a rule, you would use the `acl.php` script with the `--add` option, followed by the target, actor, and right.
Example: To allow user `User:TestUser` to edit the page `Project:Testing`, you would use:
```bash
php maintenance/acl.php --add "Project:Testing" "User:TestUser" "edit"
```
Removing an ACL Rule
To remove a rule, you would use the `acl.php` script with the `--remove` option, followed by the target, actor, and right.
Example: To remove the rule allowing `User:TestUser` to edit `Project:Testing`:
```bash
php maintenance/acl.php --remove "Project:Testing" "User:TestUser" "edit"
```
Listing ACL Rules
To list all ACL rules for a specific target, you can use the `acl.php` script with the `--list` option and the target.
Example: To list all ACL rules for `Project:Testing`:
```bash
php maintenance/acl.php --list "Project:Testing"
```
Example ACL Configurations
Here are a few example configurations demonstrating common use cases.
Scenario 1: Restricting Editing to Specific Users
Let's say you have a sensitive page, `Project:Confidential`, that should only be edited by administrators.
Target | Actor | Right |
---|---|---|
Project:Confidential | sysop | edit |
Project:Confidential | User:TrustedEditor1 | edit |
Project:Confidential | User:TrustedEditor2 | edit |
This table shows that only members of the `sysop` group and the users `User:TrustedEditor1` and `User:TrustedEditor2` are allowed to edit `Project:Confidential`; all other users are denied edit access. This relies on proper User Rights assignments.
Scenario 2: Namespace-Level Restrictions
Suppose you want to prevent anonymous users from creating pages in the `Help:` namespace.
Target | Actor | Right |
---|---|---|
Help: | * | create |
This configuration *denies* the `create` right to *all* users (the `*` actor) in the `Help:` namespace, which prevents anonymous users from creating new help pages. Remember that this does *not* prevent editing of existing pages, only creation.
Scenario 3: Exception to a Group Permission
You want all editors to be able to read the `Draft:` namespace, but you want to deny `User:ProblemUser` access.
Target | Actor | Right |
---|---|---|
Draft: | editor | read |
Draft: | User:ProblemUser | read |
This configuration allows users in the `editor` group to read pages in the `Draft:` namespace, but explicitly denies `User:ProblemUser` read access.
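To make the rule semantics from the Core Concepts section concrete, here is an added example (not MediaWiki code and not `acl.php`) that evaluates the three scenario tables above: a namespace target covers every page in it (inheritance), `*` matches everyone, and a matching deny rule beats any matching allow rule. The `allow` flag, the function names and the `shadowed_allows` audit helper are assumptions made for this example; the tables leave allow/deny implicit in their prose.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    target: str   # exact page title ("Project:Confidential") or a namespace ("Help:")
    actor: str    # "User:Name", a group name, or "*" for everyone
    right: str    # "edit", "read", "create", ...
    allow: bool   # True for an allow rule, False for a deny rule (assumed field)


def target_matches(target: str, page: str) -> bool:
    # A namespace target ends with ":" and covers every page in that namespace
    # (the page's "inheritance"); any other target must name the page exactly.
    return page.startswith(target) if target.endswith(":") else page == target


def actor_matches(actor: str, user: str, groups: set) -> bool:
    return actor == "*" or actor == f"User:{user}" or actor in groups


def is_permitted(rules, page, user, groups, right, default=True) -> bool:
    """Does `user` (a member of `groups`) hold `right` on `page`?

    `default` stands in for the global group-based decision. Once any ACL
    rule exists for this page/right, only actors named by an allow rule get
    the right, and a matching deny rule beats every matching allow rule."""
    scoped = [r for r in rules if r.right == right and target_matches(r.target, page)]
    if not scoped:
        return default
    matching = [r for r in scoped if actor_matches(r.actor, user, groups)]
    if any(not r.allow for r in matching):
        return False
    return any(r.allow for r in matching)


def shadowed_allows(rules):
    """Audit helper: allow rules made dead by a '*' deny on the same target/right."""
    wildcard_denies = {(r.target, r.right) for r in rules if not r.allow and r.actor == "*"}
    return [r for r in rules if r.allow and (r.target, r.right) in wildcard_denies]


# Constructed rule set: the three scenario tables from this page.
RULES = [
    Rule("Project:Confidential", "sysop", "edit", True),
    Rule("Project:Confidential", "User:TrustedEditor1", "edit", True),
    Rule("Project:Confidential", "User:TrustedEditor2", "edit", True),
    Rule("Help:", "*", "create", False),
    Rule("Draft:", "editor", "read", True),
    Rule("Draft:", "User:ProblemUser", "read", False),
]
```

Running `shadowed_allows` over a rule set before deploying it surfaces the precedence surprise the Security Considerations warn about: an allow rule added under a `*` deny never takes effect.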
Security Considerations
- **Complexity:** ACLs can quickly become complex and difficult to manage, especially in large wikis. Thorough planning is crucial.
- **Precedence:** Deny rules generally take precedence over allow rules. Understand this behavior to avoid unintended consequences.
- **Auditing:** Regularly review your ACL configurations to ensure they are still appropriate and effective. Consider using Logging to track ACL changes.
- **Database Backups:** Always maintain regular database backups to protect against accidental data loss or corruption.
Further Resources
- Manual:Configuring ACLs - Official MediaWiki documentation.
- Extension:ACL - A related extension that provides a more user-friendly interface for managing ACLs.
- Help:Contents - General help and documentation for MediaWiki.
- Special:ListUsers - Allows you to view and manage user accounts.
Intel-Based Server Configurations
Configuration | Specifications | Benchmark |
---|---|---|
Core i7-6700K/7700 Server | 64 GB DDR4, NVMe SSD 2 x 512 GB | CPU Benchmark: 8046 |
Core i7-8700 Server | 64 GB DDR4, NVMe SSD 2x1 TB | CPU Benchmark: 13124 |
Core i9-9900K Server | 128 GB DDR4, NVMe SSD 2 x 1 TB | CPU Benchmark: 49969 |
Core i9-13900 Server (64GB) | 64 GB RAM, 2x2 TB NVMe SSD | |
Core i9-13900 Server (128GB) | 128 GB RAM, 2x2 TB NVMe SSD | |
Core i5-13500 Server (64GB) | 64 GB RAM, 2x500 GB NVMe SSD | |
Core i5-13500 Server (128GB) | 128 GB RAM, 2x500 GB NVMe SSD | |
Core i5-13500 Workstation | 64 GB DDR5 RAM, 2 NVMe SSD, NVIDIA RTX 4000 | |
AMD-Based Server Configurations
Configuration | Specifications | Benchmark |
---|---|---|
Ryzen 5 3600 Server | 64 GB RAM, 2x480 GB NVMe | CPU Benchmark: 17849 |
Ryzen 7 7700 Server | 64 GB DDR5 RAM, 2x1 TB NVMe | CPU Benchmark: 35224 |
Ryzen 9 5950X Server | 128 GB RAM, 2x4 TB NVMe | CPU Benchmark: 46045 |
Ryzen 9 7950X Server | 128 GB DDR5 ECC, 2x2 TB NVMe | CPU Benchmark: 63561 |
EPYC 7502P Server (128GB/1TB) | 128 GB RAM, 1 TB NVMe | CPU Benchmark: 48021 |
EPYC 7502P Server (128GB/2TB) | 128 GB RAM, 2 TB NVMe | CPU Benchmark: 48021 |
EPYC 7502P Server (128GB/4TB) | 128 GB RAM, 2x2 TB NVMe | CPU Benchmark: 48021 |
EPYC 7502P Server (256GB/1TB) | 256 GB RAM, 1 TB NVMe | CPU Benchmark: 48021 |
EPYC 7502P Server (256GB/4TB) | 256 GB RAM, 2x2 TB NVMe | CPU Benchmark: 48021 |
EPYC 9454P Server | 256 GB RAM, 2x2 TB NVMe | |
*Note: All benchmark scores are approximate and may vary based on configuration. Server availability subject to stock.*