ACL implementation details
This article details the Access Control List (ACL) implementation within our MediaWiki 1.40 server environment. Understanding these details is crucial for administrators managing user permissions and ensuring site security. ACLs control what actions users can perform on specific pages and namespaces. This document covers the underlying mechanisms, configuration options, and best practices.
Core Concepts
At its heart, MediaWiki’s ACL system leverages a combination of user groups, page permissions, and rights management. Rights management is the foundation, defining what actions a user *can* perform. These rights are then applied to specific pages or namespaces through page protection and user group membership. The system differentiates between standard users, sysops (system administrators), and bureaucrats, each having varying levels of access.
ACLs aren't directly visible as a list of rules; instead, they're an emergent property of these underlying components. This means understanding how these components interact is key to managing access. Special:ListGroupRights is an invaluable tool for viewing the rights associated with each group.
Rights and User Groups
The following table outlines some critical rights and the user groups typically associated with them. This isn’t exhaustive, but it covers the most frequently used permissions.
Right | Description | Common User Groups |
---|---|---|
edit | Allows editing of pages. | Registered users, Autoconfirmed users |
create | Allows creating new pages. | Registered users, Autoconfirmed users |
delete | Allows deleting pages. | Sysops |
block | Allows blocking users and IP addresses. | Sysops |
protect | Allows changing page protection levels. | Sysops |
rollback | Allows reverting edits quickly. | Sysops |
patroldiffs | Allows marking edits as patrolled. | Autoconfirmed users, Patrollers |
viewsuppress | Allows viewing suppressed revisions. | Bureaucrats, Oversight |
It's important to note that rights can be granted directly to users, but this is generally discouraged in favor of managing permissions through user groups. Special:UserRights is used to manage user rights directly.
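An added example, not part of the original article: an offline audit of the group-to-rights mapping that Special:ListGroupRights displays, flagging sensitive rights held by groups that users enter without administrator action. It assumes the JSON shape returned by the API query `action=query&meta=siteinfo&siprop=usergroups`; the sample data, the `SENSITIVE` set and the `BROAD_GROUPS` set are constructed for illustration.

```python
import json

# Constructed sample in the shape of the siteinfo "usergroups" API response.
# The misconfiguration (autoconfirmed holding "delete") is deliberate.
SAMPLE = json.loads("""
{"query": {"usergroups": [
  {"name": "*",             "rights": ["read", "createaccount"]},
  {"name": "user",          "rights": ["read", "edit", "createpage", "move"]},
  {"name": "autoconfirmed", "rights": ["editsemiprotected", "delete"]},
  {"name": "sysop",         "rights": ["delete", "block", "protect", "rollback", "editprotected"]},
  {"name": "bureaucrat",    "rights": ["userrights"]},
  {"name": "suppress",      "rights": ["viewsuppressed", "suppressrevision"]}
]}}
""")

# Assumed local policy: rights that only trusted groups should hold.
SENSITIVE = {"delete", "block", "protect", "rollback", "userrights",
             "editprotected", "viewsuppressed", "suppressrevision"}
# Assumed: groups a user joins without any administrator granting them.
BROAD_GROUPS = {"*", "user", "autoconfirmed"}


def audit_group_rights(siteinfo):
    """Return sorted (group, right) pairs where a broad group holds a sensitive right."""
    findings = []
    for group in siteinfo["query"]["usergroups"]:
        if group["name"] not in BROAD_GROUPS:
            continue
        for right in group.get("rights", []):
            if right in SENSITIVE:
                findings.append((group["name"], right))
    return sorted(findings)


def holders(siteinfo, right):
    """Return the sorted names of all groups that hold the given right."""
    return sorted(g["name"] for g in siteinfo["query"]["usergroups"]
                  if right in g.get("rights", []))


if __name__ == "__main__":
    for group, right in audit_group_rights(SAMPLE):
        print(f"REVIEW: group '{group}' holds sensitive right '{right}'")
    print("Groups able to delete:", holders(SAMPLE, "delete"))
```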
Page Protection Levels
MediaWiki offers several levels of page protection to control editing access. These levels interact directly with the ACL system.
Protection Level | Description | Effects on Editing |
---|---|---|
Not Protected | No restrictions. | Anyone (depending on user group rights) can edit. |
Fully Protected | Only sysops can edit. | Prevents editing by all non-sysop users. |
Sysop Protected | Only bureaucrats and sysops can edit. | Prevents editing by all non-bureaucrat/sysop users. |
Template Protected | Only template editors and sysops can edit. | Prevents accidental modification of important templates. |
Cascading Protection | Protection extends to all included templates. | Protects all transcluded pages as well. |
Page protection is configured through Special:ProtectPage. Understanding the implications of each protection level is crucial for maintaining site stability and preventing vandalism. Help:Protecting pages provides a more detailed explanation of page protection.
Namespace-Specific Permissions
ACLs are not limited to individual pages; they can also be applied to entire namespaces. This allows for granular control over content creation and editing within specific areas of the wiki. For example, the Project: namespace might have stricter editing rules than the Help: namespace.
The following table shows common namespace permissions.
Namespace | Default Permissions (for Autoconfirmed Users) | Common Restrictions |
---|---|---|
Main | Edit, Create | May be subject to full or sysop protection. |
Talk | Edit, Create | Usually open for discussion. |
User | Edit (own user page only), Create (user talk page) | Restricted editing of other user pages. |
User talk | Edit (own talk page only) | Prevents harassment and unwanted modifications. |
Project | Edit, Create (with restrictions) | May require sysop approval for major changes. |
Help | Edit, Create (with restrictions) | Similar to Project namespace. |
Namespace permissions are often adjusted through the MediaWiki: namespace. Careful consideration should be given to the permissions assigned to each namespace to balance accessibility and security.
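An added example, not MediaWiki's own code and not from the original article: a simplified model of how an edit decision emerges from group rights, namespace protection, page protection and cascading protection combined. The group table, the `templateeditor` group and right, and the Project namespace rule are constructed assumptions; the mapping of the `autoconfirmed` and `sysop` protection levels to the `editsemiprotected` and `editprotected` rights follows MediaWiki core.

```python
# Constructed stand-in for the wiki's group-to-rights configuration.
GROUP_RIGHTS = {
    "*": {"read"},
    "user": {"read", "edit", "createpage"},
    "autoconfirmed": {"editsemiprotected"},
    "templateeditor": {"templateeditor"},  # hypothetical custom group and right
    "sysop": {"editprotected", "editsemiprotected", "protect", "delete",
              "templateeditor"},
}
# Protection level -> right required to edit a page at that level.
LEVEL_TO_RIGHT = {"autoconfirmed": "editsemiprotected", "sysop": "editprotected"}
# Constructed namespace rule: rights required to edit anything in a namespace.
NAMESPACE_PROTECTION = {"Project": {"editprotected"}}


def effective_rights(groups, logged_in=True):
    """Union of rights from explicit groups plus the implicit '*' and 'user' groups."""
    member_of = {"*"} | set(groups) | ({"user"} if logged_in else set())
    rights = set()
    for group in member_of:
        rights |= GROUP_RIGHTS.get(group, set())
    return rights


def can_edit(groups, namespace, page_level="", cascade_levels=(), logged_in=True):
    """Return (allowed, reason). cascade_levels are the levels inherited from
    cascade-protected pages that transclude this page."""
    rights = effective_rights(groups, logged_in)
    if "edit" not in rights:
        return False, "missing right: edit"
    for needed in sorted(NAMESPACE_PROTECTION.get(namespace, ())):
        if needed not in rights:
            return False, f"namespace requires: {needed}"
    for level in (page_level, *cascade_levels):
        if not level:
            continue  # empty level means unprotected
        needed = LEVEL_TO_RIGHT.get(level, level)  # other levels name the right itself
        if needed not in rights:
            return False, f"protection requires: {needed}"
    return True, "ok"


if __name__ == "__main__":
    print(can_edit(["autoconfirmed"], "Main", "sysop"))
    print(can_edit(["autoconfirmed"], "Main", cascade_levels=("sysop",)))
    print(can_edit(["sysop"], "Project", "sysop"))
```

The second call shows why cascading protection matters: the page itself is unprotected, yet the edit is refused because a cascade-protected page transcludes it.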
Advanced Configuration
Beyond the standard user groups and page protection levels, advanced configuration options exist for fine-tuning ACLs. These include:
- Extension:TitleBlacklist: Prevents the creation of pages with unwanted titles.
- Extension:AbuseFilter: Detects and prevents abusive behavior, such as vandalism and spam.
- Custom user rights: While discouraged for general use, custom rights can be defined to create highly specific permissions.
Regularly reviewing Special:RecentChanges and Special:Log/abusefilter-extended is essential for monitoring ACL effectiveness and identifying potential security breaches.
Special:ListUsers
Special:Groups
Help:User rights
Help:Page
Help:Namespace
Manual:Configuration settings
Manual:Configuring authentication
Manual:Administering MediaWiki
Extension:AbuseFilter
Extension:TitleBlacklist
Special:ProtectPage
Special:UserRights
Special:ListGroupRights
Help:Protecting pages
Manual:FAQ
Manual:FAQ/Security
Manual:FAQ/Configuration