Two cents from the API dept:
In order to operate quickly and efficiently, the API must know what
*read* rights the user has *before* performing db page queries.
Example: get 100 page titles
Normal operations: API has to query with limit 101, add each to the
result. If there is a 101st row, more data is available, so add
"from=nextTitle" to let the client know how to get more results.
* If the "can read" rule is page-based, API has to check each page title
before adding to the result. So the user may get < 100 titles, even
nothing, but still get a "from=xxx" to continue paging. But what if
that xxx is also non-visible? API may perform another query, try to
find the next readable title... In our current scenario, this might
mean the entire NS will have to be read until the user realizes that
the whole NS is blocked for her.
Proposed solution: Only allow the entire NS to be hidden from
everybody / a group / a user. In such case, the API will refuse to get data
for any pages in that NS.
In case there is a white list allowing a specific page to be visible
(like Main or Login), API ignores it as well, unless the page is asked
for specifically by name.
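The following is an added simulation of the two behaviours discussed in the message above (page-by-page filtering with a "from=" continue token, versus refusing a hidden namespace up front, with a by-name whitelist). It is not code from the API or from the post's author; the rows, namespace numbers, function names and the whitelist are constructed for illustration, and the "database" is an in-memory list standing in for an indexed title query.

```python
"""Simulation of paging over titles when the user cannot read a namespace.

Added example with constructed data and hypothetical function names; this is
not the wiki's real API code. 250 unreadable pages plus one whitelisted page
("Main") live in a hidden namespace, so a 100-title window takes three
queries to walk before the client learns almost nothing is visible.
"""

VISIBLE_NS = 0      # constructed: a namespace this user may read
HIDDEN_NS = 100     # constructed: a namespace hidden from this user

# Constructed sample rows: (namespace, title).
PAGES = [(VISIBLE_NS, t) for t in ("Help", "Login", "Sandbox")]
PAGES += [(HIDDEN_NS, "Hidden%03d" % i) for i in range(250)]
PAGES += [(HIDDEN_NS, "Main")]

# Constructed whitelist: pages readable even though their namespace is hidden.
WHITELIST = {(HIDDEN_NS, "Main")}


def can_read_ns(ns):
    """Namespace-level rule: the whole namespace is either readable or not."""
    return ns != HIDDEN_NS


def can_read_page(ns, title):
    """Page-level rule: namespace readable, or the page is whitelisted."""
    return can_read_ns(ns) or (ns, title) in WHITELIST


def db_query(ns, from_title, limit):
    """Stands in for SELECT title WHERE ns=? AND title>=? ORDER BY title LIMIT ?."""
    rows = sorted(t for n, t in PAGES if n == ns and t >= from_title)
    return rows[:limit]


def list_titles_page_filtered(ns, from_title, limit):
    """Behaviour described in the post: fetch limit+1 rows, then drop every
    row the user may not read. The continue token may itself be unreadable,
    so the client keeps asking until the namespace is exhausted."""
    rows = db_query(ns, from_title, limit + 1)
    window, rest = rows[:limit], rows[limit:]
    visible = [t for t in window if can_read_page(ns, t)]
    cont = rest[0] if rest else None   # "from=nextTitle" for the client
    return visible, cont


def list_titles_ns_gated(ns, from_title, limit):
    """Proposed behaviour: refuse the hidden namespace before any DB query.
    Whitelisted pages are deliberately not surfaced by listing."""
    if not can_read_ns(ns):
        raise PermissionError("namespace %d is not readable" % ns)
    rows = db_query(ns, from_title, limit + 1)
    window, rest = rows[:limit], rows[limit:]
    return window, (rest[0] if rest else None)


def get_page_by_title(ns, title):
    """A page asked for by name is checked with the page-level rule, so the
    whitelist applies here and only here."""
    if not can_read_page(ns, title):
        raise PermissionError("%d:%s is not readable" % (ns, title))
    if (ns, title) not in PAGES:
        raise KeyError(title)
    return title


def walk_namespace(api, ns, limit=100):
    """Client loop: follow the continue token until it runs out.
    Returns (titles seen, number of API calls / DB queries it cost)."""
    titles, queries, cont = [], 0, ""
    while cont is not None:
        visible, cont = api(ns, cont, limit)
        queries += 1
        titles.extend(visible)
    return titles, queries


def refused(fn, *args):
    """True if the call is rejected with PermissionError."""
    try:
        fn(*args)
        return False
    except PermissionError:
        return True


if __name__ == "__main__":
    print(walk_namespace(list_titles_page_filtered, HIDDEN_NS))  # (['Main'], 3)
    print(refused(walk_namespace, list_titles_ns_gated, HIDDEN_NS))  # True
    print(get_page_by_title(HIDDEN_NS, "Main"))  # Main
```

With page-level filtering the client makes three round trips over the hidden namespace to end up with a single whitelisted title; with the namespace gate it is refused before the first query, and the whitelisted page is still reachable when named explicitly.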