On Thu, Sep 25, 2008 at 5:55 PM, catrope@svn.wikimedia.org wrote:
Revision: 41261 Author: catrope Date: 2008-09-25 15:55:09 +0000 (Thu, 25 Sep 2008)
Log Message:
(bug 15609) Add inprop=url (full URL to page and edit form) and inprop=readable (whether the current user can read the page) to prop=info
If a user has insufficient permissions to read a page, he should not be able to fetch any information at all about it I think.
Bryan
Bryan Tong Minh wrote:
On Thu, Sep 25, 2008 at 5:55 PM, catrope@svn.wikimedia.org wrote:
Revision: 41261 Author: catrope Date: 2008-09-25 15:55:09 +0000 (Thu, 25 Sep 2008)
Log Message:
(bug 15609) Add inprop=url (full URL to page and edit form) and inprop=readable (whether the current user can read the page) to prop=info
If a user has insufficient permissions to read a page, he should not be able to fetch any information at all about it I think.
IIRC, the API only honors read rights when serving page *content*, and AFAIK the UI allows users to get information about unreadable pages too (Special:Allpages and friends, for example).
Roan Kattouw (Catrope)
If a user has insufficient permissions to read a page, he should not be able to fetch any information at all about it I think.
IIRC, the API only honors read rights when serving page *content*, and AFAIK the UI allows users to get information about unreadable pages too (Special:Allpages and friends, for example).
Isn't this different than the way the normal rights work? Shouldn't the API only allow pages on the white list to be read? Is there a good reason to go against MediaWiki's normal security design in the API?
I think quite a few locked down wikis may have issues with this.
V/r,
Ryan Lane
Lane, Ryan wrote:
If a user has insufficient permissions to read a page, he should not be able to fetch any information at all about it I think.
IIRC, the API only honors read rights when serving page *content*, and AFAIK the UI allows users to get information about unreadable pages too (Special:Allpages and friends, for example).
Isn't this different than the way the normal rights work? Shouldn't the API only allow pages on the white list to be read? Is there a good reason to go against MediaWiki's normal security design in the API?
Well, that's the thing -- if Special:Allpages is on the whitelist, then you can go to Special:Allpages and see everything Special:Allpages has to offer (a list of all pages).
If you can access the API...
-- brion
be able to fetch any information at all about it I think.
IIRC, the API only honors read rights when serving page *content*, and AFAIK the UI allows users to get information about unreadable pages too (Special:Allpages and friends, for example).
Isn't this different than the way the normal rights work? Shouldn't the API only allow pages on the white list to be read? Is there a good reason to go against MediaWiki's normal security design in the API?
Well, that's the thing -- if Special:Allpages is on the whitelist, then you can go to Special:Allpages and see everything Special:Allpages has to offer (a list of all pages).
If you can access the API...
Oops, ignore me; I read the original completely incorrectly.
Thanks,
Ryan Lane
On Thu, Sep 25, 2008 at 8:41 PM, Brion Vibber brion@wikimedia.org wrote:
Lane, Ryan wrote:
If a user has insufficient permissions to read a page, he should not be able to fetch any information at all about it I think.
IIRC, the API only honors read rights when serving page *content*, and AFAIK the UI allows users to get information about unreadable pages too (Special:Allpages and friends, for example).
Isn't this different than the way the normal rights work? Shouldn't the API only allow pages on the white list to be read? Is there a good reason to go against MediaWiki's normal security design in the API?
Well, that's the thing -- if Special:Allpages is on the whitelist, then you can go to Special:Allpages and see everything Special:Allpages has to offer (a list of all pages).
or run
$ wget "http://download.wikimedia.org/enwiki/latest/enwiki-latest-all-titles-in-ns0...." -o todo_vandalize.list
Tei wrote:
or run
$ wget "http://download.wikimedia.org/enwiki/latest/enwiki-latest-all-titles-in-ns0...." -o todo_vandalize.list
Hehehe, you then will end up with a file enwiki-latest-all-titles-in-ns0.gz and a todo_vandalize.list full of progress text ;)
You wanted to do: wget "http://download.wikimedia.org/enwiki/latest/enwiki-latest-all-titles-in-ns0...." -O - | gzip -d | xargs -I pagename curl "http://en.wikipedia.org/w/api.php?action=watch&title=pagename"
:-)
Brion Vibber wrote:
Lane, Ryan wrote:
If a user has insufficient permissions to read a page, he should not be able to fetch any information at all about it I think.
IIRC, the API only honors read rights when serving page *content*, and AFAIK the UI allows users to get information about unreadable pages too (Special:Allpages and friends, for example).
Isn't this different than the way the normal rights work? Shouldn't the API only allow pages on the white list to be read? Is there a good reason to go against MediaWiki's normal security design in the API?
The function Title::userCanRead() is used, which checks for the 'read' permission as well as the whitelist.
Well, that's the thing -- if Special:Allpages is on the whitelist, then you can go to Special:Allpages and see everything Special:Allpages has to offer (a list of all pages).
If you can access the API...
True. I've had plans to implement selective disabling of API modules in LocalSettings.php for a while now. Also, there should probably be a right that controls whether users can use the API as a whole.
Roan Kattouw (Catrope)
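The two behaviours debated in this thread, side by side, as an added example that is not part of the original messages and is not MediaWiki code: a simplified Python model in which `user_can_read` stands in for the check described for Title::userCanRead() ('read' right or whitelist). All names, the whitelist and the sample pages are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    rights: set = field(default_factory=set)

# Constructed sample data for a locked-down wiki (assumption, not from the thread).
WHITELIST = {"Main Page"}
PAGES = {
    "Main Page": {"pageid": 1, "length": 1200},
    "Secret plans": {"pageid": 2, "length": 90210},
}

def user_can_read(user, title):
    """Model of the described check: the 'read' right or a whitelisted title."""
    return "read" in user.rights or title in WHITELIST

def info_with_flag(user, titles):
    """Behaviour from the commit: metadata for every existing page plus 'readable'."""
    out = {}
    for t in titles:
        if t in PAGES:
            out[t] = dict(PAGES[t], readable=user_can_read(user, t))
        else:
            out[t] = {"missing": True}
    return out

def info_strict(user, titles):
    """Stricter behaviour raised in the first reply: an unreadable page looks
    exactly like a missing one, so neither existence nor metadata is disclosed."""
    out = {}
    for t in titles:
        if t in PAGES and user_can_read(user, t):
            out[t] = dict(PAGES[t], readable=True)
        else:
            out[t] = {"missing": True}
    return out

def disclosed_unreadable(result, user):
    """Audit helper: titles whose metadata is returned to a user who cannot read them."""
    return sorted(t for t, info in result.items()
                  if "missing" not in info and not user_can_read(user, t))
```

Running `disclosed_unreadable` over the output of any listing or info endpoint is a quick way to audit which interfaces reveal titles or metadata of pages outside the whitelist.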
wikitech-l@lists.wikimedia.org