inprop=readable (Re: [MediaWiki-CVS] SVN: [41261] trunk/phase3)


Bryan Tong Minh
On Thu, Sep 25, 2008 at 5:55 PM,  <[hidden email]> wrote:
> Revision: 41261
> Author:   catrope
> Date:     2008-09-25 15:55:09 +0000 (Thu, 25 Sep 2008)
>
> Log Message:
> -----------
> (bug 15609) Add inprop=url (full URL to page and edit form) and inprop=readable (whether the current user can read the page) to prop=info
>

If a user has insufficient permissions to read a page, he should not
be able to fetch any information at all about it I think.


Bryan

_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: inprop=readable (Re: [MediaWiki-CVS] SVN: [41261] trunk/phase3)

Roan Kattouw
Bryan Tong Minh wrote:

> On Thu, Sep 25, 2008 at 5:55 PM,  <[hidden email]> wrote:
>  
>> Revision: 41261
>> Author:   catrope
>> Date:     2008-09-25 15:55:09 +0000 (Thu, 25 Sep 2008)
>>
>> Log Message:
>> -----------
>> (bug 15609) Add inprop=url (full URL to page and edit form) and inprop=readable (whether the current user can read the page) to prop=info
>>
>>    
>
> If a user has insufficient permissions to read a page, he should not
> be able to fetch any information at all about it I think.
IIRC, the API only honors read rights when serving page *content*, and
AFAIK the UI allows users to get information about unreadable pages too
(Special:Allpages and friends, for example).

Roan Kattouw (Catrope)


Re: inprop=readable (Re: [MediaWiki-CVS] SVN: [41261] trunk/phase3)

Lane, Ryan
> > If a user has insufficient permissions to read a page, he should not
> > be able to fetch any information at all about it I think.
> IIRC, the API only honors read rights when serving page
> *content*, and
> AFAIK the UI allows users to get information about unreadable
> pages too
> (Special:Allpages and friends, for example).
>

Isn't this different than the way the normal rights work? Shouldn't the
API only allow pages on the white list to be read? Is there a good
reason to go against MediaWiki's normal security design in the API?

I think quite a few locked down wikis may have issues with this.

V/r,

Ryan Lane


Re: inprop=readable (Re: [MediaWiki-CVS] SVN: [41261] trunk/phase3)

Brion Vibber-3
Lane, Ryan wrote:

>>> If a user has insufficient permissions to read a page, he should not
>>> be able to fetch any information at all about it I think.
>> IIRC, the API only honors read rights when serving page
>> *content*, and
>> AFAIK the UI allows users to get information about unreadable
>> pages too
>> (Special:Allpages and friends, for example).
>>
>
> Isn't this different than the way the normal rights work? Shouldn't the
> API only allow pages on the white list to be read? Is there a good
> reason to go against MediaWiki's normal security design in the API?

Well, that's the thing -- if Special:Allpages is on the whitelist, then
you can go to Special:Allpages and see everything Special:Allpages has
to offer (a list of all pages).

If you can access the API...

-- brion


Re: inprop=readable (Re: [MediaWiki-CVS] SVN: [41261] trunk/phase3)

Lane, Ryan
> >>> be able to fetch any information at all about it I think.
> >> IIRC, the API only honors read rights when serving page
> >> *content*, and
> >> AFAIK the UI allows users to get information about unreadable
> >> pages too
> >> (Special:Allpages and friends, for example).
> >>
> >
> > Isn't this different than the way the normal rights work?
> Shouldn't the
> > API only allow pages on the white list to be read? Is there a good
> > reason to go against MediaWiki's normal security design in the API?
>
> Well, that's the thing -- if Special:Allpages is on the
> whitelist, then
> you can go to Special:Allpages and see everything Special:Allpages has
> to offer (a list of all pages).
>
> If you can access the API...
>

Oops, ignore me; I read the original completely incorrectly.

Thanks,

Ryan Lane


Re: inprop=readable (Re: [MediaWiki-CVS] SVN: [41261] trunk/phase3)

Tei-2
In reply to this post by Brion Vibber-3
On Thu, Sep 25, 2008 at 8:41 PM, Brion Vibber <[hidden email]> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Lane, Ryan wrote:
>>>> If a user has insufficient permissions to read a page, he should not
>>>> be able to fetch any information at all about it I think.
>>> IIRC, the API only honors read rights when serving page
>>> *content*, and
>>> AFAIK the UI allows users to get information about unreadable
>>> pages too
>>> (Special:Allpages and friends, for example).
>>>
>>
>> Isn't this different than the way the normal rights work? Shouldn't the
>> API only allow pages on the white list to be read? Is there a good
>> reason to go against MediaWiki's normal security design in the API?
>
> Well, that's the thing -- if Special:Allpages is on the whitelist, then
> you can go to Special:Allpages and see everything Special:Allpages has
> to offer (a list of all pages).

or run

$ wget "http://download.wikimedia.org/enwiki/latest/enwiki-latest-all-titles-in-ns0.gz"
-o todo_vandalize.list


Re: inprop=readable (Re: [MediaWiki-CVS] SVN: [41261] trunk/phase3)

Roan Kattouw
In reply to this post by Brion Vibber-3
Brion Vibber wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Lane, Ryan wrote:
>  
>>>> If a user has insufficient permissions to read a page, he should not
>>>> be able to fetch any information at all about it I think.
>>>>        
>>> IIRC, the API only honors read rights when serving page
>>> *content*, and
>>> AFAIK the UI allows users to get information about unreadable
>>> pages too
>>> (Special:Allpages and friends, for example).
>>>
>>>      
>> Isn't this different than the way the normal rights work? Shouldn't the
>> API only allow pages on the white list to be read? Is there a good
>> reason to go against MediaWiki's normal security design in the API?
>>    
The function Title::userCanRead() is used, which checks for the 'read'
permission as well as the whitelist.
>
> Well, that's the thing -- if Special:Allpages is on the whitelist, then
> you can go to Special:Allpages and see everything Special:Allpages has
> to offer (a list of all pages).
>
> If you can access the API...
True. I've had plans to implement selective disabling of API modules in
LocalSettings.php for a while now. Also, there should probably be a
right that controls whether users can use the API as a whole.

Roan Kattouw (Catrope)
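
The trade-off debated in this thread, as an added example that is not MediaWiki code and not part of any poster's message: a small Python model of a prop=info style query where the read check (read right or whitelist) gates content but, by default, only flags metadata. The `Wiki` class, the `hide_unreadable` option and the sample pages are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Wiki:
    pages: dict        # title -> page text
    read_groups: set   # groups holding the 'read' right
    whitelist: set = field(default_factory=set)  # titles readable by anyone

    def user_can_read(self, title, groups):
        """Read check as described in the thread: 'read' right or whitelist."""
        return bool(self.read_groups & set(groups)) or title in self.whitelist

    def query_info(self, titles, groups, hide_unreadable=False):
        """Model of an info query that carries a 'readable' flag.

        hide_unreadable=False: metadata is returned for every existing title
        and only the flag reflects the read check (the behaviour discussed).
        hide_unreadable=True: unreadable titles look exactly like missing
        ones, so the caller learns nothing about them (the stricter option).
        """
        out = {}
        for title in titles:
            readable = self.user_can_read(title, groups)
            if title not in self.pages or (hide_unreadable and not readable):
                out[title] = {"missing": True}
            else:
                out[title] = {"length": len(self.pages[title]),
                              "readable": readable}
        return out

    def get_content(self, title, groups):
        """Page content is always gated by the read check."""
        if not self.user_can_read(title, groups):
            raise PermissionError(title)
        return self.pages[title]


# Constructed sample data for a locked-down wiki.
WIKI = Wiki(
    pages={"Main Page": "Welcome", "Payroll 2008": "secret figures"},
    read_groups={"staff"},
    whitelist={"Main Page"},
)

if __name__ == "__main__":
    anon = ["*"]
    print(WIKI.query_info(["Main Page", "Payroll 2008"], anon))
    print(WIKI.query_info(["Main Page", "Payroll 2008"], anon, hide_unreadable=True))
```

With the default mode an anonymous caller still learns that the protected page exists and how long it is; the strict mode returns the same answer as for a nonexistent title.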


Re: inprop=readable (Re: [MediaWiki-CVS] SVN: [41261] trunk/phase3)

Platonides
In reply to this post by Tei-2
Tei wrote:
> or run
>
> $ wget "http://download.wikimedia.org/enwiki/latest/enwiki-latest-all-titles-in-ns0.gz"
> -o todo_vandalize.list

Hehehe, you then will end up with a file
enwiki-latest-all-titles-in-ns0.gz and a todo_vandalize.list full of
progress text ;)

You wanted to do:
wget
"http://download.wikimedia.org/enwiki/latest/enwiki-latest-all-titles-in-ns0.gz"
-O -
| gzip -d | xargs -I pagename curl
"http://en.wikipedia.org/w/api.php?action=watch&title=pagename"


:-)

