r24673 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r24672‎ \| r24673 \| r24674 >
Date:	15:12, 8 August 2007
Author:	yurik
Status:	old
Tags:
Comment:	Revert r24668; needed to prevent accidental API exposure by novice administrators.
Modified paths:	/trunk/phase3/config/index.php (modified) (history)

Diff [purge]

Index: trunk/phase3/config/index.php
—	—	@@ -702,6 +702,7 @@
703	703	$conf->Emailuser = importRequest("Emailuser", "emailuser_enabled");
704	704	$conf->Enotif = importRequest("Enotif", "enotif_allpages");
705	705	$conf->Eauthent = importRequest("Eauthent", "eauthent_enabled");
	706	+$conf->Api = importRequest("Api", "api_enabled_readonly" );
706	707
707	708	if( $conf->posted && ( 0 == count( $errs ) ) ) {
708	709	do { /* So we can 'continue' to end prematurely */
—	—	@@ -1238,6 +1239,20 @@
1239	1240	MediaWiki can also detect and support eAccelerator, Turck MMCache, APC, and XCache, but
1240	1241	these should not be used if the wiki will be running on multiple application servers.
1241	1242	</p>
	1243	+ <div class="config-input">
	1244	+ <label class='column'>External API:</label>
	1245	+
	1246	+ <ul class="plain">
	1247	+ <li><?php aField( $conf, "Api", "Enabled for Reading and Writing", "radio", "api_enabled_readwrite" ); ?></li>
	1248	+ <li><?php aField( $conf, "Api", "Enabled for Reading only", "radio", "api_enabled_readonly" ); ?></li>
	1249	+ <li><?php aField( $conf, "Api", "Disabled", "radio", "api_disabled" ); ?></li>
	1250	+ </ul>
	1251	+ </div>
	1252	+ <p class="config-desc">
	1253	+ API allows programs and scripts to directly access MediaWiki data in computer-readable formats.
	1254	+ Once enabled, it will be accessible through
	1255	+ <?php echo htmlspecialchars( $conf->ScriptPath ); ?>/api.php
	1256	+ </p>
1242	1257	</div>
1243	1258
1244	1259	<h2>E-mail, e-mail notification and authentication setup</h2>
—	—	@@ -1527,6 +1542,22 @@
1528	1543	$enotifwatchlist = 'false';
1529	1544	}
1530	1545
	1546	+ switch ( $conf->Api ) {
	1547	+ case "api_enabled_readwrite":
	1548	+ $apiEnabled = 'true';
	1549	+ $apiWriteEnabled = 'true';
	1550	+ break;
	1551	+ case "api_enabled_readonly":
	1552	+ $apiEnabled = 'true';
	1553	+ $apiWriteEnabled = 'false';
	1554	+ break;
	1555	+ case "api_disabled":
	1556	+ default:
	1557	+ $apiEnabled = 'false';
	1558	+ $apiWriteEnabled = 'false';
	1559	+ break;
	1560	+ }
	1561	+
1531	1562	$file = @fopen( "/dev/urandom", "r" );
1532	1563	if ( $file ) {
1533	1564	$secretKey = bin2hex( fread( $file, 32 ) );
—	—	@@ -1671,6 +1702,11 @@
1672	1703	# sure that cached pages are cleared.
1673	1704	\$configdate = gmdate( 'YmdHis', @filemtime( __FILE__ ) );
1674	1705	\$wgCacheEpoch = max( \$wgCacheEpoch, \$configdate );
	1706	+
	1707	+# Enable direct access to the data API through api.php
	1708	+\$wgEnableAPI = $apiEnabled;
	1709	+\$wgEnableWriteAPI = $apiWriteEnabled;
	1710	+
1675	1711	"; ## End of setting the $localsettings string
1676	1712
1677	1713	// Keep things in Unix line endings internally;

Follow-up revisions

Revision	Commit summary	Author	Date
r24678	Revert r24673; this is not needed. If "API exposure" is so dangerous, then ...	robchurch	17:32, 8 August 2007
r24705	Merged revisions 24632-24693 via svnmerge from...	david	19:15, 9 August 2007

Past revisions this follows-up on

Revision	Commit summary	Author	Date
r24668	Revert r24666; don't see a need for it. The API is enabled for reads, but not...	robchurch	01:02, 8 August 2007

Status & tagging log

15:20, 12 September 2011 Meno25 (talk | contribs) changed the status of r24673 [removed: ok added: old]