API:Restricting API usage

Languages:

This page is part of the MediaWiki Action API documentation.

MediaWiki Action API
Basics
Etiquette and usage guidelines All query modules All page properties All list modules All meta modules Output formats
Authentication
Get tokens for data modifying operations Login Logout Verifying authentication (assertions)
Accounts and Users
Create an account Block or unblock a user Get info about the current user Get the current user's watchlist as a feed Change user options Change user group membership Send an email
Page Operations
Create and edit a page Get the contents of a page Upload a file Import a page Delete a page Parse content of a page Watch or unwatch a page Purge cache for page(s) Rollback a page Move a page Patrol a page or revision Restore revisions of a deleted page Change a page's protection level Change a page's language More...
Search
Search wiki pages by title (OpenSearch) Advanced search for wiki pages by title or text Search wiki pages near a location Search for a language name Perform a prefix search for page titles
Developer Utilities
Access libraries Cross-site requests Creating an API module in an extension Using the API in MediaWiki and extensions Restricting API usage Localisation Implementation Strategy
Tutorials
Action API Tutorial Article ideas generator Nearby places viewer Picture of the day viewer Holidays viewer
v · d · e

There are several ways to restrict usage of (certain parts of) the API to certain groups of users, or to disable it altogether. Some of these require changing group permissions.

Disabling general access

[edit ]

There is no dedicated user permission for accessing the API. To disable API access for a specific user group, you can disable read permissions for that group. For instance, to disallow anonymous requests,

$wgGroupPermissions['*']['read'] = false;

Note that some API modules may be available regardless. If access is successfully prevented, the API output will usually show the error code 'readapidenied'.

Disabling modules

[edit ]

You can disable individual modules for all users by adding a line to LocalSettings.php. Exactly what to add depends on the type of module you want to disable:

For action= modules, use $wgAPIModules ['modulename'] = 'ApiDisabled';
For prop= modules, use $wgAPIPropModules ['modulename'] = 'ApiQueryDisabled';
For list= modules, use $wgAPIListModules ['modulename'] = 'ApiQueryDisabled';
For meta= modules, use $wgAPIMetaModules ['modulename'] = 'ApiQueryDisabled';

Examples

[edit ]

To disable anyone from using action=edit:

$wgAPIModules['edit'] = 'ApiDisabled';

To limit the access of an API action, add the following hook for ApiCheckCanExecute :

static function onApiCheckCanExecute( $module, $user, &$message ) {
 $moduleName = $module->getModuleName();
 if (
 $moduleName == 'action' &&
 !in_array( 'right', $user->getRights() )
 ) {
 $message = 'apierror-action-notallowed';
 return false;
 }
 return true;
}

Replace 'action', 'right' and 'apierror-action-notallowed' with the appropriate values.

Retrieved from "https://www.mediawiki.org/w/index.php?title=API:Restricting_API_usage&oldid=7501563"