
restructuring of writeapi permission
Closed, Resolved, Public

Description

Out of all possible methods of restricting API usage, the writeapi permission causes the least issues compared to the other two.

  1. Disabling any $wgActions will break that action for everyone, even those with permission to execute the action. It probably isn't intended for users with permission to be denied. The error message that occurs is: "specified by the URL is invalid. You might have mistyped the URL, or followed an incorrect link. This might also indicate a bug in the software used by website"
  1. Attempting to restrict API modules results in a severe internal server error 500, worst case.
  1. When disabling writeapi for regular users, it not only denies GET and POST requests involving reading or modifying the wiki but also denies wiki scripts located under MediaWiki:Common.js from even loading; that does not seem to have been the original intent, nor is any of this indicative of this permission.

public wiki error:

{ "error": { "code": "accessdenied", "info": "You are not allowed to view MediaWiki:PAGENAME.js", "*": "See http://XXXX/w/api.php for API usage. Subscribe to the mediawiki-api-announce mailing list at <https://lists.wikimedia.org/mailman/listinfo/mediawiki-api-announce> for notice of API deprecations and breaking changes." } }

private wiki error:

"Login Required" { "error": { "code": "readapidenied", "info": "You need read permission to use this module.", "*": "See http://XXX/w/api.php for API usage. Subscribe to the mediawiki-api-announce mailing list at <https://lists.wikimedia.org/mailman/listinfo/mediawiki-api-announce> for notice of API deprecations and breaking changes." } }

Thus I am requesting discussion regarding splitting this permission or, at the very minimum, allowing scripts located on the wiki to be executed as text/javascript rather than being sent as text/html (safe). This permission is not doing what is expected on the surface.

Event Timeline

Apparently, not using mw.load.loader() to execute scripts via index.php and just simply hosting all the code inside MediaWiki:Common.js doesn't throw the above errors, even when writeapi is denied and Extension:Lockdown is used.