Making registration for media wiki require admin approval?

Question

A wiki I maintain has been hit pretty hard by spam bots... we don't have a lot of users, and I'd rather not saddle the legitimate users with captcha. Is there a simple way to make registration confirmation go to an admin? I've looked through the manual, and haven't been able to figure out how to do it.

Answer 1

You could create a new user right, e.g. "approved", allow admins to assign that right and restrict things like editing to only approved users, like this:

// Disallow editing and uploading from anons and registered users
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['user']['edit'] = false;

// New user group: approved users
$wgGroupPermissions['approved']['edit'] = true;

// Allow admins to approve (and unapprove) users via Special:UserRights
$wgAddGroups['sysop']['approved'] = true;
$wgRemoveGroups['sysop']['approved'] = true;

Note that removing the edit permission also stops non-approved users from doing most things that directly or indirectly involve changing pages in any way, so you shouldn't need to revoke those rights explicitly.

Also, instead of revoking editing rights from unapproved users completely, you could restrict their editing to certain namespaces using $wgNamespaceProtection (and perhaps further to certain pages in those namespaces using normal per-page protection), something like this:

// Limit editing of the main namespace to approved users
$wgNamespaceProtection[NS_MAIN] = array( 'edit-main' );
$wgGroupPermissions['approved']['edit-main'] = true;

That way, you could set up a page where new users can ask to be approved in one of the namespaces they can edit.

For more information, see Manual:User rights and Help:Assigning permissions on mediawiki.org.

Answer 2

If you're willing to install an extension then Extension:ConfirmAccount would be the best solution for you.

"The ConfirmAccount extension disables direct account creation and requires the approval of new accounts by a bureaucrat"

This means that new users are clearly told within the interface, that they are requesting a user account. It also presents a specially designed interface to the administrators, for approving the requests, and will email somebody (configured email address $wgConfirmAccountContact) when somebody's waiting.

Although spammers can still irritate you a little by requesting accounts (use in conjunction with ConfirmEdit captcha is recommended), they will not be getting as far as actually creating junk user accounts.