API should not require 'read' user right for most actions
Open, LowestPublic


It is not possible to view a whitelisted page through the MediaWiki API.

Steps to reproduce:

  • Set $wgGroupPermissions['*']['read'] = false to create a private wiki.
  • Add a page to the whitelist using $wgWhitelistRead = array( "Foo" );
  • Access api.php?action=parse&page=Foo

Expected behaviour:

  • The API to return successfully, showing the contents of the page [[Foo]].

Actual behaviour:

  • The API returns a readapidenied error ("You need read permission to use this module"), even though a user can access index.php?title=Foo without an error.

This bug has been mentioned on the MediaWiki wiki since at least 2010 ([[mw:Special:Permalink/300785]]), but I couldn't find any existing filed bugs in the API category on Bugzilla.

Version: unspecified
Severity: enhancement


bzimport raised the priority of this task from to Lowest.
bzimport set Reference to bz62842.
bzimport added a subscriber: Unknown Object (MLST).
MC8 created this task.Mar 19 2014, 4:55 PM

Quoting from the page you linked:

This means that a client needs to be logged in to query any information at all
through the API.

If the user isn't allowed 'read', they aren't allowed to query ''any information at all''.[1] It never gets to the point of checking whether they can read any particular page, or even of executing the query module.

Fixing this would be a fair bit of work, as it would likely require auditing every API module to verify that each one properly checks the 'read' permission before leaking any information (including e.g. whether a page exists or not).

[1]: This is slightly inaccurate: they can still get a login token, try to create an account, and access the API's autogenerated documentation.

Anomie moved this task from Unsorted to Needs Code on the MediaWiki-API board.Feb 19 2015, 6:38 PM