Lane, Ryan wrote:
If a user has insufficient permissions to read a page, he should not be able to fetch any information at all about it I think.
IIRC, the API only honors read rights when serving page *content*, and AFAIK the UI allows users to get information about unreadable pages too (Special:Allpages and friends, for example).
Isn't this different than the way the normal rights work? Shouldn't the
API only allow pages on the white list to be read? Is there a good
reason to go against MediaWiki's normal security design in the API?
Well, that's the thing -- if Special:Allpages is on the whitelist, then
you can go to Special:Allpages and see everything Special:Allpages has
to offer (a list of all pages).
If you can access the API...
-- brion