I notice that when the MediaWiki API is disabled (with $wgEnableAPI = false), this also disables auto-suggestions in the search box.
Assuming this is intentional... what's the friendliest way to forbid general web access to the API but still allow search suggestions to appear? I considered using the hook 'ApiBeforeMain' to return false unless action=opensearch. Is that the most reliable/friendly solution?
This is MediaWiki 1.28.0 with the default search engine, on an Ubuntu 16.04LTS host.
Thank you very much, DanB
Why are you disabling the API in the first place? Maybe, there's a better solution?
On Jan 9, 2017, at 12:23 PM, user "Daniel Barrett" danb@cimpress.com wrote:
> I notice that when the MediaWiki API is disabled (with $wgEnableAPI = false), this also disables auto-suggestions in the search box.
> Assuming this is intentional... what's the friendliest way to forbid general web access to the API but still allow search suggestions to appear? I considered using the hook 'ApiBeforeMain' to return false unless action=opensearch. Is that the most reliable/friendly solution?
> This is MediaWiki 1.28.0 with the default search engine, on an Ubuntu 16.04LTS host.
> Thank you very much, DanB
Mediawiki-api mailing list Mediawiki-api@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-api
Max Semenik maxsem.wiki@gmail.com asks:
> Why are you disabling the API in the first place? Maybe, there's a better solution?
I am creating a wiki (for a specialized project) that lets anonymous users read articles, but that is all they can do. They cannot log in, cannot view article history, cannot view Special Pages, or use any other wiki features. Basically, it's a wiki for a few writers and thousands of anonymous readers. MediaWiki is a great platform because the articles are highly interlinked like an encyclopedia.
Unfortunately, when the API is enabled, anybody can still access all the hidden information (article history, etc.). That's why I want to block the API. But then I kill search suggestions. :-)
I'm grateful for any advice you may have. Thank you. DanB
https://www.mediawiki.org/wiki/Security_issues_with_authorization_extensions comes to mind here.
You might try to hack something up by blacklisting certain API modules with ApiCheckCanExecute and the like, but such things aren't really supported. $wgDisableAPI itself probably doesn't make much sense anymore and may eventually be removed.
On Mon, Jan 9, 2017 at 12:35 PM, Daniel Barrett danb@cimpress.com wrote:
> Max Semenik maxsem.wiki@gmail.com asks:
>> Why are you disabling the API in the first place? Maybe, there's a better solution?
> I am creating a wiki (for a specialized project) that lets anonymous users read articles, but that is all they can do. They cannot log in, cannot view article history, cannot view Special Pages, or use any other wiki features. Basically, it's a wiki for a few writers and thousands of anonymous readers. MediaWiki is a great platform because the articles are highly interlinked like an encyclopedia.
> Unfortunately, when the API is enabled, anybody can still access all the hidden information (article history, etc.). That's why I want to block the API. But then I kill search suggestions. :-)
> I'm grateful for any advice you may have. Thank you. DanB
Brad Jorsch (Anomie) writes:
> https://www.mediawiki.org/wiki/Security_issues_with_authorization_extensions comes to mind here.
Thank you, Brad. That page is a great resource. In my case, my "restricted" wiki passes all tests on that page except the API access. Mainly because users can't edit (and therefore no editing tricks will access hidden features), we're not attempting to hide content (just old versions), and special pages are easy to blacklist via hook.
I should mention this isn't a high-security site. I'm just removing features that don't fit the purpose of the site. If people see more than they should, it's no big deal.
> You might try to hack something up by blacklisting certain API modules with ApiCheckCanExecute and the like, but such things aren't really supported.
Thanks for the tip and the warning!
DanB
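
The module-filtering idea raised in this thread, as an added example that is not code from any of the posters or from MediaWiki itself: a `LocalSettings.php` fragment that uses the `ApiCheckCanExecute` hook to let anonymous requests run only `action=opensearch`. It assumes the MediaWiki 1.28 hook signature and that the wiki's writers are logged in; `$wgAnonApiAllowlist` is a hypothetical variable name, and, as the thread notes, this kind of filtering is not a supported access control.

```php
<?php
// LocalSettings.php fragment (added example, not from the thread).

// Leave the API enabled: the search box suggestions are served by
// api.php?action=opensearch, so turning the API off removes them too.
$wgEnableAPI = true;

// Hypothetical name. Top-level API actions that anonymous readers may run.
// Everything not listed here is refused (allowlist, not blocklist), so a
// module added by a later upgrade or extension is closed by default.
$wgAnonApiAllowlist = [ 'opensearch' ];

// ApiCheckCanExecute is run by ApiMain for the top-level action module
// before it executes. Returning false makes the API die with $message.
// Assumption: MediaWiki 1.28 signature ( $module, $user, &$message ).
$wgHooks['ApiCheckCanExecute'][] = function ( $module, $user, &$message ) {
	global $wgAnonApiAllowlist;

	// Assumption: writers are logged in and keep full API access.
	if ( !$user->isAnon() ) {
		return true;
	}

	// The check is on the action module only. Because 'query' is not in
	// the allowlist, every query submodule (revisions, logevents, ...) is
	// unreachable for anonymous users without listing each one.
	if ( in_array( $module->getModuleName(), $wgAnonApiAllowlist, true ) ) {
		return true;
	}

	// Generic "permission denied" message key known to the 1.28 API.
	$message = 'badaccess-group0';
	return false;
};

// Verification after deploying, as an anonymous client:
//   api.php?action=opensearch&search=Foo            -> suggestions returned
//   api.php?action=query&prop=revisions&titles=Foo  -> API error, no data
// This hook only covers api.php. History views, diffs and special pages on
// index.php still need their own restrictions.
```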