Last modified: 2014-04-18 06:39:03 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and kept for historical purposes. It is not possible to log in, and apart from displaying bug reports and their history, links might be broken. See T64842, the corresponding Phabricator task, for complete and up-to-date bug report information.
Bug 62842 - API should not require 'read' user right for most actions
Status: NEW
Product: MediaWiki
Classification: Unclassified
Component: API
Version: unspecified
Platform: All
OS: All
Priority: Lowest
Severity: enhancement
Assigned To: Nobody - You can work on this!
Reported: 2014-03-19 16:55 UTC by Douglas Gardner
Modified: 2014-04-18 06:39 UTC
CC: 5 users

Description Douglas Gardner 2014-03-19 16:55:14 UTC
It is not possible to view a whitelisted page through the MediaWiki API.

Steps to reproduce:
* Set $wgGroupPermissions['*']['read'] = false to create a private wiki.
* Add a page to the whitelist using $wgWhitelistRead = array( "Foo" );
* Access api.php?action=parse&page=Foo

Expected behaviour:
* The API to return successfully, showing the contents of the page [[Foo]].

Actual behaviour:
* The API returns a `readapidenied` error ("You need read permission to use this module"), even though a user can access index.php?title=Foo without an error.

----

This bug has been mentioned on the MediaWiki wiki since at least 2010 ([[mw:Special:Permalink/300785]]), but I couldn't find any existing filed bugs in the API category on Bugzilla.
Comment 1 Brad Jorsch 2014-03-19 17:17:46 UTC
Quoting from the page you linked:

> This means that a client needs to be logged in to query any information at all
> through the API.

If the user isn't allowed 'read', they aren't allowed to query ''any information at all''.[1] It never gets to the point of checking whether they can read any particular page, or even of executing the query module.

Fixing this would be a fair bit of work, as it would likely require auditing every API module to verify that each one properly checks the 'read' permission before leaking any information (including e.g. whether a page exists or not).

[1]: This is slightly inaccurate: they can still get a login token, try to create an account, and access the API's autogenerated documentation.
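As an added example (not MediaWiki's own code), a simplified Python model of the checks contrasted in the report and in comment 1: the per-title index.php rule that honours $wgWhitelistRead, the API entry-point gate that denies before any module runs, and the per-module check each module would need instead, ordered so it does not reveal whether a private page exists. The wiki contents and the error codes in the audited variant are constructed for illustration.

```python
# Added example, not MediaWiki code: a simplified model of the access checks
# this bug contrasts. $wgGroupPermissions / $wgWhitelistRead are plain
# Python values; page contents and the "audited" error codes are constructed.

PAGES = {"Foo": "whitelisted text", "Secret": "private text"}  # constructed wiki

# Private wiki as in the reproduction steps: anonymous 'read' off, Foo whitelisted.
GROUP_PERMISSIONS = {"*": {"read": False}}
WHITELIST_READ = {"Foo", "Baz"}  # Baz is whitelisted but does not exist


def user_can_read(title, group_permissions=GROUP_PERMISSIONS, whitelist=WHITELIST_READ):
    """Per-title rule: the group 'read' right or a whitelist entry grants access."""
    if group_permissions.get("*", {}).get("read", False):
        return True
    return title in whitelist


def index_php(title):
    """index.php?title=...: decides per title, so the whitelisted Foo is served."""
    if not user_can_read(title):
        return ("denied", "This page requires read permission")
    if title not in PAGES:
        return ("missing", None)
    return ("ok", PAGES[title])


def api_parse_current(page):
    """api.php?action=parse&page=...: the entry point demands the global 'read'
    right before any module runs, so the whitelist is never consulted."""
    if not GROUP_PERMISSIONS.get("*", {}).get("read", False):
        return {"error": {"code": "readapidenied",
                          "info": "You need read permission to use this module"}}
    return {"parse": {"title": page, "text": PAGES.get(page)}}


def api_parse_audited(page):
    """What comment 1 says each module would need if the entry-point gate were
    lifted: apply the per-title rule, and do so before looking the page up, so an
    unreadable title gets the same answer whether or not it exists."""
    if not user_can_read(page):
        return {"error": {"code": "permissiondenied",
                          "info": "You do not have permission to read this page"}}
    if page not in PAGES:
        return {"error": {"code": "missingtitle", "info": "The page does not exist"}}
    return {"parse": {"title": page, "text": PAGES[page]}}
```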
