We'd like to continue supporting editing on private wikis like office wiki. To do this, we need to globally check for the 'read' right in [the userinfo query result](https://en.wikipedia.org/w/api.php?action=query&meta=userinfo&format=json&uiprop=rights) for all read accesses to the domain.
More concrete steps:
- Figure out a way to configure permissions at the root of a wiki. It might make sense to use the swagger [security object](https://github.com/swagger-api/swagger-spec/blob/master/versions/2.0.md#securityDefinitionsObject) for this, possibly with a custom Mediawiki mediaWikiSecurity scheme as sketched in [these older notes on schema loading](https://github.com/wikimedia/restbase/blob/3c841dad2f926996daef48f2923c0d1f810a5a8a/doc/Implementation.md#spec-loading) and [the production config.yaml](https://github.com/wikimedia/operations-puppet/blob/production/modules/restbase/templates/config.yaml.erb#L65).
- It might actually make sense to set this at the level of https://github.com/wikimedia/operations-puppet/blob/production/modules/restbase/templates/config.yaml.erb#L161, so that we can share the sub-specs between public & private wikis.
- On each read request (GET), kick off a parallel access check in RESTBase (in parallel with the handler), ideally in a separate security module that hides the details. For POST and PUT, we'll probably want to perform this check sequentially before doing anything else. For now, the request will be to [the userinfo query end point in the PHP API](https://en.wikipedia.org/w/api.php?action=query&meta=userinfo&format=json&uiprop=rights), and will forward the incoming cookie header to MediaWiki so that the request can be authenticated.
- If the access check fails for 'read' rights, return a 403.