MediaWiki’s permission system is based on user groups that are assigned sets of rights. Every action on the wiki — reading, editing, deleting, blocking — is controlled by a right, and every user has the rights granted by all the groups they belong to.

Default User Groups

* (Everyone)

Applies to all requests, including unauthenticated visitors. By default grants read, createaccount, and edit (the last of which can be revoked to make a read-only wiki).

user

All registered (logged-in) accounts. Grants rights like move, upload, minoredit, editmywatchlist, and sendemail.

autoconfirmed

Accounts that meet the auto-confirmation thresholds ($wgAutoConfirmAge and $wgAutoConfirmCount). Gets autoconfirmed and editsemiprotected.

sysop

Administrators. Can delete pages, protect pages, block users, view deleted revisions, import pages, and manage the wiki configuration via the UI.

bureaucrat

Can promote and demote users to/from the sysop and bot groups via Special:UserRights.

bot

Automated accounts. Edits are flagged as bot edits and hidden from recent changes by default. Grants bot, autopatrol, nominornewtalk, and noratelimit.

interface-admin

Can edit MediaWiki interface pages (MediaWiki: namespace) including site-wide CSS and JavaScript. Separate from sysop since MediaWiki 1.32.

suppress

Can suppress (oversight) revisions so they are hidden from sysops as well as normal users. Often restricted to trusted users only.

$wgGroupPermissions

All group→right mappings are defined in $wgGroupPermissions. The array key is the group name, the nested key is the right name, and the value is a boolean.

// LocalSettings.php

// Prevent anonymous users from editing
$wgGroupPermissions['*']['edit'] = false;

// Prevent anonymous users from reading (private wiki)
$wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['user']['read'] = true;

// Allow autoconfirmed users to patrol edits
$wgGroupPermissions['autoconfirmed']['patrol'] = true;

// Create a custom group
$wgGroupPermissions['trusted']['move'] = true;
$wgGroupPermissions['trusted']['delete'] = false;

// Grant a right to all logged-in users
$wgGroupPermissions['user']['upload'] = true;

Rights are cumulative across groups, so setting a right to false in one group only stops that group from granting it; a user who also belongs to another group that grants the right still has it. To take a right away regardless of what a user's other groups grant, use $wgRevokePermissions instead:

// Revoke 'edit' from all users, including those in elevated groups
$wgRevokePermissions['*']['edit'] = true;
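
The difference between a false grant and a revocation, as an added example (a standalone model, not MediaWiki's own code). The sample arrays, the 'probation' group and the effectiveRights() helper are constructed for illustration.

```php
<?php
// Constructed sample configuration, not taken from a real wiki.
$wgGroupPermissions = [
    '*'       => [ 'read' => true, 'edit' => true ],
    'user'    => [ 'edit' => true, 'upload' => true ],
    'trusted' => [ 'move' => true, 'delete' => false ],
    'sysop'   => [ 'delete' => true, 'block' => true ],
];
$wgRevokePermissions = [
    'probation' => [ 'upload' => true ], // hypothetical group
];

/**
 * Effective rights for a set of groups: every right any group grants,
 * minus every right any group revokes. (Hypothetical helper.)
 */
function effectiveRights( array $groups, array $grants, array $revokes ): array {
    $granted = [];
    $revoked = [];
    foreach ( $groups as $group ) {
        // array_filter() drops entries set to false, so a false value
        // never subtracts a right that another group grants.
        $granted += array_filter( $grants[$group] ?? [] );
        $revoked += array_filter( $revokes[$group] ?? [] );
    }
    $rights = array_keys( array_diff_key( $granted, $revoked ) );
    sort( $rights );
    return $rights;
}

// 'delete' => false on 'trusted' does not stop the grant from 'sysop'.
print_r( effectiveRights( [ '*', 'user', 'trusted', 'sysop' ],
    $wgGroupPermissions, $wgRevokePermissions ) );

// Membership in 'probation' removes 'upload' even though 'user' grants it.
print_r( effectiveRights( [ '*', 'user', 'probation' ],
    $wgGroupPermissions, $wgRevokePermissions ) );
```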

Available Rights

The following core rights are defined in PermissionManager::CORE_RIGHTS:

Content Rights

read · edit · createpage · createtalk · move · movefile · upload · reupload · delete · undelete · import · importupload

Administrative Rights

block · blockemail · protect · editprotected · rollback · patrol · autopatrol · userrights · siteadmin · interwiki

Interface Rights

editinterface · editsitecss · editsitejs · editsitejson · editusercss · edituserjs · edituserjson

User Rights

createaccount · autocreateaccount · sendemail · viewmyprivateinfo · editmyprivateinfo · editmyoptions · editmywatchlist · viewmywatchlist

Content Visibility

deletedhistory · deletedtext · suppressrevision · viewsuppressed · suppressionlog · hideuser · browsearchive

Performance Rights

apihighlimits · noratelimit · bot · markbotedits · autoconfirmed · nominornewtalk · bigdelete

Namespace-Level Permissions

$wgNamespaceProtection locks specific namespaces so that only users with a given right can edit them:

// Only sysops can edit the MediaWiki namespace (already the default)
$wgNamespaceProtection[NS_MEDIAWIKI] = [ 'editinterface' ];

// Only trusted users can edit namespace 100 (a custom namespace)
$wgNamespaceProtection[100] = [ 'editcustomns' ];

// Grant the right to the 'editor' group
$wgGroupPermissions['editor']['editcustomns'] = true;

Page Protection Levels

Individual pages can be protected via the UI (Special:Protect) or API. Protection levels are defined in $wgRestrictionLevels:

// Default protection levels: '', 'autoconfirmed', 'sysop'
// Add a custom 'reviewer' level. The level name is also the right required
// to edit pages protected at that level, so the group is granted 'reviewer'.
$wgRestrictionLevels[] = 'reviewer';
$wgGroupPermissions['reviewer']['reviewer'] = true;
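
A configuration audit for the namespace protection and protection level settings above, as an added example (not MediaWiki's own code): it reports requirements that no group can satisfy. It assumes the right checked for a protection level is the level name itself, with 'sysop' and 'autoconfirmed' mapped to editprotected and editsemiprotected; the sample arrays and the helpers rightForLevel() and unsatisfiableRequirements() are constructed for illustration.

```php
<?php
// Constructed sample configuration, not taken from a real wiki.
$wgGroupPermissions = [
    'autoconfirmed' => [ 'editsemiprotected' => true ],
    'sysop'         => [ 'editprotected' => true, 'editsemiprotected' => true,
                         'editinterface' => true ],
    'editor'        => [ 'editcustomns' => true ],
    'curator'       => [ 'editcurator' => true ], // misnamed: the level is 'curator'
];
// 8 is NS_MEDIAWIKI; 100 and 102 are custom namespaces.
$wgNamespaceProtection = [ 8 => [ 'editinterface' ], 100 => [ 'editcustomns' ],
                           102 => 'editdrafts' ];
$wgRestrictionLevels = [ '', 'autoconfirmed', 'sysop', 'curator' ];

/** Right checked for a protection level; null for the unprotected level ''. */
function rightForLevel( string $level ): ?string {
    $legacy = [ 'sysop' => 'editprotected', 'autoconfirmed' => 'editsemiprotected' ];
    return $level === '' ? null : ( $legacy[$level] ?? $level );
}

/** Lists every protection requirement that no group's grants can meet. */
function unsatisfiableRequirements( array $grants, array $nsProtection, array $levels ): array {
    $grantedSomewhere = [];
    foreach ( $grants as $rights ) {
        $grantedSomewhere += array_filter( $rights );
    }
    $problems = [];
    foreach ( $nsProtection as $ns => $rights ) {
        // A namespace entry may be a single right or a list of rights.
        foreach ( (array)$rights as $right ) {
            if ( !isset( $grantedSomewhere[$right] ) ) {
                $problems[] = "namespace $ns requires '$right', which no group grants";
            }
        }
    }
    foreach ( $levels as $level ) {
        $right = rightForLevel( $level );
        if ( $right !== null && !isset( $grantedSomewhere[$right] ) ) {
            $problems[] = "protection level '$level' requires '$right', which no group grants";
        }
    }
    return $problems;
}

foreach ( unsatisfiableRequirements( $wgGroupPermissions, $wgNamespaceProtection,
    $wgRestrictionLevels ) as $problem ) {
    echo $problem, PHP_EOL;
}
```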

Block System

The block system prevents specific users, IP addresses, or CIDR ranges from editing (and optionally reading, creating accounts, or sending email).

Block Types

| Block Type | Example | Description |
|---|---|---|
| User block | BlockUser | Blocks a specific registered account |
| IP block | 192.168.1.1 | Blocks a single IP address |
| Range block | 192.168.1.0/24 | Blocks a CIDR range of IP addresses |
| Autoblock | (automatic) | Automatically blocks IPs used by a blocked user |
| Global block | (via CentralAuth) | Blocks across all wikis in a farm |

Block Configuration

// Allow blocked users to edit their own talk page
$wgBlockAllowsUTEdit = true;

// Allow sysops to issue partial blocks (specific pages/namespaces only)
// (enabled by default since 1.33)

// Prevent blocked users from logging in
$wgBlockDisablesLogin = false; // default; set to true to disable login for blocked users

Purging Expired Blocks

php maintenance/run.php purgeExpiredBlocks

Checking Permissions in Code

Use PermissionManager (available via MediaWikiServices) to check whether a user can perform an action. Do not check $wgGroupPermissions directly.

use MediaWiki\MediaWikiServices;

$permissionManager = MediaWikiServices::getInstance()->getPermissionManager();

// Check if a user can perform an action on a page
if ( $permissionManager->userCan( 'delete', $user, $title ) ) {
    // User is allowed to delete this page
}

// Get all errors preventing an action (returns array of error messages)
$errors = $permissionManager->getPermissionErrors( 'edit', $user, $title );
if ( $errors === [] ) {
    // No permission errors
}

// Check a right without a specific page context
if ( $permissionManager->userHasRight( $user, 'block' ) ) {
    // User is in a group that grants 'block'
}

Rigor Levels

PermissionManager supports three rigor levels for permission checks:

| Rigor | Constant | Description |
|---|---|---|
| Quick | RIGOR_QUICK | Cheap checks using replica DB; suitable for UI rendering |
| Full | RIGOR_FULL | Full checks possibly from replica DB |
| Secure | RIGOR_SECURE | Full checks using the primary DB; use for actual write operations |

// The rigor constants live on the PermissionManager class
use MediaWiki\Permissions\PermissionManager;

// Secure check before a write operation
$errors = $permissionManager->getPermissionErrors(
    'delete',
    $user,
    $title,
    PermissionManager::RIGOR_SECURE
);

Auto-confirmation

Auto-confirmation automatically promotes users to the autoconfirmed group after meeting age and edit count thresholds:

// Require 4 days old and 10 edits for autoconfirmed
$wgAutoConfirmAge   = 4 * 24 * 3600; // seconds
$wgAutoConfirmCount = 10;
