Tested on MW 1.22.6 with stable snapshot of VisualEditor, but looking at the master branches I'm quite sure that this still applies.
Steps to reproduce
- Set wiki to have read access only for users:
    $wgGroupPermissions['*']['read'] = false;
    $wgGroupPermissions['user']['read'] = true;
Note that if testing on local environment, you will have to first open VE with the 'Edit' button, so that Parsoid is not locked out by this configuration.
- Open the 'Media' button in the VE toolbar and search for something.
- The AJAX request will return 'readapidenied', because it won't recognise the user credentials.
ve.ui.MWMediaSearchWidget.js makes a JSONP request to the localhost. However, MediaWiki's ApiMain.php:180 (https://git.wikimedia.org/blob/mediawiki%2Fcore.git/9db61c9ab58b11b639a1f95916b37b57530ec674/includes%2Fapi%2FApiMain.php#L180) will remove user credentials from JSONP requests for security reasons. Therefore, the user is treated as not being logged in and the 'readapidenied' message is returned.
There is already a TODO here from Trevor Parscal bf268e82:
    // TODO: Only use JSON-P for cross-domain.
    // jQuery has this logic built-in (if url is not same-origin ..)
    // but isn't working for some reason.
However, I can't see anything in the jQuery $.ajax docs that says it will switch from JSONP to JSON for same-origin requests.
I didn't want to make a patch for this without checking about the security implications, and also to ask if there is an existing utility function in MediaWiki which checks if a request is same-origin?
If you are only searching the private wiki and no external sources, a temporary workaround is to change "'dataType': 'jsonp'" to "'dataType': 'json'" in ve.ui.MWMediaSearchWidget.js.
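
The same-origin decision described in the TODO above, as an added example that is not code from VisualEditor, MediaWiki or the original report. The function names, the sample URLs and the choice of search parameters are assumptions made for illustration.

```javascript
// Added example: pick 'json' for same-origin API calls so the session cookie
// is honoured, and 'jsonp' only for cross-origin ones, where MediaWiki drops
// the user's credentials. All names and URLs here are hypothetical.

// Resolve apiUrl against the page URL and compare origins
// (scheme + host + port). Relative and protocol-relative URLs are resolved
// by the URL parser; unparseable input is treated as cross-origin.
function isSameOrigin(apiUrl, pageUrl) {
  try {
    const page = new URL(pageUrl);
    const api = new URL(apiUrl, page);
    // Opaque origins (file:, data:) serialise to "null"; never match on them.
    return api.origin !== 'null' && api.origin === page.origin;
  } catch (e) {
    return false;
  }
}

function apiDataType(apiUrl, pageUrl) {
  return isSameOrigin(apiUrl, pageUrl) ? 'json' : 'jsonp';
}

// Build an options object in the shape jQuery's $.ajax accepts.
// The query parameters are a plain file-namespace search chosen for the
// example, not the request VisualEditor actually sends.
function buildMediaSearchRequest(apiUrl, pageUrl, query) {
  return {
    url: apiUrl,
    dataType: apiDataType(apiUrl, pageUrl),
    data: {
      action: 'query',
      list: 'search',
      srsearch: query,
      srnamespace: 6,
      format: 'json'
    }
  };
}
```

In a browser, `pageUrl` would be `window.location.href`; it is passed in here so the check can be exercised outside a page.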