We did indeed disable all non-view actions for people who aren't Users, so
that includes raw.

We didn't disable Special:Expandtemplates, so thanks for pointing that out!
The API is indeed disabled.

I thought about doing the proxy thing but that was starting to be a lot of
trouble. We might have to tear open whatever file the parameters are in and
hack apart Diff there, if there's no other way.

On Wed, Jan 10, 2018 at 3:01 AM, Brian Wolff <[email protected]> wrote:

> Honestly, at that point, you'd probably be better setting up some sort
> of proxy thing, where non-logged in users view some sort of proxy that
> only proxies the page view (not allowing any url parameters through or
> viewing any special pages), and logged in users actually deal with MW.
>
> The biggest thing you missed is probably ?action=raw .
> Special:Expandtemplates is also another vector (via {{msgnw:page name
> here}}). I assume you've also disabled the api.
>
> There's probably a lot of others. MediaWiki is not designed to hide
> the wikitext source of pages.
>
> --
> Brian
>
> On Wed, Jan 10, 2018 at 7:01 AM, Drium Yrvak <[email protected]> wrote:
> > Hi all!
> >
> > I'm helping set up a Mediawiki for a site. Unfortunately, it's in a
> > fairly drama-filled environment, where plagiarism is so common as to
> > make us feel that we'd like to protect how we did certain things. Our
> > wiki uses a lot of SQL integration and took a while to set up, and other
> > wikis in the hobby don't use SQL a lot. To make a long story short, we
> > want to prevent those competing sites from just copypasting our SQL code
> > and reverse-engineering how we did things from that. If they want to
> > figure it out on their own they certainly can, but we don't want people
> > to just take our code.
> >
> > Luckily, by virtue of how the site is handled, the wiki doesn't allow
> > anyone but the administrators to make or edit pages. That means we
> > disabled account creation, and to protect certain pages (like history
> > and view source) using the Lockdown extension, we simply restricted
> > their access to the Users group.
> >
> > Sadly, it's still possible to catch the wiki code of our pages using the
> > Diff parameter, and no doubt a few other pages. We disabled
> > Special:Export and Special:Compare, for example. But using any page that
> > lists edits, like Recent Changes, people can just compare two old
> > versions of a page and see the raw wiki code.
> >
> > How would one go about preventing access to the Diff parameter unless
> > they're a User? Are there other ways to grab the raw wiki source code we
> > should know about?
> >
> > I know this is against Mediawiki's usual open source policy. I apologize!
> > But if you could still help it'd be greatly appreciated.
> > _______________________________________________
> > MediaWiki-l mailing list
> > To unsubscribe, go to:
> > https://lists.wikimedia.org/mailman/listinfo/mediawiki-l

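The allowlisting proxy suggested in the quoted reply could decide what to forward for anonymous visitors along these lines. This is an added example, not code from the thread or from MediaWiki; the `/wiki/` article path, the allowed namespace set and the name `upstream_path` are assumptions, and the sample requests are constructed.

```python
from urllib.parse import quote, unquote, urlsplit

ARTICLE_PREFIX = "/wiki/"                  # assumption: $wgArticlePath = "/wiki/$1"
ALLOWED_NAMESPACES = {"category", "file"}  # assumption: prefixes safe to show

def upstream_path(method, url):
    """Return the path the proxy fetches from MediaWiki, or None to refuse."""
    if method not in ("GET", "HEAD"):
        return None
    parts = urlsplit(url)
    # No URL parameters at all: drops ?action=raw, ?diff=, ?oldid= and the like.
    if parts.query or "?" in url:
        return None
    # Only the pretty article path; index.php and api.php are never reachable.
    if not parts.path.startswith(ARTICLE_PREFIX):
        return None
    title = unquote(parts.path[len(ARTICLE_PREFIX):])
    # A '%' left after one decode means double encoding; refuse rather than guess.
    if "%" in title or any(ord(c) < 32 for c in title):
        return None
    title = title.replace(" ", "_").strip("_")
    if not title or any(seg in (".", "..") for seg in title.split("/")):
        return None
    # Fail closed on namespaces: Special: (Expandtemplates, Export, ...) and any
    # alias of it are refused because they are not on the allowlist. The cost is
    # that main-namespace titles containing ':' are refused too.
    if ":" in title:
        namespace = title.split(":", 1)[0].strip("_").lower()
        if namespace not in ALLOWED_NAMESPACES:
            return None
    return ARTICLE_PREFIX + quote(title, safe="/:")

if __name__ == "__main__":
    constructed = [  # constructed sample requests, not taken from any real log
        ("GET", "/wiki/Main_Page"),
        ("GET", "/wiki/Main_Page?action=raw"),
        ("GET", "/w/index.php?title=Main_Page&diff=2&oldid=1"),
        ("GET", "/wiki/special%3AExpandtemplates"),
        ("GET", "/w/api.php"),
    ]
    for method, url in constructed:
        print(method, url, "->", upstream_path(method, url) or "REFUSED")
```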