Lock down the Mediawiki API
Latest commit e3aaecf2e1 by Drake Panzer, 8 months ago

APILockdown

This extension restricts access to the MediaWiki API. It's a bit messy and calls PHP's die() directly in too many places instead of going through MediaWiki's own API error handling, but it works.

Install

  1. git clone https://git.dp15.us/dpanzer/APILockdown.git
  2. Add this to the bottom of LocalSettings.php:

```php
wfLoadExtension( 'APILockdown' );
$wgAPILockdownBlockAllExports = true; // kill access to every export page if the visitor is not in an allowed group
$wgAPILockdownNukeAPI = false; // kill all access to the API if the visitor is not in an allowed group
// If a visitor is denied access to a page, kill the PHP script instead of redirecting them to the login page.
// true = kill the PHP script, false = redirect to the login page
$wgAPILockdownKillPHP = false;
$wgAPILockdownKillPHPMsg = "Access Denied"; // the text to display when denied with $wgAPILockdownKillPHP
$wgAPILockdownGroupsDebug = false;

// groups that can bypass restrictions. You will have to customise this for your own setup.
$wgAPILockdownAllowedGroups = array("bureaucrat", "commentadmin", "interface-admin", "bot", "staff", "sysop");

// this probably doesn't need to be changed
$wgAPILockdownRestrictedActions = array(
    "abusefiltercheckmatch","abusefilterchecksyntax","abusefilterevalexpression","abusefilterunblockautopromote","abuselogprivatedetails","aggregategroups","antispoof","block",
    "centralauthtoken","centralnoticecdncacheupdatebanner","centralnoticechoicedata","centralnoticequerycampaign","changeauthenticationdata","changecontentmodel","checktoken","cirrus-config-dump",
    "cirrus-mapping-dump","cirrus-profiles-dump","cirrus-settings-dump","clearhasmsg","clientlogin","codediff","coderevisionupdate","codeupdate",
    "compare","createaccount","cspreport","delete","deleteglobalaccount","echomarkread","echomarkseen","echomute",
    "edit","editmassmessagelist","emailuser","embedvideo","expandtemplates","fancycaptchareload","featuredfeed","feedcontributions",
    "feedrecentchanges","feedthreads","feedwatchlist","filerevert","flow","flow-parsoid-utils","flowthank","globalblock",
    "globalpreferenceoverrides","globalpreferences","globaluserrights","graph","groupreview","help","imagerotate","import",
    "jsonconfig","languagesearch","linkaccount","managetags","massmessage","mergehistory","move","newslettersubscribe",
    "oathvalidate","opensearch","options","paraminfo","parse","patrol","protect","purge",
    "removeauthenticationdata","resetpassword","revisiondelete","rollback","rsd","scribunto-console","searchtranslations","setglobalaccountstatus",
    "setnotificationtimestamp","setpagelanguage","shortenurl","sitematrix","smpuserprivacy","smpuserprofiletype","socialprofile-delete-message","socialprofile-request-response",
    "socialprofile-send-message","spamblacklist","stashedit","streamconfigs","strikevote","tag","templatedata","thank",
    "threadaction","titleblacklist","tokens","transcodereset","translationaids","translationreview","ttmserver","unblock",
    "undelete","unlinkaccount","upload","userrights","validatepassword","voteny","watch","webapp-manifest",
    "webauthn","wikilove"
);
```

  3. Figure out the internal group names. You can do this by setting $wgAPILockdownGroupsDebug to true. This interrupts the MediaWiki request and displays the current user's groups. Copy the group IDs you want to have access (the internal names, not the display names) into $wgAPILockdownAllowedGroups.
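The gating that the options above describe, written out as an added illustration rather than the extension's own code: a side-effect-free PHP function (the name apiLockdownDecide and its parameters are hypothetical) that applies the allowed-group bypass, the export block, the NukeAPI switch and the restricted-action list, and reports whether the outcome would be a die() with $wgAPILockdownKillPHPMsg or a redirect to the login page. The sample configuration and the user groups fed to it are constructed for the demonstration.

```php
<?php
// Added illustration, not code from the APILockdown extension. Models the
// decision implied by the $wgAPILockdown* settings; names are hypothetical.

/**
 * Decide whether a request may proceed.
 *
 * @param array  $config     values of the $wgAPILockdown* settings
 * @param array  $userGroups internal group IDs of the current user (e.g. "sysop"),
 *                           the names $wgAPILockdownGroupsDebug prints
 * @param string $kind       "api" for api.php requests, "export" for export pages
 * @param string $action     the API action parameter (ignored for exports)
 * @return array ['allow' => bool, 'response' => string]
 */
function apiLockdownDecide(array $config, array $userGroups, string $kind, string $action = ''): array
{
    // Members of any allowed group bypass every restriction. Matching is on
    // internal group IDs, so a display name such as "Administrators" never matches.
    if (array_intersect($userGroups, $config['AllowedGroups'])) {
        return ['allow' => true, 'response' => 'pass'];
    }

    $denied = false;
    if ($kind === 'export') {
        $denied = $config['BlockAllExports'];
    } elseif ($kind === 'api') {
        // NukeAPI blocks every action; otherwise only the listed ones are blocked.
        $denied = $config['NukeAPI']
            || in_array($action, $config['RestrictedActions'], true);
    }

    if (!$denied) {
        return ['allow' => true, 'response' => 'pass'];
    }

    // KillPHP selects a hard stop (die() with the configured message) instead of
    // a login redirect. Both are returned as strings so the function has no side effects.
    $response = $config['KillPHP']
        ? 'die: ' . $config['KillPHPMsg']
        : 'redirect: Special:UserLogin';
    return ['allow' => false, 'response' => $response];
}

// Constructed sample configuration mirroring the README defaults, with a
// shortened restricted-action list.
$config = [
    'BlockAllExports'   => true,
    'NukeAPI'           => false,
    'KillPHP'           => false,
    'KillPHPMsg'        => 'Access Denied',
    'AllowedGroups'     => ['bureaucrat', 'sysop', 'bot'],
    'RestrictedActions' => ['edit', 'delete', 'userrights', 'tokens', 'parse'],
];

// Constructed requests: [description, user's internal groups, kind, action].
$cases = [
    ['anonymous reader, plain query',     ['*'],                  'api',    'query'],
    ['anonymous reader, restricted edit', ['*'],                  'api',    'edit'],
    ['logged-in user, export page',       ['*', 'user'],          'export', ''],
    ['sysop, restricted edit',            ['*', 'user', 'sysop'], 'api',    'edit'],
];
foreach ($cases as [$label, $groups, $kind, $action]) {
    $r = apiLockdownDecide($config, $groups, $kind, $action);
    printf("%-35s => %s (%s)\n", $label, $r['allow'] ? 'allow' : 'deny', $r['response']);
}
```

Run it with `php example.php`. The first and last cases pass (an unrestricted action, and a sysop bypassing the restricted list), while the anonymous edit and the logged-in export are denied and, because KillPHP is false, would be sent to the login page. An extension would attach a check like this to a MediaWiki hook such as ApiCheckCanExecute rather than run it in a loop; the README does not say which hook APILockdown itself uses.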

Notes

  • This isn't a perfect solution; it's more like a Band-Aid. There are probably some tricky ways to get around this extension that I don't know about.

Some code is taken from https://www.mediawiki.org/wiki/Extension:SourceProtection