Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 3 additions & 2 deletions docs/api/rest-api.md
Original file line number Diff line number Diff line change
Expand Up @@ -23,8 +23,9 @@ Demo wiki example: [neowiki.dev/w/rest.php/specs/v0/module/-](https://neowiki.de

## Permissions

Read endpoints enforce the caller's per-page `read` permission: page protection, restricted namespaces, read
whitelists, and permission extensions all apply. When you may not read a page, its read endpoints respond as if
The Subject, Schema, Layout, Mapping and RDF read endpoints enforce the caller's per-page `read` permission: read
whitelists and permission extensions apply. (MediaWiki's `read` action ignores page protection and
`$wgNamespaceProtection`, so neither restricts these endpoints.) When you may not read a page, they respond as if
the data were absent — a `null` value, an empty list, or a `404` — rather than with a `403`. Treat a not-found
response as "not available": it may mean the data does not exist, or that you may not read it.

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -141,6 +141,19 @@ public function testUnreadableSchemaNamesAreOmitted(): void {
);
}

public function testUnreadableSchemaNamesAreOmittedFromSearchResults(): void {
$denyFirstMatch = static fn ( string $permission, ?PageIdentity $page = null ): bool =>
$page === null || $page->getDBkey() !== 'SchemaNameLookupTest21';

$names = array_map(
static fn ( TitleValue $title ): string => $title->getText(),
$this->getLookup( $this->mockRegisteredAuthority( $denyFirstMatch ) )
->getSchemaNamesMatching( 'SchemaNameLookupTest2', 10 )
);

$this->assertSame( [ 'SchemaNameLookupTest22' ], $names );
}

public function testGateUsesBindingAuthorizeRead(): void {
// probablyCan is a UI-hint check that skips the expensive ACL hook; the filter must
// use the binding authorizeRead with the 'read' action. Reverting fails this test.
Expand Down
Loading