Passing on the cookie header from the VisualEditor extension to Parsoid and then from Parsoid back to the API might be enough to enable this. Definitely worth a try.

• Bug 44313 has been marked as a duplicate of this bug. ***

Change 85414 had a related patch set uploaded by GWicke:
WIP Bug 44483: Forward Cookie header to API

https://gerrit.wikimedia.org/r/85414

Random idea:

Could Parsoid be made private (already is, though last I checked it still has a public IP) and use an internal API instead of the public API. Then the responsibility for user rights lays in MediaWiki land, and when the request is in Parsoid we can assume it is authenticated and thus Parsoid can have unrestricted access.

(In reply to comment #4)

Random idea:

Could Parsoid be made private (already is, though last I checked it still
has a
public IP) and use an internal API instead of the public API. Then the
responsibility for user rights lays in MediaWiki land, and when the request
is
in Parsoid we can assume it is authenticated and thus Parsoid can have
unrestricted access.

That is what we'll have to do in the longer term once we store HTML. Parsoid might not even be involved in that case, only the content API / storage is. See https://www.mediawiki.org/wiki/User:GWicke/Notes/Storage for the current WIP on that.

Change 85414 merged by jenkins-bot:
Bug 44483: Forward Cookie header to API

https://gerrit.wikimedia.org/r/85414

Cookies are now forwarded, and caching is disabled if a cookie is set. Closing this bug as fixed. A content API will have to do its own auth.

Change 91111 had a related patch set uploaded by Jforrester:
Support private wikis by forwarding Cookie: headers to Parsoid

https://gerrit.wikimedia.org/r/91111

Closing again.

Change 91111 merged by jenkins-bot:
Support private wikis by forwarding Cookie: headers to Parsoid

https://gerrit.wikimedia.org/r/91111