
Check permissions on read
Closed, Resolved, Public

Description


Version: unspecified
Severity: normal
Whiteboard: storypoints: 3

Details

Reference
bz40557

Event Timeline

bzimport raised the priority of this task from to Needs Triage. Nov 22 2014, 12:45 AM
bzimport set Reference to bz40557.
bzimport added a subscriber: Unknown Object (MLST).

API - It looks like reading from the API is based on a generic permission, which is what the MW API does currently as well. However, we get lots of requests for the title's permissions to be checked on read, so that reading individual pages/items from the API can be controlled on a page-by-page basis (like you're doing for writes). If this is not desired for Wikidata objects, please document that somewhere. Or if that granularity in permissions is desired, then it should be implemented now.

API modules were already checking the standard "read" permission; added unit tests for that: Idb009c0d

Standard checks in core seem to be sufficient to enforce the "read" permission for UI access. I have confirmed this with manual testing for normal page views, history and diffs. We could add Selenium tests, but I suggest a separate item with low prio for that.

Verified in Wikidata demo time for sprint 18
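The distinction raised in this task, a generic "read" permission versus the title's own permissions checked on every read, is shown below as an added example. It is a constructed Python model and not MediaWiki or Wikibase code; every name in it (`User`, `Page`, `api_get`, `read_groups`, the sample store) is hypothetical.

```python
from dataclasses import dataclass, field

# Constructed model for illustration; not MediaWiki or Wikibase code.
@dataclass
class User:
    name: str
    rights: set = field(default_factory=set)   # wiki-wide rights, e.g. {"read"}
    groups: set = field(default_factory=set)

@dataclass
class Page:
    title: str
    content: str
    read_groups: set = field(default_factory=set)  # empty: no per-title restriction

class PermissionDenied(Exception):
    pass

def can_read_generic(user, page):
    """Generic check: one wiki-wide 'read' right; the title is never consulted."""
    return "read" in user.rights

def can_read_title(user, page):
    """Per-title check: the generic right plus any restriction on this title."""
    if "read" not in user.rights:
        return False
    return not page.read_groups or bool(page.read_groups & user.groups)

def api_get(store, user, titles, check):
    """Return content for the requested titles, applying `check` to each one.

    A batch request is refused as a whole on the first unreadable title,
    so a multi-title read cannot return a partially authorized result.
    """
    result = {}
    for title in titles:
        page = store[title]
        if not check(user, page):
            raise PermissionDenied(title)
        result[title] = page.content
    return result

# Constructed sample data: Q2 is restricted to the "staff" group.
STORE = {
    "Q1": Page("Q1", "public item"),
    "Q2": Page("Q2", "restricted item", {"staff"}),
}
ANON = User("anon", {"read"})
STAFF = User("staff", {"read"}, {"staff"})
BLOCKED = User("blocked")
```

With the generic check, any user holding "read" receives Q2; only the per-title check enforces the restriction, which is the behaviour a read-permission unit test has to assert for each title rather than once per request.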