How to limit API access to user groups

api
mediawiki

#1

I’m trying to limit access to certain API modules to specific user groups. I found API:Restricting API usage, but the example there (under “Disabling modules”) didn’t work; there’s no $wgUser in LocalSettings.php. Do you need to add something more or should the code snippet go somewhere else (not in LocalSettings.php)?


#2

I did some more digging around and found ApiBase::checkUserRightsAny(). I experimented with putting this at the start of execute() in my API class and that seems to have done the trick; you get an API error if you don’t have the appropriate rights.

I’m not sure if this is how you’re supposed to do this, so if anyone can confirm or can explain why it’s not a good idea, please let me know.


#3

checkUserRightsAny() is the normal way, yeah.

Disabling modules is mainly useful when you want to prevent access to something not under your control (e.g. the OAuth extension uses it to prevent use of the core login API when the request is authenticated with an OAuth header), and normally you’d do that with the ApiCheckCanExecute hook as you can return a custom error message that way, while just disabling is bound to be confusing and meant for wiki administrators, not extensions.
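The two approaches from posts #2 and #3, side by side, as an added example that is not part of the original thread and is not MediaWiki's or any extension's own code. The right `myext-report`, the module names `myextreport` and `somecoremodule`, and the class `ApiMyExtReport` are hypothetical; the sketch assumes MediaWiki 1.29 or later, where `checkUserRightsAny()` exists and the hook accepts a message key.

```php
<?php
// Setup code (LocalSettings.php or the extension's setup file).
// Hypothetical right, granted here to the sysop group only.
$wgAvailableRights[] = 'myext-report';
$wgGroupPermissions['sysop']['myext-report'] = true;

// Hypothetical module name and class; in a real extension the class
// sits in its own file registered through $wgAutoloadClasses.
$wgAPIModules['myextreport'] = 'ApiMyExtReport';

// (1) A module you own: check the right at the start of execute().
class ApiMyExtReport extends ApiBase {
	public function execute() {
		// Ends the request with an API permission error unless the
		// current user holds at least one of the listed rights.
		$this->checkUserRightsAny( 'myext-report' );

		// Only reached by users who passed the check above.
		$this->getResult()->addValue(
			null,
			$this->getModuleName(),
			[ 'status' => 'ok' ]
		);
	}
}

// (2) A module you do not own: veto it from ApiCheckCanExecute, which
// runs before the module's execute() and lets you pick the error.
$wgHooks['ApiCheckCanExecute'][] = static function ( $module, $user, &$message ) {
	$restricted = [ 'somecoremodule' ]; // hypothetical module name

	if ( in_array( $module->getModuleName(), $restricted, true )
		&& !$user->isAllowed( 'myext-report' )
	) {
		// Message key passed on to ApiBase::dieWithError().
		$message = 'apierror-permissiondenied-generic';
		return false; // cancel the request
	}

	return true; // let every other module and user through
};
```

Group membership is mapped to the right in `$wgGroupPermissions`, so both checks test the right and never the group name; adding another group later needs no code change.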


#4

Thanks. I didn’t know about ApiCheckCanExecute (although I suspected that there might be a hook for this somewhere); it wasn’t listed under “API” on https://www.mediawiki.org/wiki/Manual:Hooks#Hooks_grouped_by_function.


#5

It would be useful to document that in the Restricting API usage page, with a working example.


#6

I added an example now. Not sure if it’s 100% correct, but it works for me.