API talk:Restricting API usage

From MediaWiki.org

How do I test a site's API to see what the settings are?

My API client is giving an error when I try to write a page, so I'd like to check if it is being caused by insufficient usage rights. --Dmb 00:28, 22 January 2011 (UTC)

Restrict usage of READ API?

For private wikis, where a user must be logged in in order to read the content, how can usage of the API be forbidden altogether unless a valid login has been provided? -- 08:48, 20 August 2012 (UTC)

Never mind, the cookies were inherited from the browser which was used to log in to the wiki prior to using the API. Running the bot code from the command line resolved it. -- 09:23, 20 August 2012 (UTC)

Conditionally disable some modules

In the Restrict_API_Usage page, it says that, to conditionally disable some modules of the API, one can do the following. My question is: where should I put the code? It seems to me it should not be in LocalSettings.php, but I don't know where it should go. Thanks a lot.

if ( !in_array( 'sysop', $wgUser->getGroups() ) ) {
       $wgAPIModules['edit'] = 'ApiDisabled';
}

-- UPDATE: I found this hook, which was introduced in MW version 1.20, that might be useful.

Confirmed. As far as I can tell, the suggested change won't work in LocalSettings.php unless you put it into some kind of hook because $wgUser isn't defined yet. If there is a way to do it, I couldn't find it. Since I'm working on 1.19, what I ended up adding to LocalSettings.php was this:
$wgHooks['APIEditBeforeSave'][] = 'onAPIEditBeforeSave';
// Reject API edits from any user who is not in the 'bot' group.
function onAPIEditBeforeSave( $editPage, $text, &$resultArr ) {
    global $wgUser;

    if ( !in_array( 'bot', $wgUser->getGroups() ) ) {
        // Returning false with $resultArr set makes the API report this error.
        $resultArr = array(
            'code' => 'BotEditsOnly',
            'info' => 'API edits are disabled on this wiki except for registered bots.'
        );
        return false;
    }

    return true;
}
I believe that should work with everything from 1.14 forwards. – RobinHood70 talk 02:47, 8 April 2014 (UTC)
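
An added example, not part of the original thread or MediaWiki's own code: the same kind of per-module restriction written against the ApiCheckCanExecute hook, which is handed the requesting user as a parameter and so does not depend on $wgUser being set when LocalSettings.php is loaded. It assumes MediaWiki 1.29 or later for the error message key; the $wgExampleApiModuleRights table and its contents are hypothetical.

```php
// LocalSettings.php fragment (added example).

// Hypothetical policy table: API action module => user right the caller
// must hold to execute it. Any module not listed here is left alone.
$wgExampleApiModuleRights = [
    'edit'   => 'bot',
    'move'   => 'bot',
    'upload' => 'bot',
];

// The hook runs once the request's user is known, so the check sees the
// real caller instead of an uninitialised global.
$wgHooks['ApiCheckCanExecute'][] = function ( $module, $user, &$message ) {
    global $wgExampleApiModuleRights;

    $name = $module->getModuleName();

    // Fail closed for anonymous callers on every write-mode module,
    // including ones missing from the table above.
    if ( $user->isAnon() && $module->isWriteMode() ) {
        // Assumption: this message key ships with core in 1.29+.
        $message = 'apierror-permissiondenied-generic';
        return false;
    }

    // Enforce the per-module right from the policy table.
    if ( isset( $wgExampleApiModuleRights[$name] )
        && !$user->isAllowed( $wgExampleApiModuleRights[$name] )
    ) {
        $message = 'apierror-permissiondenied-generic';
        return false;
    }

    // Returning true lets the API carry on with its own permission checks.
    return true;
};
```

Checking rights with isAllowed() rather than group names keeps the rule working when a right is granted through a different group.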

Rationale for restricting API use

What is the rationale behind disabling API use by users who otherwise have the right to view or edit the wiki? All it does is force client applications to use screen scraping. --Damian Yerrick (talk) 11:48, 28 June 2014 (UTC)

It's useful because it stops people from accessing private wikis through the API. If you didn't have the feature, anyone could edit private wikis. — Preceding unsigned comment added by (talk • contribs) 00:34, 4 September 2015

Disable read API for anonymous users

Since $wgEnableAPI is also deprecated (as of v1.32, I believe), how can you restrict access for anonymous users to read from the API? Only via the hook ApiCheckCanExecute?