
API should not require 'read' user right for most actions
Open, Lowest, Public, Feature

Description

It is not possible to view a whitelisted page through the MediaWiki API.

Steps to reproduce:

  • Set $wgGroupPermissions['*']['read'] = false to create a private wiki.
  • Add a page to the whitelist using $wgWhitelistRead = array( "Foo" );
  • Access api.php?action=parse&page=Foo

Expected behaviour:

  • The API to return successfully, showing the contents of the page [[Foo]].

Actual behaviour:

  • The API returns a readapidenied error ("You need read permission to use this module"), even though a user can access index.php?title=Foo without an error.

This bug has been mentioned on the MediaWiki wiki since at least 2010 ([[mw:Special:Permalink/300785]]), but I couldn't find any existing filed bugs in the API category on Bugzilla.


Version: unspecified
Severity: enhancement

Details

Reference
bz62842

Event Timeline

bzimport raised the priority of this task from to Lowest. Nov 22 2014, 3:03 AM
bzimport set Reference to bz62842.
bzimport added a subscriber: Unknown Object (MLST).

Quoting from the page you linked:

This means that a client needs to be logged in to query any information at all
through the API.

If the user isn't allowed 'read', they aren't allowed to query ''any information at all''.[1] It never gets to the point of checking whether they can read any particular page, or even of executing the query module.

Fixing this would be a fair bit of work, as it would likely require auditing every API module to verify that each one properly checks the 'read' permission before leaking any information (including e.g. whether a page exists or not).

[1]: This is slightly inaccurate: they can still get a login token, try to create an account, and access the API's autogenerated documentation.
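The following is an added illustration, not MediaWiki code or code from anyone in this thread. It models the two request paths compared in the report (index.php versus api.php) with the two settings from the steps to reproduce, and shows why the whitelist takes effect on one path but not the other: the API path gates on the group-level 'read' right before any per-title check runs. The function names, the second page title "Secret", and the simplified check ordering are assumptions made for the illustration; they do not reproduce MediaWiki's actual permission code.

```php
<?php
// Added model of the two paths described in the task; not MediaWiki's code.
// Settings are taken from the report's steps to reproduce.
$wgGroupPermissions = [ '*' => [ 'read' => false ] ];
$wgWhitelistRead = [ 'Foo' ];

/** Group-level 'read' right for an anonymous client (group '*'). */
function anonHasReadRight( array $groupPermissions ): bool {
    return !empty( $groupPermissions['*']['read'] );
}

/**
 * Per-title check: when 'read' is denied globally, the whitelist decides.
 * (Assumed simplification of the per-page check index.php performs.)
 */
function anonCanReadTitle( string $title, array $groupPermissions, array $whitelist ): bool {
    if ( anonHasReadRight( $groupPermissions ) ) {
        return true;
    }
    return in_array( $title, $whitelist, true );
}

/** index.php path: the per-title check runs, so the whitelist applies. */
function indexPhpView( string $title, array $groupPermissions, array $whitelist ): string {
    return anonCanReadTitle( $title, $groupPermissions, $whitelist )
        ? "200: contents of [[$title]]"
        : "403: read permission required";
}

/**
 * api.php path as the task describes it: a single module-level gate on the
 * group 'read' right. The title is never examined, so the whitelist cannot
 * help; this gate is also the only thing keeping non-whitelisted content
 * out of API responses, which is why relaxing it means auditing each module.
 */
function apiPhpParse( string $title, array $groupPermissions, array $whitelist ): string {
    if ( !anonHasReadRight( $groupPermissions ) ) {
        return 'error: readapidenied';
    }
    return "result: contents of [[$title]]";
}

// 'Secret' is a constructed example of a page that is NOT whitelisted.
foreach ( [ 'Foo', 'Secret' ] as $t ) {
    echo "index.php?title=$t -> ", indexPhpView( $t, $wgGroupPermissions, $wgWhitelistRead ), "\n";
    echo "api.php?action=parse&page=$t -> ", apiPhpParse( $t, $wgGroupPermissions, $wgWhitelistRead ), "\n";
}
```

Running this prints a 200 for index.php?title=Foo, a 403 for index.php?title=Secret, and readapidenied for both API requests, which is the mismatch the report describes. Moving the per-title check into the API path would make Foo readable, but only if every module applies an equivalent check before emitting anything about Secret, including its existence.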

Aklapper changed the subtype of this task from "Task" to "Feature Request". Feb 4 2022, 11:14 AM