On Thu, Sep 25, 2008 at 8:41 PM, Brion Vibber brion@wikimedia.org wrote:
Lane, Ryan wrote:
If a user has insufficient permissions to read a page, he should not be able to fetch any information at all about it I think.
IIRC, the API only honors read rights when serving page *content*, and AFAIK the UI allows users to get information about unreadable pages too (Special:Allpages and friends, for example).
Isn't this different than the way the normal rights work? Shouldn't the API only allow pages on the white list to be read? Is there a good reason to go against MediaWiki's normal security design in the API?
Well, that's the thing -- if Special:Allpages is on the whitelist, then you can go to Special:Allpages and see everything Special:Allpages has to offer (a list of all pages).
or run
$ wget "http://download.wikimedia.org/enwiki/latest/enwiki-latest-all-titles-in-ns0...." -o todo_vandalize.list