https://bugzilla.wikimedia.org/show_bug.cgi?id=62842

Brad Jorsch <bjor...@wikimedia.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|Unprioritized               |Lowest
            Summary|Cannot read whitelisted     |API should not require
                   |pages from API              |'read' user right for most
                   |                            |actions
           Severity|normal                      |enhancement

--- Comment #1 from Brad Jorsch <bjor...@wikimedia.org> ---
Quoting from the page you linked:

> This means that a client needs to be logged in to query any information at all
> through the API.

If the user isn't allowed 'read', they aren't allowed to query ''any
information at all''.[1] It never gets to the point of checking whether they
can read any particular page, or even of executing the query module.

Fixing this would be a fair bit of work, as it would likely require auditing
every API module to verify that each one properly checks the 'read' permission
before leaking any information (including e.g. whether a page exists or not).


 [1]: This is slightly inaccurate: they can still get a login token, try to
create an account, and access the API's autogenerated documentation.
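
A toy model of the trade-off described in the comment above, added here as an illustration; it is not part of the bug report and not MediaWiki code. Page titles, error values and function names are constructed, and `checks_read` stands in for "this module has been audited".

```python
# Toy model of the behaviour discussed in the comment; not MediaWiki code.
# Page titles, contents and error values are constructed.
PAGES = {"Main Page": "Welcome", "Secret plans": "internal only"}
WHITELIST = {"Main Page"}                      # readable without 'read'
UNGATED = {"login", "createaccount", "help"}   # exceptions from footnote [1]
DENIED = {"error": "denied"}


def can_read(rights, title):
    """Per-page decision: the 'read' right, or a whitelisted title."""
    return "read" in rights or title in WHITELIST


def query_module(rights, title, checks_read):
    """Stand-in for one API module; checks_read marks it as audited."""
    # The permission check runs before the existence lookup, so a missing
    # page and an unreadable page produce the same answer.
    if checks_read and not can_read(rights, title):
        return DENIED
    if title not in PAGES:
        return {"missing": title}
    return {"content": PAGES[title]}


def dispatch(rights, action, title=None, *, global_gate, checks_read):
    """Entry point: optional blanket 'read' gate, then the module."""
    if action in UNGATED:
        return {"ok": action}
    if global_gate and "read" not in rights:
        return DENIED                          # module is never executed
    if action == "query":
        return query_module(rights, title, checks_read)
    return {"error": "unknown action"}


if __name__ == "__main__":
    anon = frozenset()                         # client without 'read'
    cases = [("blanket gate", True, False),
             ("gate removed, module not audited", False, False),
             ("gate removed, module audited", False, True)]
    for label, gate, audited in cases:
        print(label)
        for title in ("Main Page", "Secret plans", "No such page"):
            result = dispatch(anon, "query", title,
                              global_gate=gate, checks_read=audited)
            print("   ", title, "->", result)
```
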
