If a user has
insufficient permissions to read a page, he should not
be able to fetch any information at all about it I think.
IIRC, the API only
honors read rights when serving page
*content*, and
AFAIK the UI allows users to get information about unreadable
pages too
(Special:Allpages and friends, for example).
Isn't this different than the way the normal rights work? Shouldn't the
API only allow pages on the white list to be read? Is there a good
reason to go against MediaWiki's normal security design in the API?
I think quite a few locked down wikis may have issues with this.
V/r,
Ryan Lane