Page MenuHomePhabricator

wdqs update with restricted view access on anonymous users
Open, MediumPublic

Description

Based on a previous support request I was able to disable read access to wikibase for anonymous users by adding the following on LocalSettings.php.template

$wgGroupPermissions['*']['read'] = false;

Right after that, the query service syncing edits from wikibase. With the current setup, It requires anonymous access to recent changes and page data to work correctly.
Is there a way to pass credential information on the wdqs updater service?

Thank you in advance again for your support

Best,
Dimitris

Event Timeline

Jimkont created this task.Sep 2 2019, 9:42 PM
Restricted Application added a project: Wikidata. · View Herald TranscriptSep 2 2019, 9:42 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Addshore added a subscriber: Addshore.

Hmm, that is indeed correct, the query service updater needs read access.

A vaguely hacky way to fix this would be to wrap the line that you have setting wgGroupPermissions in some condition, such as a condition making sure that the location of the request is internal / came from the updater IP address. You could increase the security of this by also providing some static token in a header to be communicated between the 2 services, but that might require altering the wdqs itself or putting a proxy in between (which would defeat the point)

As for the updater logging in when retrieving updates, that could be possible, but would require alteration of the wdqs code and more complexity than the above which might work for you.

Tagged the query service as this is a usecase for third party wikis that may want a little bit of thought.

Gehel triaged this task as Medium priority.Sep 15 2020, 7:55 AM