FieldPermissions provides fine-grained, field-level access control in MediaWiki using Semantic MediaWiki (SMW) properties. It enables you to restrict field visibility based on permission levels or explicit user groups, filtering data at the source.
Compatible with SMW 6.x using a secure "Tier 2" architecture (ResultPrinter Overrides).
- Semantic Configuration: Configure visibility using standard SMW properties (Has visibility level, Visible to) on property pages.
- Database-Backed: Visibility levels and group mappings are stored in the database and managed via a Special Page.
- Output Filtering: Automatically filters SMW query results (#ask, API, JSON, CSV, etc.) by overriding ResultPrinters to remove restricted columns before rendering.
- Secure by Design: Filters data at the rendering stage, ensuring that restricted properties are never requested or displayed.
- Factbox Protection: Filters properties displayed in the Factbox at the bottom of pages.
- Clone or download this extension into your MediaWiki extensions/ directory:
    cd /path/to/mediawiki/extensions
    git clone https://github.com/your-repo/FieldPermissions.git
- Add the following to your LocalSettings.php:
    wfLoadExtension( 'FieldPermissions' );
- Run the update script to create database tables:
    php maintenance/update.php
Go to Special:ManageVisibility (requires fp-manage-visibility right, default for sysops).
Create levels with numeric values. Higher numbers = more restrictive. Example:
- Public: 0
- Internal: 10
- Private: 20
In Special:ManageVisibility, map user groups to their maximum allowed visibility level.
Example:
- user: Public (0)
- lab_member: Internal (10)
- pi: Private (20)
On any Property page (e.g., Property:Salary), add the following semantic annotations:
To restrict by level:
[[Has visibility level::Visibility:Private]]
(Assuming you have a page Visibility:Private representing the level, or just use the name if configured.)
To restrict by specific group:
[[Visible to::sysop]]
[[Visible to::hr_manager]]
Use standard SMW queries. Data will be automatically filtered based on the viewing user's permissions.
{{#ask: [[Category:Employee]]
|?Salary
|?Email
}}
If a user does not have permission to see Salary, that column/field will be empty or removed.
See docs/Configuration.md for a detailed configuration guide.
This extension uses a Tier 2 filtering approach for SMW 6.x:
- Interception: Hooks into SMW::ResultPrinter::Register to replace standard printers.
- Overrides: Custom Fp* printers (Table, List, JSON, etc.) extend standard SMW printers.
- Filtering: Inside the printer, the extension inspects the QueryResult and removes any PrintRequest (column) that the user is not authorized to view.
- Result: SMW skips fetching and rendering data for the removed columns, ensuring security.
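The level and group checks described above, modelled as an added example (not the extension's own code, and not using the SMW API). How a level and a Visible to list combine, how multiple groups resolve, and the rules for Email, Review and Badge are assumptions made for illustration.

```php
<?php
// Illustrative model only: not the extension's classes and not the SMW API.
// Levels and group mappings are the examples from this page.
const LEVELS = [ 'Public' => 0, 'Internal' => 10, 'Private' => 20 ];
const GROUP_MAX_LEVEL = [ 'user' => 0, 'lab_member' => 10, 'pi' => 20 ];

// Constructed annotations: 'level' = Has visibility level, 'groups' = Visible to.
const PROPERTY_RULES = [
    'Salary' => [ 'level' => 'Private' ],
    'Email'  => [ 'level' => 'Internal' ],
    'Review' => [ 'groups' => [ 'sysop', 'hr_manager' ] ],
    'Badge'  => [ 'level' => 'Secret' ], // level name that was never defined
];

// Highest level granted by any of the user's groups (assumption: max wins,
// and a user with no mapped group gets level 0).
function maxLevelFor( array $userGroups ): int {
    $granted = array_intersect_key( GROUP_MAX_LEVEL, array_flip( $userGroups ) );
    return $granted ? max( $granted ) : 0;
}

// Assumption: every restriction set on a property must be satisfied.
function canView( string $property, array $userGroups ): bool {
    $rule = array_key_exists( $property, PROPERTY_RULES ) ? PROPERTY_RULES[$property] : [];
    if ( isset( $rule['level'] ) ) {
        // Fail closed: an undefined level name hides the property.
        if ( !array_key_exists( $rule['level'], LEVELS ) ) {
            return false;
        }
        if ( maxLevelFor( $userGroups ) < LEVELS[$rule['level']] ) {
            return false;
        }
    }
    if ( isset( $rule['groups'] ) && !array_intersect( $rule['groups'], $userGroups ) ) {
        return false;
    }
    return true;
}

// Drop unauthorized columns from the requested list before rendering.
function filterPrintRequests( array $columns, array $userGroups ): array {
    return array_values( array_filter( $columns, fn ( $p ) => canView( $p, $userGroups ) ) );
}

$query = [ 'Name', 'Salary', 'Email', 'Review', 'Badge' ];
$viewers = [ [ 'user' ], [ 'user', 'lab_member' ], [ 'user', 'pi' ], [ 'user', 'hr_manager' ] ];
foreach ( $viewers as $groups ) {
    echo implode( ',', $groups ), ' => ', implode( ', ', filterPrintRequests( $query, $groups ) ), "\n";
}
```

The Badge rule shows why an unknown level name should hide a property rather than expose it: a typo in an annotation then fails closed.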
GPL-2.0-or-later