Re: [Mediawiki-api] Disabling the API without disabling search suggestions?

2017-01-10 Thread Daniel Barrett
Thanks to everyone who contributed advice about disabling the API, and the 
security implications of trying to hide certain MediaWiki features (special 
pages, RSS, page history, etc.).

For anyone interested, the site is up at https://how-emotions-are-made.com.

DanB

___
Mediawiki-api mailing list
Mediawiki-api@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-api


Re: [Mediawiki-api] Disabling the API without disabling search suggestions?

2017-01-09 Thread Daniel Barrett
Brad Jorsch (Anomie) writes:
>https://www.mediawiki.org/wiki/Security_issues_with_authorization_extensions 
>comes to mind here.

Thank you, Brad. That page is a great resource.
In my case, my "restricted" wiki passes all tests on that page except the API 
access.
Mainly because users can't edit (and therefore no editing tricks will access 
hidden features),
we're not attempting to hide content (just old versions), and special pages are 
easy to blacklist via hook.

I should mention this isn't a high-security site. I'm just removing features 
that don't fit the purpose of the site.
If people see more than they should, it's no big deal.

>You might try to hack something up by blacklisting certain API modules with 
>ApiCheckCanExecute and the like,
>but such things aren't really supported.

Thanks for the tip and the warning!

DanB


Re: [Mediawiki-api] Disabling the API without disabling search suggestions?

2017-01-09 Thread Brad Jorsch (Anomie)
https://www.mediawiki.org/wiki/Security_issues_with_authorization_extensions
comes to mind here.

You might try to hack something up by blacklisting certain API modules with
ApiCheckCanExecute and the like, but such things aren't really supported.
$wgDisableAPI itself probably doesn't make much sense anymore and may
eventually be removed.

On Mon, Jan 9, 2017 at 12:35 PM, Daniel Barrett  wrote:

> Max Semenik  asks:
> >Why are you disabling the API in the first place? Maybe, there's a better
> solution?
>
> I am creating a wiki (for a specialized project) that lets anonymous users
> read articles, but that is all they can do. They cannot log in, cannot view
> article history, cannot view Special Pages, or use any other wiki features.
> Basically, it's a wiki for a few writers and thousands of anonymous
> readers. MediaWiki is a great platform because the articles are highly
> interlinked like an encyclopedia.
>
> Unfortunately, when the API is enabled, anybody can still access all the
> hidden information (article history, etc.). That's why I want to block the
> API. But then I kill search suggestions. :-)
>
> I'm grateful for any advice you may have. Thank you.
> DanB



-- 
Brad Jorsch (Anomie)
Senior Software Engineer
Wikimedia Foundation
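The ApiCheckCanExecute approach mentioned in this reply, sketched for LocalSettings.php as an added example (not code from the thread or from MediaWiki itself). The `$publicApiActions` allow-list and the choice to leave logged-in users unrestricted are assumptions, and as the reply says, this kind of filtering is not a supported configuration.

```php
<?php
// LocalSettings.php fragment (added example).
// Allow-list of API action modules that anonymous readers may call.
// Hypothetical variable name; 'opensearch' is the action the thread
// identifies as backing search-box suggestions.
$publicApiActions = [ 'opensearch' ];

$wgHooks['ApiCheckCanExecute'][] = function ( $module, $user, &$message )
	use ( $publicApiActions )
{
	// Assumption: the few writers log in and keep full API access;
	// only anonymous requests are filtered.
	if ( !$user->isAnon() ) {
		return true;
	}

	// The hook receives the action module being executed, so any action
	// not on the list (for example action=query, which serves revision
	// history) is refused as a whole.
	if ( in_array( $module->getModuleName(), $publicApiActions, true ) ) {
		return true;
	}

	// Deny by default: set a core message key and abort the request.
	$message = 'badaccess-group0';
	return false;
};
```

This filters api.php only; page history, feeds and special pages reached through index.php need their own restrictions, as discussed elsewhere in the thread.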


Re: [Mediawiki-api] Disabling the API without disabling search suggestions?

2017-01-09 Thread Daniel Barrett
Max Semenik  asks:
>Why are you disabling the API in the first place? Maybe, there's a better 
>solution?

I am creating a wiki (for a specialized project) that lets anonymous users read 
articles, but that is all they can do. They cannot log in, cannot view article 
history, cannot view Special Pages, or use any other wiki features. Basically, 
it's a wiki for a few writers and thousands of anonymous readers. MediaWiki is 
a great platform because the articles are highly interlinked like an 
encyclopedia.

Unfortunately, when the API is enabled, anybody can still access all the hidden 
information (article history, etc.). That's why I want to block the API. But 
then I kill search suggestions. :-)

I'm grateful for any advice you may have. Thank you.
DanB



Re: [Mediawiki-api] Disabling the API without disabling search suggestions?

2017-01-09 Thread Max Semenik
Why are you disabling the API in the first place? Maybe, there's a better
solution?

On Jan 9, 2017 at 12:23 PM, "Daniel Barrett" wrote:

> I notice that when the MediaWiki API is disabled (with $wgEnableAPI =
> false), this also disables auto-suggestions in the search box.
>
> Assuming this is intentional... what's the friendliest way to forbid
> general web access to the API but still allow search suggestions to appear?
> I considered using the hook 'ApiBeforeMain' to return false unless
> action=opensearch. Is that the most reliable/friendly solution?
>
> This is MediaWiki 1.28.0 with the default search engine, on an Ubuntu
> 16.04LTS host.
>
> Thank you very much,
> DanB


[Mediawiki-api] Disabling the API without disabling search suggestions?

2017-01-09 Thread Daniel Barrett
I notice that when the MediaWiki API is disabled (with $wgEnableAPI = false), 
this also disables auto-suggestions in the search box.

Assuming this is intentional... what's the friendliest way to forbid general 
web access to the API but still allow search suggestions to appear? I 
considered using the hook 'ApiBeforeMain' to return false unless 
action=opensearch. Is that the most reliable/friendly solution?

This is MediaWiki 1.28.0 with the default search engine, on an Ubuntu 16.04LTS 
host.

Thank you very much,
DanB

