https://www.mediawiki.org/wiki/Security_issues_with_authorization_extensions comes to mind here.

You might try to hack something up by blacklisting certain API modules with ApiCheckCanExecute and the like, but such things aren't really supported. $wgDisableAPI itself probably doesn't make much sense anymore and may eventually be removed.

On Mon, Jan 9, 2017 at 12:35 PM, Daniel Barrett <danb@cimpress.com> wrote:
Max Semenik <maxsem.wiki@gmail.com> asks:
> Why are you disabling the API in the first place? Maybe there's a better solution?

I am creating a wiki (for a specialized project) that lets anonymous users read articles, but that is all they can do. They cannot log in, cannot view article history, cannot view Special Pages, or use any other wiki features. Basically, it's a wiki for a few writers and thousands of anonymous readers. MediaWiki is a great platform because the articles are highly interlinked like an encyclopedia.

Unfortunately, when the API is enabled, anybody can still access all the hidden information (article history, etc.). That's why I want to block the API. But then I kill search suggestions. :-)

I'm grateful for any advice you may have. Thank you.
DanB


--
Brad Jorsch (Anomie)
Senior Software Engineer
Wikimedia Foundation
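
As an added illustration of the ApiCheckCanExecute approach mentioned in the reply (not code from the thread or from MediaWiki itself), the LocalSettings.php fragment below uses an allowlist rather than a blacklist, so modules added later are denied by default. It assumes the search suggestion box calls `action=opensearch`; the variable `$anonApiAllowlist` is a hypothetical name introduced here.

```php
<?php
// LocalSettings.php fragment: added example, not from the original thread.
// Assumption: search suggestions are served by the "opensearch" action module.
// $anonApiAllowlist is a hypothetical name used only in this example.
$anonApiAllowlist = [ 'opensearch' ];

$wgHooks['ApiCheckCanExecute'][] = function ( $module, $user, &$message )
	use ( $anonApiAllowlist )
{
	// Logged-in accounts (the writers) keep normal API access.
	if ( !$user->isAnon() ) {
		return true;
	}

	// The hook receives the top-level action module; compare its name
	// strictly against the allowlist.
	if ( in_array( $module->getModuleName(), $anonApiAllowlist, true ) ) {
		return true;
	}

	// Returning false makes api.php refuse the request. $message is left
	// at whatever default the API supplies.
	return false;
};

// This hook only gates api.php. Other entry points into the wiki are not
// affected by it and need their own restrictions.
```

As the reply says, this kind of filtering is not really supported, so it should be re-checked after every MediaWiki upgrade.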