Disabling user accounts in MediaWiki

Question

I have a wiki family that has several thousand users that I need to manage. We do not have an elegant way of disabling any of the users that have left the program, in the past we have been able to change their passwords, but this is not a lasting solution for the future. I have investigated a couple different ways of disabling a user account, but I'm not sure which option to choose.

1. The CentralAuth extension - This is pretty complicated to set up for a wiki family and is tied very closely to the wikipedia core development. I got as far as migrating my users into the centralauth global user table. This setup does not take into account table prefixes, which we use extensively. The special pages associated with the extension are all broken because of this.

2. IP Blocking - I can't use this since the multiple users may access the wiki from the same IP, at a work station or computer lab.

3. A hook on login - Could possibly use a hook (UserLoginComplete) when the user logs in, then log them out immediately based on a flag set in the database.

4. Shared Permissions - I took a look at a couple extensions that allow global permissions, but many of them are not stable or in beta, for example: SharedUserRights. The idea here is to create an 'inactive' permission and manage accounts globally with that permission group.

I'm open to ideas! Hopefully this all makes sense, thanks in advance!

Answer 1

Thanks all for the suggestions! I ended up using a global ipblocks table and Extension:Lockout to block users from logging in, effectively disabling their accounts. I set up the shared tables and shared database for global users in my LocalSettings.php file:

 $wgSharedDB = 'up_commonusers';
 $wgSharedTables = array(  'user', 'user_groups', 'account_requests', 'account_credentials', 'ipblocks');

I plan on managing the blocked accounts based on username with this list: Special:BlockList. The drawback of this list is that it does not have the user's home wiki, so I added a 'ipb_user_home' column to the ipblocks table to use as reference later with this hook:

 $wgHooks['BlockIpComplete'][] = 'addHomeWikiData';

 function addHomeWikiData(&$block, &$user){
     $userId = $block->getTarget() instanceof User ? $block->getTarget()->getID() : 0;

     if($userId>0){
        $dbw = wfGetDB(DB_MASTER);
        $row = $dbw->selectRow('user', '*', array('user_id'=>$userId));
        $dbw->begin();
        $dbw->update('ipblocks', array('ipb_user_home'=>$row->user_home), array('ipb_user'=>$userId));
        $dbw->commit();
        return true;
     }
     return false;
}

I will eventually write my own Block list table in the future that will use this info, but for now I have what I need.

So the workflow is pretty simple. I use the normal Special:Block page to block users. The blocked users are added to the global ipblocks table instead of the local one since we configured a SharedTable, it then adds their home wiki data with the hook. The Lockout extension uses a different hook on login that will detect if the user is blocked or not and throw an error message. The Error pops up and you can't log in.

Hope this helps!

Answer 2

If you want to completely lock them out (disable logging in), use the AbortLogin hook to check usernames against the blacklist. See Extension:Lockout for an example.

If you want them to be able to log in but not edit, you can pobably use the UserGetRights hook to strip edit rights from them.

Answer 3

What's wrong with mediawiki standard user rights handling? Just give read/write access to a specific group and remove a user from that group when it is no longer relevant?