API talk:Restricting API usage

From mediawiki.org

How do I test a site's API to see what the settings are?

My API client is giving an error when I try to write a page, so I'd like to check if it is being caused by insufficient usage rights. --Dmb 00:28, 22 January 2011 (UTC)

Restrict usage of READ API?

For private wikis, where users must be logged in in order to read the content, how can one forbid usage of the API altogether unless a valid login has been provided? -- 08:48, 20 August 2012 (UTC)

Never mind, the cookies were inherited from the browser which was used to log in to the wiki prior to using the API. Running the bot code from the command line resolved it. -- 09:23, 20 August 2012 (UTC)

Conditionally disable some modules

In the Restrict_API_Usage page, it says that, to conditionally disable some modules of the API, one can do the following. My question is: where to put the code? Seems to me it should not be in LocalSettings.php, but I don't know where it should go to. Thanks a lot.

if ( !in_array( 'sysop', $wgUser->getGroups() ) ) {
       $wgAPIModules['edit'] = 'ApiDisabled';
}

-- UPDATE: I found this hook, which was introduced in MW version 1.20, that might be useful.

Confirmed. As far as I can tell, the suggested change won't work in LocalSettings.php unless you put it into some kind of hook because $wgUser isn't defined yet. If there is a way to do it, I couldn't find it. Since I'm working on 1.19, what I ended up adding to LocalSettings.php was this:

$wgHooks['APIEditBeforeSave'][] = 'onAPIEditBeforeSave';

// Reject API edits from any account that is not in the 'bot' group.
function onAPIEditBeforeSave( $editPage, $text, &$resultArr ) {
    global $wgUser;

    if ( !in_array( 'bot', $wgUser->getGroups() ) ) {
        // Returning false halts the edit; the code/info pair is reported as the API error.
        $resultArr = array(
            'code' => 'BotEditsOnly',
            'info' => 'API edits are disabled on this wiki except for registered bots.'
        );
        return false;
    }

    return true;
}

I believe that should work with everything from 1.14 forwards. – RobinHood70 talk 02:47, 8 April 2014 (UTC)

Rationale for restricting API use

What is the rationale behind disabling API use by users who otherwise have the right to view or edit the wiki? All it does is force client applications to use screen scraping. --Damian Yerrick (talk) 11:48, 28 June 2014 (UTC)

It's useful because it stops people from accessing private wikis through the API. If you didn't have the feature, anyone could edit private wikis. — Preceding unsigned comment added by 24.138.81.104 (talk • contribs) 00:34, 4 September 2015

Disable read API for anonymous users

Since $wgEnableAPI is deprecated also (as of v1.32 I believe), how can you restrict access for anonymous users to read from the API? Only via the hook ApiCheckCanExecute?

$wgGroupPermissions['*']['read'] = false is enough. Tested on 1.39.6: https://yoursite.com/w/api.php?action=feedrecentchanges

{
    "error": {
        "code": "readapidenied",
        "info": "You need read permission to use this module.",
        "*": "See https://yoursite.com/w/api.php for API usage. Subscribe to the mediawiki-api-announce mailing list at <https://lists.wikimedia.org/postorius/lists/mediawiki-api-announce.lists.wikimedia.org/> for notice of API deprecations and breaking changes."
    }
}
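
A way to run the same check from a script, as an added example that is not part of the original posts: it sends read requests with no cookies (the situation that caused confusion in the "Restrict usage of READ API?" thread above) and reports every probe that did not come back as `readapidenied`. The probe set, the function names and the sample bodies are assumptions constructed for illustration.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Read-type requests to send with no cookies or tokens (assumed probe set; extend as needed).
PROBES = {
    "recentchanges": {"action": "query", "list": "recentchanges"},
    "page_content": {"action": "query", "prop": "revisions", "rvprop": "content",
                     "rvslots": "main", "titles": "Main Page"},
}

def fetch_anonymous(api_url, params):
    """GET api.php with a fresh opener, so no browser or session cookies are reused."""
    query = urllib.parse.urlencode({**params, "format": "json"})
    opener = urllib.request.build_opener()  # no cookie processor attached
    try:
        with opener.open(f"{api_url}?{query}", timeout=10) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.read().decode("utf-8", "replace")

def classify(body):
    """Map one api.php response body to 'denied', 'readable' or 'unknown'."""
    try:
        doc = json.loads(body)
    except ValueError:
        return "unknown"
    if not isinstance(doc, dict):
        return "unknown"
    error = doc.get("error")
    if isinstance(error, dict):
        # Only the read-permission error proves the lockout; other errors prove nothing.
        return "denied" if error.get("code") == "readapidenied" else "unknown"
    return "readable" if "query" in doc else "unknown"

def audit(bodies):
    """Return the probe names whose response was not a clean read denial."""
    return sorted(name for name, body in bodies.items() if classify(body) != "denied")

# Constructed sample bodies: the first mirrors the error quoted above, the second a wiki that leaks.
SAMPLE_DENIED = '{"error": {"code": "readapidenied", "info": "You need read permission to use this module."}}'
SAMPLE_OPEN = '{"batchcomplete": "", "query": {"recentchanges": [{"type": "edit", "title": "Draft:Budget"}]}}'

if __name__ == "__main__":
    print(audit({"recentchanges": SAMPLE_DENIED, "page_content": SAMPLE_OPEN}))
    # Live use: audit({n: fetch_anonymous("https://yoursite.com/w/api.php", p) for n, p in PROBES.items()})
```

An empty list from `audit` means every probe was refused for lack of read permission; any name it returns deserves a manual look.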

Restrict use of API on semi-public wiki, but not for extensions

Hello,

Using MediaWiki as a collaborative platform / CMS / encyclopedia for a public administration, I added a few custom namespaces that can only be viewed by logged-in users, with the help of Extension:Lockdown, to allow private discussions on soon-to-be-published content. I realized however that pages in namespaces that are hidden to anonymous visitors thanks to Lockdown can still be read via the API.

Since the API is now used by extensions, such as - correct me if I am wrong - the Parsoid service for Extension:VisualEditor and Extension:TextExtracts, and is thus not easy to disable, I am struggling to restrict use of API to prevent requests by anonymous users while still allowing extensions to use it.

I used a hook on ApiCheckCanExecute as proposed in the Manual page to restrict the query action, however Extension:TextExtracts can no longer get the content to feed to Extension:Popups (Parsoid seems to work though).

I know that MediaWiki is not conceived to restrict reading rights. But it is such an amazing tool for my administration that it would be a shame to renounce it. Any help appreciated! Thank you in advance. --- FunkyBeats99 (talk) 12:21, 3 May 2021 (UTC)


Did you find a resolution to this? --Squeak24 (talk) 17:28, 15 November 2023 (UTC)