Thursday, March 08, 2012

Block anonymous users from seeing MediaWiki history

It looks like a patch to the install is necessary to keep anonymous users from seeing page histories. The Other restrictions section of the MediaWiki page, as of today, confirms this, but that page does not make it clear how to actually prevent histories from showing up for anonymous users.

But have no fear: as of MediaWiki 1.18.1, the following easy changes to two files have worked pretty well for me at preventing casual anonymous users from seeing the histories of pages:

1) Change the beginning of the history function in the includes/HistoryPage.php file so that it looks like this:
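function history() {
    global $wgOut, $wgRequest, $wgScript, $wgUser;

    // Users without the 'edit' right get the standard 'nohistory'
    // message instead of the revision list.
    if ( ! $wgUser->isAllowed('edit') ) {
        $wgOut->addWikiMsg( 'nohistory' );
        wfProfileOut( __METHOD__ );
        return;
    }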

2) Change the beginning of the insertDiffHist function in the includes/ChangesList.php file so that it looks like this:
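public function insertDiffHist( &$s, &$rc, $unpatrolled ) {

    global $wgUser;

    // Users without the 'edit' right get no diff/hist links
    // appended to the change-list line.
    if ( ! $wgUser->isAllowed('edit') ) {
        return null;
    }

This should prevent anonymous users from being able to see the histories of pages. Both checks test the edit right rather than login state, so they hide history from any user who is not allowed to edit; this assumes anonymous editing is disabled on the wiki. For bonus points in the comments, let us know how badly this will affect our search engine rankings.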
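
To confirm that both changes took effect, the following added example (not part of the original post) requests the history page and Special:RecentChanges without cookies and reports whether a revision list or hist links are still rendered. The HTML markers it looks for, the `audit` and `canned` helper names, the `wiki.example` URL and the sample pages are assumptions constructed for illustration.

```python
import re
import sys
import urllib.parse
import urllib.request

# Assumed markers in the rendered HTML; adjust to your skin's output.
HISTORY_LIST = re.compile(r'<ul[^>]*\bid="pagehistory"', re.I)
HIST_LINK = re.compile(r'href="[^"]*[?&](?:amp;)?action=history\b', re.I)

# Constructed sample pages (not captured from a real wiki).
UNPATCHED_HISTORY = '<ul id="pagehistory"><li>(cur | prev) 12:00 Example</li></ul>'
PATCHED_HISTORY = "<p>There is no edit history for this page.</p>"
UNPATCHED_RC = ('<li>(<a href="/index.php?title=Foo&amp;diff=2&amp;oldid=1">diff</a>'
                ' | <a href="/index.php?title=Foo&amp;action=history">hist</a>)</li>')
PATCHED_RC = '<li><a href="/index.php?title=Foo">Foo</a></li>'


def fetch_anonymous(url):
    """GET with no cookies or credentials, i.e. as an anonymous visitor."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")


def canned(history_html, changes_html):
    """Stand-in for fetch_anonymous that serves the constructed pages."""
    return lambda url: history_html if "action=history" in url else changes_html


def audit(index_php, title, fetch=fetch_anonymous):
    """Report which of the two patched views still expose history."""
    def url(**query):
        return index_php + "?" + urllib.parse.urlencode(query)
    history_html = fetch(url(title=title, action="history"))
    changes_html = fetch(url(title="Special:RecentChanges"))
    return {
        "history_page_lists_revisions": bool(HISTORY_LIST.search(history_html)),
        "recent_changes_hist_links": len(HIST_LINK.findall(changes_html)),
    }


if __name__ == "__main__":
    if len(sys.argv) == 3:   # e.g. http://wiki.example/index.php "Main Page"
        print(audit(sys.argv[1], sys.argv[2]))
    else:                    # offline demo on the constructed pages
        base = "http://wiki.example/index.php"
        print(audit(base, "Foo", canned(UNPATCHED_HISTORY, UNPATCHED_RC)))
        print(audit(base, "Foo", canned(PATCHED_HISTORY, PATCHED_RC)))
```

A patched wiki should report `False` and `0`; run it from a machine that holds no session for the wiki.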

Enjoy.

1 comment:

  1. Just a note - MediaWiki version 1.19 has made changes that affect this patch.

    In 1), the file that must be modified is includes/actions/HistoryAction.php instead of includes/HistoryPage.php, and the function that must be modified is onView(), not history(). Additionally, the list of globals must also include $wgUseFileCache & $wgSquidMaxage, and need not include $wgRequest.

    Here is an updated version of this part of the patch:

    function onView() {
        global $wgScript, $wgUseFileCache, $wgSquidMaxage, $wgOut, $wgUser;

        if ( ! $wgUser->isAllowed('edit') ) {
            $wgOut->addWikiMsg( 'nohistory' );
            wfProfileOut( __METHOD__ );
            return;
        }

    Step 2) can be followed unmodified.
