Re: [Mediawiki-api] Disabling the API without disabling search suggestions?
Thanks to everyone who contributed advice about disabling the API, and the security implications of trying to hide certain MediaWiki features (special pages, RSS, page history, etc.).

For anyone interested, the site is up at https://how-emotions-are-made.com.

DanB

___
Mediawiki-api mailing list
Mediawiki-api@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-api
Re: [Mediawiki-api] Disabling the API without disabling search suggestions?
Brad Jorsch (Anomie) writes:
>https://www.mediawiki.org/wiki/Security_issues_with_authorization_extensions
>comes to mind here.

Thank you, Brad. That page is a great resource. In my case, my "restricted" wiki passes all tests on that page except the API access. Mainly because users can't edit (and therefore no editing tricks will access hidden features), we're not attempting to hide content (just old versions), and special pages are easy to blacklist via hook.

I should mention this isn't a high-security site. I'm just removing features that don't fit the purpose of the site. If people see more than they should, it's no big deal.

>You might try to hack something up by blacklisting certain API modules with
>ApiCheckCanExecute and the like,
>but such things aren't really supported.

Thanks for the tip and the warning!

DanB
Re: [Mediawiki-api] Disabling the API without disabling search suggestions?
https://www.mediawiki.org/wiki/Security_issues_with_authorization_extensions comes to mind here.

You might try to hack something up by blacklisting certain API modules with ApiCheckCanExecute and the like, but such things aren't really supported.

$wgDisableAPI itself probably doesn't make much sense anymore and may eventually be removed.

On Mon, Jan 9, 2017 at 12:35 PM, Daniel Barrett wrote:
> Max Semenik asks:
> >Why are you disabling the API in the first place? Maybe, there's a better solution?
>
> I am creating a wiki (for a specialized project) that lets anonymous users
> read articles, but that is all they can do. They cannot log in, cannot view
> article history, cannot view Special Pages, or use any other wiki features.
> Basically, it's a wiki for a few writers and thousands of anonymous
> readers. MediaWiki is a great platform because the articles are highly
> interlinked like an encyclopedia.
>
> Unfortunately, when the API is enabled, anybody can still access all the
> hidden information (article history, etc.). That's why I want to block the
> API. But then I kill search suggestions. :-)
>
> I'm grateful for any advice you may have. Thank you.
> DanB

--
Brad Jorsch (Anomie)
Senior Software Engineer
Wikimedia Foundation
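Added example, not code from the thread or from MediaWiki itself: a `LocalSettings.php` sketch of the `ApiCheckCanExecute` approach mentioned above, written as a default-deny allowlist rather than a blacklist so that only `action=opensearch` (the request search suggestions depend on) stays open to anonymous readers. The variable `$anonApiAllowlist`, the choice to exempt logged-in users, and the `badaccess-group0` message key are assumptions; the handler signature follows the MediaWiki 1.28 hook documentation, and as noted in the thread this kind of restriction is not a supported configuration.

```php
<?php
// LocalSettings.php fragment (added example, MediaWiki 1.28 assumed).
// The API must stay enabled, otherwise search suggestions stop working.
$wgEnableAPI = true;

// Hypothetical name: action modules that anonymous readers may still call.
// 'opensearch' is the action the thread names as needed for suggestions.
$anonApiAllowlist = [ 'opensearch' ];

$wgHooks['ApiCheckCanExecute'][] = function ( $module, $user, &$message )
	use ( $anonApiAllowlist )
{
	// Assumption: the wiki's few writers log in and keep normal API access.
	if ( !$user->isAnon() ) {
		return true;
	}

	// Default deny: anything not explicitly listed is refused, so modules
	// added by a later upgrade or extension are not exposed by accident.
	if ( in_array( $module->getModuleName(), $anonApiAllowlist, true ) ) {
		return true;
	}

	// Assumption: this key is accepted as the API error message to return.
	$message = 'badaccess-group0';
	return false;
};
```

Because the hook receives the top-level action module, `action=query` (and with it revision history through the API) is refused as a whole for anonymous requests. It applies to `api.php` only; `index.php` views such as page history need their own restriction.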
Re: [Mediawiki-api] Disabling the API without disabling search suggestions?
Max Semenik asks:
>Why are you disabling the API in the first place? Maybe, there's a better
>solution?

I am creating a wiki (for a specialized project) that lets anonymous users read articles, but that is all they can do. They cannot log in, cannot view article history, cannot view Special Pages, or use any other wiki features. Basically, it's a wiki for a few writers and thousands of anonymous readers. MediaWiki is a great platform because the articles are highly interlinked like an encyclopedia.

Unfortunately, when the API is enabled, anybody can still access all the hidden information (article history, etc.). That's why I want to block the API. But then I kill search suggestions. :-)

I'm grateful for any advice you may have. Thank you.

DanB
Re: [Mediawiki-api] Disabling the API without disabling search suggestions?
Why are you disabling the API in the first place? Maybe, there's a better solution?

On Jan 9, 2017 at 12:23 PM, "Daniel Barrett" wrote:
> I notice that when the MediaWiki API is disabled (with $wgEnableAPI =
> false), this also disables auto-suggestions in the search box.
>
> Assuming this is intentional... what's the friendliest way to forbid
> general web access to the API but still allow search suggestions to appear?
> I considered using the hook 'ApiBeforeMain' to return false unless
> action=opensearch. Is that the most reliable/friendly solution?
>
> This is MediaWiki 1.28.0 with the default search engine, on an Ubuntu
> 16.04LTS host.
>
> Thank you very much,
> DanB
[Mediawiki-api] Disabling the API without disabling search suggestions?
I notice that when the MediaWiki API is disabled (with $wgEnableAPI = false), this also disables auto-suggestions in the search box.

Assuming this is intentional... what's the friendliest way to forbid general web access to the API but still allow search suggestions to appear? I considered using the hook 'ApiBeforeMain' to return false unless action=opensearch. Is that the most reliable/friendly solution?

This is MediaWiki 1.28.0 with the default search engine, on an Ubuntu 16.04LTS host.

Thank you very much,
DanB