The allrevisions list (and all other lists inheriting from ApiQueryRevisionsBase) in the action=query module can be used to retrieve the contents of pages that are protected by the Lockdown extension and added to $wgNonincludableNamespaces.
This is a similar issue to T397521.
Reproduction
- Install Lockdown and add the following to your LocalSettings.php:
  ```php
  $wgNamespacePermissionLockdown[NS_PROJECT]['read'] = [ 'sysop' ];
  $wgNonincludableNamespaces[] = NS_PROJECT;
  ```
- Create a page in the project namespace
- Make sure you're logged out or don't have sysop perms (trying to access the page should yield a "Login required" page)
- Go to /wiki/Special:ApiSandbox#action=query&format=json&list=allrevisions&titles=&formatversion=2&arvprop=content&arvnamespace=4
The API returns the content of the read-protected page, for example:
```json
{
    "batchcomplete": true,
    "warnings": {
        "main": {
            "warnings": "Subscribe to the mediawiki-api-announce mailing list at <https://lists.wikimedia.org/postorius/lists/mediawiki-api-announce.lists.wikimedia.org/> for notice of API deprecations and breaking changes."
        },
        "allrevisions": {
            "warnings": "Because \"arvslots\" was not specified, a legacy format has been used for the output. This format is deprecated, and in the future the new format will always be used."
        }
    },
    "query": {
        "allrevisions": [
            {
                "pageid": 15,
                "revisions": [
                    {
                        "contentformat": "text/x-wiki",
                        "contentmodel": "wikitext",
                        "content": "Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum.\nTest"
                    },
                    {
                        "contentformat": "text/x-wiki",
                        "contentmodel": "wikitext",
                        "content": "Test"
                    }
                ],
                "ns": 4,
                "title": "TestWiki:LockdownTest"
            }
        ]
    }
}
```
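A regression check for this leak, added here as an example and not part of the original report or of MediaWiki: it scans an allrevisions response captured as a user without read rights and lists every revision text exposed in a read-protected namespace. The function names and the sample response are constructed for illustration; namespace 4 is the project namespace from the reproduction, and the check covers both the legacy layout shown above and the slots layout.

```python
import json

# Constructed sample modeled on the response in this report (content shortened).
# The second page uses the "slots" layout returned when arvslots is specified.
SAMPLE_RESPONSE = json.loads("""
{"batchcomplete": true, "query": {"allrevisions": [
  {"pageid": 15, "ns": 4, "title": "TestWiki:LockdownTest", "revisions": [
    {"contentmodel": "wikitext", "content": "Lorem Ipsum\\nTest"},
    {"contentmodel": "wikitext", "content": "Test"}]},
  {"pageid": 16, "ns": 4, "title": "TestWiki:SlotsExample", "revisions": [
    {"slots": {"main": {"contentmodel": "wikitext", "content": "Secret"}}}]},
  {"pageid": 1, "ns": 0, "title": "Main Page", "revisions": [
    {"contentmodel": "wikitext", "content": "Public text"}]}
]}}
""")


def exposed_text(revision):
    """Yield (slot_role, text) for every piece of page text in a revision."""
    # Legacy layout: text sits on the revision itself
    # ("content" with formatversion=2, "*" with formatversion=1).
    for key in ("content", "*"):
        if isinstance(revision.get(key), str):
            yield "main", revision[key]
    # Slots layout: text is nested under each slot role.
    for role, slot in revision.get("slots", {}).items():
        for key in ("content", "*"):
            if isinstance(slot.get(key), str):
                yield role, slot[key]


def find_leaks(response, protected_namespaces):
    """Return one finding per revision text exposed in a protected namespace."""
    findings = []
    for page in response.get("query", {}).get("allrevisions", []):
        if page.get("ns") not in protected_namespaces:
            continue  # namespace is readable by everyone, nothing to flag
        for index, revision in enumerate(page.get("revisions", [])):
            for role, text in exposed_text(revision):
                findings.append({"title": page.get("title"), "slot": role,
                                 "revision_index": index, "chars": len(text)})
    return findings


if __name__ == "__main__":
    for finding in find_leaks(SAMPLE_RESPONSE, {4}):
        print(finding)
```

An empty result for the protected namespaces is the expected outcome once the permission check is in place.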
Cause
One of the issues might be caused by this function:
Adding $this->checkTitleUserPermissions( $title, 'read' ); after $title is created fixes the issue for me, but it also causes all queries with list=allrevisions that would return at least one protected page to fully fail instead of just skipping over the page if the user doesn't have permission to read it.
Another permission check is missing here: