Brion Vibber schreef:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Lane, Ryan wrote:
>>> If a user has insufficient permissions to read a page, he should not
>>> be able to fetch any information at all about it I think.
>>>
>> IIRC, the API only honors read rights when serving page
>> *content*, and
>> AFAIK the UI allows users to get information about unreadable
>> pages too
>> (Special:Allpages and friends, for example).
>>
>>
> Isn't this different than the way the normal rights work? Shouldn't the
> API only allow pages on the white list to be read? Is there a good
> reason to go against MediaWiki's normal security design in the API?
>
The function Title::userCanRead() is used, which checks for the
'read'
permission as well as the whitelist..
Well, that's the thing -- if Special:Allpages is on the whitelist, then
you can go to Special:Allpages and see everything Special:Allpages has
to offer (a list of all pages).
If you can access the API...
True. I've had plans to implement selective
disabling of API modules in
LocalSettings.php for a while now. Also, there should probably be a
right that controls whether users can use the API as a whole.
Roan Kattouw (Catrope)