====== Extranet Plugin ====== ---- plugin ---- description: Restrict pages, media and actions for extranet visitors author : Valentin LORTET email : contact@valentinlortet.fr type : Action, Syntax, Helper lastupdate : 2026-03-13 compatible : Librarian depends : prosemirror conflicts : similar : tags : Access, Extranet, Intranet, Proxy, Security, Helper downloadurl: https://github.com/Lortet/dokuwiki-plugin-extranet/zipball/master bugtracker : https://github.com/Lortet/dokuwiki-plugin-extranet/issues sourcerepo : https://github.com/Lortet/dokuwiki-plugin-extranet/ donationurl: screenshot_img : ---- [[fr:plugin:extranet|🇫🇷 Français]] | 🇬🇧 **English** | [[de:plugin:extranet|🇩🇪 Deutsch]] | [[es:plugin:extranet|🇪🇸 Español]] ===== Installation ===== Install the plugin from the [[plugin:extension|Extension Manager]] using the URL above, or copy it into ''lib/plugins/extranet''. ===== Description ===== The **extranet** plugin can: * detect whether a request comes from the extranet from a configurable ''$_SERVER'' value; * restrict the display of pages and media files; * disable selected DokuWiki actions for extranet visitors; * apply global rules through filters; * add per-page exceptions with ''~~NOEXTRANET~~'' and ''~~EXTRANET~~''; * integrate with ProseMirror so these macros are preserved in WYSIWYG editing. The plugin is suited to intranet/extranet segmentation. It complements ACLs, but does not replace real access control. ===== Settings ===== ^ Name ^ Description ^ Default value ^ | request_match_key | ''$_SERVER'' key used to determine whether the request comes from the extranet. Can be ''REMOTE_ADDR'' or an ''HTTP_*'' key. | '''' | | extranet_match_list | Comma-separated list of values treated as extranet. | '''' | | extranet_match_regex | Regex used to detect an extranet request from the configured value. | '''' | | default_policy | Default policy: ''allow'', ''block'', ''force_allow'' or ''force_block''. | ''allow'' | | filter_list | List of page or media IDs targeted by the policy. Supports exact IDs, namespace prefixes ending with '':'', and wildcards ''*''. | '''' | | filter_regex | Additional regex used to target pages or media files. | '''' | | hide_files | How restricted media files are handled: ''all'', ''except_pageicons'' or ''none''. | ''none'' | | disable_actions | DokuWiki actions disabled for extranet visitors. | ''admin,edit,preview,save,revisions,diff,export_raw,export_xhtml,export_xhtmlbody,permalink,register'' | | restricted_disable_actions | Additional actions disabled only when the current page is restricted. | '''' | | preserve_first_title | Keep the first heading when a page is hidden. | ''true'' | | message_prefix | Prefix inserted before the restriction message. | '''' | | message_suffix | Suffix inserted after the restriction message. | '''' | ===== Compatibility ===== The following legacy configuration keys are still accepted: * ''server_ip_key'' * ''extranet_ip_list'' * ''extranet_ip_regex'' The new names should be preferred: * ''request_match_key'' * ''extranet_match_list'' * ''extranet_match_regex'' ===== Usage ===== Two macros are available: * ''~~NOEXTRANET~~'' : blocks the page from the extranet when the policy allows it; * ''~~EXTRANET~~'' : allows the page from the extranet when the policy allows it. Behavior depending on ''default_policy'': * ''allow'' : everything is allowed except filtered pages or pages marked ''~~NOEXTRANET~~''; * ''block'' : everything is blocked except filtered pages or pages marked ''~~EXTRANET~~''; * ''force_allow'' : only filter rules apply, ''~~NOEXTRANET~~'' is ignored; * ''force_block'' : only filter rules apply, ''~~EXTRANET~~'' is ignored. ===== Examples ===== Detection by direct IP: * ''request_match_key = REMOTE_ADDR'' * ''extranet_match_regex = /^10\.100\./'' Detection by proxy header: * ''request_match_key = HTTP_X_NETWORK_ZONE'' * ''extranet_match_list = extranet'' Detection by upstream host name: * ''request_match_key = HTTP_X_UPSTREAM_HOST'' * ''extranet_match_regex = /^frontend-ext-/'' ===== Helper API ===== Load helper: ''$extranet = plugin_load('helper', 'extranet');'' ==== Main methods ==== ^ Method ^ Since ^ Description ^ | ''getDefaultPolicy()'' | ''2026-03-13'' | Returns the effective default policy. | | ''getRequestMatchKey()'' | ''2026-03-13'' | Returns the ''$_SERVER'' key used for detection. | | ''getExtranetMatchList()'' | ''2026-03-13'' | Returns the list of values treated as extranet. | | ''getExtranetMatchRegex()'' | ''2026-03-13'' | Returns the extranet detection regex. | | ''isExtranetRequest()'' | ''2026-03-13'' | Tells whether the current request is treated as extranet. | | ''isPageVisibleFromExtranet($id, $content = null)'' | ''2026-03-13'' | Tells whether a page is visible from the extranet. | | ''isMediaVisibleFromExtranet($mediaID)'' | ''2026-03-13'' | Tells whether a media file is visible from the extranet. | | ''isPageAllowed($id, $content = null)'' | ''2026-03-13'' | Tells whether a page is allowed in the current context. | | ''isMediaAllowed($mediaID)'' | ''2026-03-13'' | Tells whether a media file is allowed in the current context. | | ''parseRuleList($raw)'' | ''2026-03-13'' | Converts a rules configuration into a usable array. | | ''idMatchesRule($id, $rule)'' | ''2026-03-13'' | Tests an ID against an exact rule, namespace, wildcard or regex. | ===== How it works ===== Extranet detection is based on a value read from ''$_SERVER'': * the full raw value is tested; * if it contains commas, each separated item is also tested. This covers: * a direct IP; * an ''X-Forwarded-For''-style header; * a network marker injected by a proxy; * an upstream or frontend host name. When a page is restricted: * the cache is separated between intranet and extranet; * the wiki content is replaced with a configurable message; * the first heading can be kept if ''preserve_first_title'' is enabled. When a media file is restricted and ''hide_files'' is not ''none'', the plugin serves a dedicated image instead of the real file. ===== Notes ===== * The plugin should not be seen as a replacement for ACLs. * Reliability depends on the request marker provided by the web infrastructure. An untrusted or forgeable header makes the detection unsafe.