Version: unspecified
Severity: normal
Whiteboard: storypoints: 3
Description
Details
- Reference
- bz40557
Status | Subtype | Assigned | Task | ||
---|---|---|---|---|---|
Resolved | Reedy | T40975 Deployment of Wikidata to Wikimedia wikis (tracking) | |||
Resolved | None | T42000 Deploy wikidata.org with the Wikidata repository | |||
Resolved | None | T42573 Backport fixes to Wikibase v0.1 | |||
Resolved | None | T42557 Check permissions on read |
Event Timeline
Api - It looks like reading from the api is based on a generic permission, which is what the MW api does currently as well. However, we get lots of requests for the title's permissions to be checked on read, so that reading individual pages/items from the api can be controlled on a page-by-page basis (like you're doing for writes). If this is not desired for wikidata objects, please document that somewhere. Or if that granularity in permissions is desired, then it should be implemented now.
API modules were already checking the standard "read" permission, added unit tests for that: Idb009c0d
Standard checks in core seems to be sufficient to enforce the "read" permission for UI access. I have confirmed this with manual testing for normal page views, history and diffs. We could add selenium tests, but I suggest a separate item with low prio for that.