Security Model
From FiranMUX
This wiki is using the Group Based Access Control (AccessControl) extension, which lets us set up new groups of users and lock down a page so that you must be a member of one or more groups to edit it or even read it. The extension lets us easily add users to a group and remove them later, via bullet lists on an easily modified wiki page.
Important: By FiranWiki policy set by Steph and Adam, only they are allowed to create groups (or delegate that authority to other people). Do not create groups without permission!
In general, groups should be used sparingly, as there is only occasionally a need to hide content from the public. We might set up access control groups for content visible only to staff or certain factions on the game.
Contents |
Creating Groups
To create a new group, just create a new page named Usergroup:whatever, replacing whatever with the name of the group. For example, to create a group called "WikiEditors" you need to make a page called Usergroup:WikiEditors. The easiest way to create a new page is to click on the edit button of an existing page and change the "title=whatever" in the URL to your new page name.
The content of that new page is a bullet list containing the user names of people in the group, plus a security tag to keep people from editing your user list. For example, if you want users Adam and Steph to be in the WikiEditors group, edit the Usergroup:WikiEditors page and put the following in it:
<accesscontrol>WikiEditorsAdmin</accesscontrol> * Adam * Steph
The first line says that only people in the WikiEditorsAdmin group can change the page (and thus change who is in the WikiEditors group). The rest of the lines that start with "*" list users in the WikiEditors group.
Do not add Category links to Usergroup: pages because it seems to break some people's ability to edit those pages, even though they should have access.
Of course, once you create this page, you won't be allowed to view or edit it anymore, because you're not in the WikiEditorsAdmin group! That's easily remedied though. Just go repeat this process for the Usergroup:WikiEditorsAdmin page. This time, the list of users should be the people who can edit the users in the WikiEditors group. Lock that page (with >accesscontrol<) so that only the GroupAdmin group can edit it. The GroupAdmin group is a list of people who can edit groups. In general, only Adam and Steph are in that group.
Using Groups
The last section probably gives you a good idea how you can limit a page to a certain group, but it's more powerful than that.
You can set a page so that it can be read by members of more than one group, for example. Just list all the groups in the <accesscontrol> section, and separate them with double-commas. Yes, two commas, not one. For example:
<accesscontrol>WikiEditors,,SectionEditors</accesscontrol>
You can set a page so that certain groups can read it but not edit it. Make a page read-only for a certain group by putting "(ro)" after their group name in the >accesscontrol< list. For example:
<accesscontrol>WikiEditors,,SectionEditors,,Reviewers(ro)</accesscontrol>
In the previous example, WikiEditors and SectionEditors can read and edit the page. Reviewers can only read the page, not edit it. No one else can read the page.
Oh, here's a list of users, because you'll need their usernames.
Known Groups
This section is a shortcut to understanding and maintaining user groups created on this wiki. Please update this page when you add a new group.
| Group | Control Group | Purpose |
| none | Usergroup:GroupAdmin | Users who may edit permissions of Admin-type groups |
| Usergroup:LARP | Usergroup:LARPAdmin | Users who may view the secret LARP pages |
| Usergroup:Sysadmin Usergroup:SysadminRO | Usergroup:SysadminAdmin | Users who may edit and view pages containing system administration information |
| Usergroup:Military | Usergroup:MilitaryAdmin | Users who may edit and view pages about (IC) war and military missions |
| Usergroup:Viceroy | Usergroup:ViceroyAdmin | Users who may edit and view Viceroy Duty Pages |
| Usergroup:Wizards | Usergroup:WizardsAdmin | Users who are FiranMUX wizards |
| Usergroup:ClanCouncil | Usergroup:ClanCouncilAdmin | Users who can edit and view secure CC pages |
| Usergroup:PlayerHelper | Usergroup:Wizards | Users who can edit and view pages for PHers |
| Usergroup:Nekaht | Usergroup:Wizards | Users who can view Nekaht Secrets |
| Usergroup:WFHG | Usergroup:WFHGAdmin | Members of Steph's Writing Group |
| Usergroup:Lanesh | Usergroup:Wizards | Lanesh Regime Members |
| Usergroup:TinyPlot | Usergroup:Wizards | Temporary Group for TPs |
| Usergroup:HighPriests | Usergroup:Wizards | List of High Priests maintained by Wizards |
| Usergroup:Srennians | Usergroup:HighPriests | Members of the Temple of Srenna maintained by the High Priests |
| Usergroup:RPG | Usergroup:GroupAdmin | Tabletop Firan RPG development group |
Group Types
A Normal group is used to control which users get to see a normal wiki page. For example, if you want to control who can read the secret Lanesh pages, you might create a Lanesh group and put the user names of users who get to see that information.
An Admin control group controls which users can edit the membership of another group. For example, you don't want just any user changing the membership of the Lanesh group, so you should create a LaneshAdmin group and lock it down so that only a few people can change the Usergroup:Lanesh page. The GroupAdmin group is the owner/controller of every Admin-type group.
