Disabling the API without disabling search suggestions?

Disabling the API without disabling search suggestions?

Daniel Barrett
I notice that when the MediaWiki API is disabled (with $wgEnableAPI = false), this also disables auto-suggestions in the search box.

Assuming this is intentional... what's the friendliest way to forbid general web access to the API but still allow search suggestions to appear? I considered using the hook 'ApiBeforeMain' to return false unless action=opensearch. Is that the most reliable/friendly solution?

This is MediaWiki 1.28.0 with the default search engine, on an Ubuntu 16.04LTS host.

Thank you very much,
DanB


_______________________________________________
Mediawiki-api mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-api
Re: Disabling the API without disabling search suggestions?

Max Semenik
Why are you disabling the API in the first place? Maybe, there's a better solution?

On Jan 9, 2017 at 12:23 PM, "Daniel Barrett" <[hidden email]> wrote:
I notice that when the MediaWiki API is disabled (with $wgEnableAPI = false), this also disables auto-suggestions in the search box.

Assuming this is intentional... what's the friendliest way to forbid general web access to the API but still allow search suggestions to appear? I considered using the hook 'ApiBeforeMain' to return false unless action=opensearch. Is that the most reliable/friendly solution?

This is MediaWiki 1.28.0 with the default search engine, on an Ubuntu 16.04LTS host.

Thank you very much,
DanB


Re: Disabling the API without disabling search suggestions?

Daniel Barrett
Max Semenik <[hidden email]> asks:
>Why are you disabling the API in the first place? Maybe, there's a better solution?

I am creating a wiki (for a specialized project) that lets anonymous users read articles, but that is all they can do. They cannot log in, cannot view article history, cannot view Special Pages, or use any other wiki features. Basically, it's a wiki for a few writers and thousands of anonymous readers. MediaWiki is a great platform because the articles are highly interlinked like an encyclopedia.

Unfortunately, when the API is enabled, anybody can still access all the hidden information (article history, etc.). That's why I want to block the API. But then I kill search suggestions. :-)

I'm grateful for any advice you may have. Thank you.
DanB


Re: Disabling the API without disabling search suggestions?

Brad Jorsch (Anomie)
You might try to hack something up by blacklisting certain API modules with ApiCheckCanExecute and the like, but such things aren't really supported. $wgDisableAPI itself probably doesn't make much sense anymore and may eventually be removed.

On Mon, Jan 9, 2017 at 12:35 PM, Daniel Barrett <[hidden email]> wrote:
Max Semenik <[hidden email]> asks:
>Why are you disabling the API in the first place? Maybe, there's a better solution?

I am creating a wiki (for a specialized project) that lets anonymous users read articles, but that is all they can do. They cannot log in, cannot view article history, cannot view Special Pages, or use any other wiki features. Basically, it's a wiki for a few writers and thousands of anonymous readers. MediaWiki is a great platform because the articles are highly interlinked like an encyclopedia.

Unfortunately, when the API is enabled, anybody can still access all the hidden information (article history, etc.). That's why I want to block the API. But then I kill search suggestions. :-)

I'm grateful for any advice you may have. Thank you.
DanB




--
Brad Jorsch (Anomie)
Senior Software Engineer
Wikimedia Foundation
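
An added example, not code from any poster in this thread or from MediaWiki itself: a LocalSettings.php fragment that sketches the ApiCheckCanExecute approach mentioned above as an allowlist, so anonymous readers can reach only action=opensearch. The variable name $anonAllowedActions and the choice of the 'badaccess-group0' message key are assumptions, and as noted in the thread this kind of restriction is not a supported configuration.

```php
<?php
// LocalSettings.php fragment (added example).
// Leave the API enabled so the search box can still request suggestions.
$wgEnableAPI = true;

// Assumption: the only API action anonymous readers need is 'opensearch',
// the action named in the thread for search suggestions.
$anonAllowedActions = [ 'opensearch' ];

// ApiCheckCanExecute runs once per request for the top-level action module.
// Returning false with $message set cancels the request with an API error.
$wgHooks['ApiCheckCanExecute'][] = function ( $module, $user, &$message )
	use ( $anonAllowedActions )
{
	// Logged-in writers keep normal API access (editors, gadgets, bots).
	if ( !$user->isAnon() ) {
		return true;
	}

	// Allowlist rather than blocklist: any action not named above,
	// including ones added by future extensions, is denied by default.
	if ( in_array( $module->getModuleName(), $anonAllowedActions, true ) ) {
		return true;
	}

	// Assumption: generic "permission denied" message key.
	$message = 'badaccess-group0';
	return false;
};
```

To check the result, request api.php as an anonymous client once with action=opensearch and once with action=query: the first should return suggestions and the second an API error. The hook only covers api.php, so page history and similar views served through index.php need their own restriction.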

Re: Disabling the API without disabling search suggestions?

Daniel Barrett
Brad Jorsch (Anomie) writes:
>https://www.mediawiki.org/wiki/Security_issues_with_authorization_extensions comes to mind here.

Thank you, Brad. That page is a great resource.
In my case, my "restricted" wiki passes all tests on that page except the API access.
Mainly because users can't edit (and therefore no editing tricks will access hidden features),
we're not attempting to hide content (just old versions), and special pages are easy to blacklist via hook.

I should mention this isn't a high-security site. I'm just removing features that don't fit the purpose of the site.
If people see more than they should, it's no big deal.

>You might try to hack something up by blacklisting certain API modules with ApiCheckCanExecute and the like,
>but such things aren't really supported.

Thanks for the tip and the warning!

DanB
Re: Disabling the API without disabling search suggestions?

Daniel Barrett
Thanks to everyone who contributed advice about disabling the API, and the security implications of trying to hide certain MediaWiki features (special pages, RSS, page history, etc.).

For anyone interested, the site is up at https://how-emotions-are-made.com.

DanB
