On 24/8/23 07:13, Jeffrey Walton wrote:
> Hi Everyone,
>
> I was looking at our Special:Version page, and got to thinking about
> api.php [1] and rest.php.[2] I don't believe anyone on our team is
> using the APIs,

People don't use them. Scripts use them, on behalf of people. The people don't know they are using them.


> I see api.php can be disabled via $wgEnableAPI.[1]

$wgEnableAPI was removed in MW 1.32. (T115414)


> But I don't see a similar option for rest.php.[2]

$wgEnableRestAPI was removed in MW 1.36.


> I have two questions. First, is it possible to disable api.php and
> rest.php in practice?

You could patch isCompatible() to always return false. MediaWiki will assume everyone's browser is too old for JavaScript and will not attempt to make requests via api.php or rest.php. Most things should still work in a degraded mode.

Then you could move api.php and rest.php away, or deny access in Apache, or patch them, or whatever.

When I say "most things", I mean like 70% of things. You're using SimpleMathJax which would be broken. RateChange would disappear. You should reconsider your need for this change.


> Or restrict them to internal interfaces only?

That would not be useful.


> For example, when a user clicks "logout", the controller
> will invoke an API call. We want the controller to be able to call an
> API. We don't want users to be able to call them.

That's not a thing.

-- Tim Starling
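
Before blocking either entry point, the web server's access log shows who is actually calling them. The following is an added example, not part of the original message and not MediaWiki code: it tallies api.php and rest.php requests from an Apache combined-format log and separates those whose Referer is one of the wiki's own pages, which is a heuristic for front-end script traffic because Referer is client-supplied. The host wiki.example.org, the /w/ script path and the sample log lines are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample in Apache "combined" format (hosts, paths and agents are made up).
SAMPLE_LOG = """\
203.0.113.5 - - [24/Aug/2023:07:13:01 +0000] "GET /wiki/Main_Page HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
203.0.113.5 - - [24/Aug/2023:07:13:02 +0000] "GET /w/api.php?action=opensearch&search=ma HTTP/1.1" 200 300 "https://wiki.example.org/wiki/Main_Page" "Mozilla/5.0"
203.0.113.5 - - [24/Aug/2023:07:13:03 +0000] "GET /w/api.php?action=opensearch&search=mai HTTP/1.1" 200 310 "https://wiki.example.org/wiki/Main_Page" "Mozilla/5.0"
203.0.113.5 - - [24/Aug/2023:07:13:09 +0000] "GET /w/rest.php/v1/search/title?q=main HTTP/1.1" 200 420 "https://wiki.example.org/wiki/Main_Page" "Mozilla/5.0"
203.0.113.5 - - [24/Aug/2023:07:14:00 +0000] "POST /w/api.php HTTP/1.1" 200 120 "https://wiki.example.org/wiki/Main_Page" "Mozilla/5.0"
198.51.100.9 - - [24/Aug/2023:07:15:00 +0000] "GET /w/api.php?action=query&meta=siteinfo HTTP/1.1" 200 800 "-" "python-requests/2.31"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
# Matches the entry point itself and REST-style path info after it.
ENTRY_RE = re.compile(r"/(api|rest)\.php(?:/|$)")


def summarize(log_text, wiki_host="wiki.example.org"):
    """Count API requests by (entry point, origin, action or REST route)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        url = urlsplit(m["target"])
        hit = ENTRY_RE.search(url.path)
        if not hit:
            continue
        entry = hit.group(1) + ".php"
        # Heuristic: a Referer on the wiki's own host suggests the page's scripts made the call.
        origin = "wiki-page" if urlsplit(m["referer"]).hostname == wiki_host else "other"
        if entry == "api.php":
            # POST requests carry the action in the body, which access logs do not record.
            detail = parse_qs(url.query).get("action", ["(not in query string)"])[0]
        else:
            detail = url.path.split("rest.php", 1)[1] or "/"
        counts[(entry, origin, detail)] += 1
    return counts


if __name__ == "__main__":
    for (entry, origin, detail), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:3d}  {entry:9s} {origin:10s} {detail}")
```
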
