I am running a small MediaWiki.
It has the standard groups: all, user, bureaucrat, bot and sysop all with matching rights.
But some of these rights are doubled so "all" may use the writeAPI and "users" may use the writeAPI too, so far no problem.
Now I want to restrict some accounts rights so they can't do anything else than reading.
Therefor I wanted to add a new group, wich overrides all other existing group rights of the account added to it.
So anybody in this group may only read articles no matter what other group they are in.
If you are added to this group it takes rights from you rather than granting you new ones
Is this possible, or do I have to add a new "writingUser" group and add anybody to this new group, remove the all rights from the standard "user" and "all" group and then remove accounts from the "writingUser" group to do the restriction...
I could not find anything like this in the web, were I just looking for the wrong thing or is it just not possible?
Use $wgRevokePermissions, e.g. $wgRevokePermissions['punished-user']['edit'] = false; but you'll have to revoke every permission you don't want them to have explicitly. Also, you might consider simply blocking them:)
Related
I want to invisible particular fields to stock manager and visible for stock user and Main Administrator(one of the stock manager).
for example:
<field name ="name_ids" groups="!group_stock_manager,group_stock_user"/>
It works but this field is not visible to the main administrator.
how I make visible this field to main administrator?
The thing is that group_stock_manager inherits from group_stock_userso you cannot restrict the first while allowing access to the second group. To solve it you may need to use other group different from group_stock_user to be able to isolate the permissions for group_stock_manager that will not be inherited from group_stock_user
Like Axel was saying you need to isolate the permissions. What you would need to do in your security definitions define the access rights to the field and use base.group_user.
Then create a new security group xml for people who can see and edit the field.
I have two similar pages that need a menu link. Page 1 is shown to members of Group A. Page 2 is shown to everyone who is not a member of Group A. I have a "Guest" group which would include everyone who is not logged in. But some users are members of group A and Group B. I cannot figure out how to only show one link to them, based on whether they are a member of Group A or not. If I create an access level that includes only Group A and one that includes every other group and someone is in both groups, they will see both links, which is redundant since the pages are different versions of the same page. Any ideas?
We've got a similiar situation, and they way we got around it is to have another Usergroup called "GroupNotA". Then, we have a user plugin that we configure the UserGroups that are in play, and use the OnUserAfterSave event to insure everyone is conditionally in the correct user groups as shown in the code snippets below. With that, we can user menu items, etc. that are available to GroupA and GroupNotA.
myUserPlugin.xml
<field name="usergroup_a" type="usergroup" label="Group A" multiple="false" />
<field name="usergroup_not_a" type="usergroup" label="Group Not A" multiple="false" />
myUserPlugin.php
public function onUserBeforeSave($oldUser, $isnew, $newUser)
{
$UserGroupA = $this->params->get('usergroup_a');
$UserGroupNotA = $this->params->get('usergroup_not_a');
if(in_array(UserGroupA, $newUser['groups'])){
// Use IS in Group A - do nothing?
}else{
// Use is NOT in Group A - Add to group $UserGroupNotA
// add/remove from array $user['groups']
}
A word of caution though, the natural inclination was to use JUserHelper::addUserToGroup(), but it triggers OnUserAfterSave() again, so we went with direct manipulation of the Groups array.
A sample user plugin is installed with Joomla at plugins/user/example.php, and full documentation is available at Plugin/Events/User. Good Luck.
Note I just realized that we do this during a new user registration, so I'm altering the answer to use the event onUserBeforeSave(). I'm not sure that it will work as I originally suggested or not, but at least you have a starting point and the pieces to accomplish a solution.
I created custom role for some users, and I assigned role to particular user with content tree limitation. Like on this image
Problem is that when that user log in, he get error like on this image. Roles are working, so user can see his assigned content tree and work with it.
How can I solved this first screen? Even redirection on his content tree would do the job.
Thank you :)
Make sure that the user you assigned the role to, also has a basic role to access basic contribution functions. I usually have a "backoffice user" role which is assigned to every contributor (or group), which includes (without any limitation) :
user/login on the admin siteaccess
content/read on at least the root node : you need to be able to get "through" that node (and others if needed) to see the ones under it
ezoe, ezjscore, ezmultiupload, ezfind, ezie etc
content/(edit|remove|...) on contents which is owned by the user himself or its group
Hope this helps
Hi
is it possible to have more than one group as admin_group? being able to change users?
or, in alternative, how can i add one user to more than one group?
Thanks
The "admin" group is just another named group. There is nothing special about it other than it has a shortcut to check that role with...
$this->ion_auth->is_admin();
instead of just using...
$this->ion_auth->is_group('admin_group');
so really it all depends on how YOU treat the users.
so, to allow 2 groups admin access I'd just do this... Note is_group() can accept an array of strings also.
$admin_groups = array('admin_group1','admin_group2');
if ($this->ion_auth->is_group($admin_groups)) {
//do stuff
}
I run a social networking / blogging website ( http://www.obsidianportal.com ), and currently the users are identified by their unique (and unchangeable) username everywhere. Many have requested the ability to have a display name as well that they can choose. I'd like to support this, but I'm worried about spoofing and identity theft. So, I'm wondering if anyone has dealt with this and has any advice?
Here's what I'd like to avoid:
I'm known as Micah on the site. I don't want anyone to be able to choose my name as their display name and then impersonate me to others on the site. Similarly, I don't want people to be able to impersonate each other.
Here are some possible avenues I've identified:
Let them choose whatever name they want (within reason: profanity, racism, hate speech, etc.)
Don't allow users to choose a display name that overlaps with an existing unique username
Don't allow users to choose a display name that overlaps with an existing unique username OR an existing display name.
Am I being too paranoid? Should I just chill out and let users pick whatever names they want?
I'd go with the principle of least astonishment, in this case "Don't allow users to choose a display name that overlaps with an existing unique username OR an existing display name." Otherwise you could have 10 different people with nickname Piskvor talking to each other ;)
If the account is linked to a profile with some statistic I think you doesn't require to have to be unique username. If at StackOverFlow someone try to use my name and he is under 1 000 reps, I think it's obvious that I am the real. Of course, someone can use my name here and try to be me, in that case I would require assistance from administrator so maybe you should have a système to report abuse.
In the other way, I have a system that validate the username to be unique. That way, it's simpler. I do this because registered people doesn't have any profile page so it would be hard to know who is the real one.
Hope that help you.