Brad Jorsch <> changed:

           What    |Removed                     |Added
           Priority|Unprioritized               |Lowest
            Summary|Cannot read whitelisted     |API should not require
                   |pages from API              |'read' user right for most
                   |                            |actions
           Severity|normal                      |enhancement

--- Comment #1 from Brad Jorsch <> ---
Quoting from the page you linked:

> This means that a client needs to be logged in to query any information at all
> through the API.

If the user isn't allowed 'read', they aren't allowed to query ''any
information at all''.[1] It never gets to the point of checking whether they
can read any particular page, or even of executing the query module.

Fixing this would be a fair bit of work, as it would likely require auditing
every API module to verify that each one properly checks the 'read' permission
before leaking any information (including e.g. whether a page exists or not).

 [1]: This is slightly inaccurate: they can still get a login token, try to
create an account, and access the API's autogenerated documentation.

Wikibugs-l mailing list
