
wdqs update with restricted view access on anonymous users
Open, Medium, Public

Description

Based on a previous support request I was able to disable read access to wikibase for anonymous users by adding the following on LocalSettings.php.template:

$wgGroupPermissions['*']['read'] = false;

Right after that, the query service syncing edits from wikibase. With the current setup, it requires anonymous access to recent changes and page data to work correctly.
Is there a way to pass credential information on the wdqs updater service?

Thank you in advance again for your support

Best,
Dimitris

Event Timeline

Restricted Application added a subscriber: Aklapper.
Addshore subscribed.

Hmm, that is indeed correct, the query service updater needs read access.

A vaguely hacky way to fix this would be to wrap the line that you have setting wgGroupPermissions in some condition, such as a condition making sure that the location of the request is internal / came from the updater IP address. You could increase the security of this by also providing some static token in a header to be communicated between the 2 services, but that might require altering the wdqs itself or putting a proxy in between (which would defeat the point).

As for the updater logging in when retrieving updates, that could be possible, but would require alteration of the wdqs code and more complexity than the above which might work for you.

Tagged the query service as this is a use case for third party wikis that may want a little bit of thought.
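
One way to write the condition suggested in the comment above, as an added example that is not part of the original thread or of the Wikibase or WDQS code. The environment variable names WDQS_UPDATER_IP and WDQS_UPDATER_TOKEN, the X-Updater-Token header and the function name are assumptions made for illustration; as the comment notes, getting the updater to send a header may require altering wdqs or adding a proxy, so the token check is optional here.

```php
<?php
// Added example for LocalSettings.php; not code from the Wikibase or WDQS projects.
// Hypothetical names: WDQS_UPDATER_IP, WDQS_UPDATER_TOKEN, X-Updater-Token,
// wdqsIsUpdaterRequest().

/**
 * Decide whether the current request comes from the query service updater.
 *
 * @param array  $server    Normally $_SERVER
 * @param string $updaterIp Address the updater connects from ('' disables the exception)
 * @param string $token     Shared static token ('' means IP check only)
 */
function wdqsIsUpdaterRequest( array $server, string $updaterIp, string $token = '' ): bool {
	// REMOTE_ADDR is the peer address of the TCP connection. It is absent for
	// command-line maintenance scripts, which are never treated as the updater.
	// X-Forwarded-For is deliberately not consulted: the client controls it.
	$remote = $server['REMOTE_ADDR'] ?? '';
	if ( $updaterIp === '' || $remote !== $updaterIp ) {
		return false;
	}
	if ( $token === '' ) {
		return true; // IP-only mode
	}
	// PHP exposes the X-Updater-Token request header as HTTP_X_UPDATER_TOKEN.
	$sent = $server['HTTP_X_UPDATER_TOKEN'] ?? '';
	// hash_equals() compares in constant time, so timing does not leak the token.
	return is_string( $sent ) && hash_equals( $token, $sent );
}

// Default for every request: anonymous users cannot read.
$wgGroupPermissions['*']['read'] = false;

// Exception: requests from the updater keep anonymous read access.
// getenv() returns false when a variable is unset; the cast turns that into ''.
if ( wdqsIsUpdaterRequest(
	$_SERVER,
	(string)getenv( 'WDQS_UPDATER_IP' ),
	(string)getenv( 'WDQS_UPDATER_TOKEN' )
) ) {
	$wgGroupPermissions['*']['read'] = true;
}
```

If a reverse proxy or load balancer sits in front of the wiki and the updater also goes through it, REMOTE_ADDR is the proxy's address for every request, and an IP-only check would reopen anonymous reads to everyone behind that proxy.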

Gehel triaged this task as Medium priority. Sep 15 2020, 7:55 AM

I would like to give this issue a bump. I have a Wikibase instance that runs within a government network where I need to restrict read access to all anonymous users. I wanted to whitelist the main page as an introduction page for non-members.

Has this issue been discussed further since 2019?

Regards,

Maarten Zeinstra