API:Restricting API usage
This page is part of the MediaWiki action API documentation.
There are several ways to restrict usage of (certain parts of) the API to certain groups of users, or to disable it altogether. Some of these require changing group permissions.
Disabling the entire API
You can disable the API as a whole by setting $wgEnableAPI = false; in LocalSettings.php. The API is enabled by default.
Disabling the write API
You can disable all write modules by setting $wgEnableWriteAPI = false; in LocalSettings.php. The write API is enabled by default as of MediaWiki 1.14, and disabled by default in older versions.
Restricting access to the write API
You can deny certain groups the right to use the write API by denying them the writeapi right. By default, all groups have the writeapi right. However, both the writeapi right and $wgEnableWriteAPI = true; are required in order to use the write API.
Disabling modules
You can disable individual modules for all users by adding a line to LocalSettings.php. Exactly what to add depends on the type of module you want to disable:
- For action= modules, use $wgAPIModules['modulename'] = 'ApiDisabled';
- For prop= modules, use $wgAPIPropModules['modulename'] = 'ApiQueryDisabled';
- For list= modules, use $wgAPIListModules['modulename'] = 'ApiQueryDisabled';
- For meta= modules, use $wgAPIMetaModules['modulename'] = 'ApiQueryDisabled';
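The following LocalSettings.php fragment is an added example, not part of the original documentation. It combines the writeapi restriction and the per-module switches described above. The group assignments, the hypothetical 'restricted' group and the module names chosen (import, upload, allusers) are assumptions for illustration.

```php
// Added example: fragment to append to LocalSettings.php.
// Group choices and the selected module names are illustrative assumptions.

// The write API must stay enabled globally; the writeapi right only has an
// effect while this is true (both are required, as described above).
$wgEnableWriteAPI = true;

// A user's rights are the union of the rights of all their groups, and every
// account is implicitly in '*' (everyone) and, once logged in, 'user'.
// Setting a right to false only means "this group does not grant it".
$wgGroupPermissions['*']['writeapi'] = false;
$wgGroupPermissions['user']['writeapi'] = false;

// Grant the right only to the groups that should write through the API.
$wgGroupPermissions['bot']['writeapi'] = true;
$wgGroupPermissions['sysop']['writeapi'] = true;

// To take the right away from members of a group even when another of their
// groups grants it, use $wgRevokePermissions.
// 'restricted' is a hypothetical group name.
$wgRevokePermissions['restricted']['writeapi'] = true;

// Disable individual modules for all users, one array per module type.
$wgAPIModules['import'] = 'ApiDisabled';             // action=import
$wgAPIModules['upload'] = 'ApiDisabled';             // action=upload
$wgAPIListModules['allusers'] = 'ApiQueryDisabled';  // list=allusers
```

Because group rights are additive, check every group a user can belong to: a single group that still grants writeapi is enough to restore write access for its members.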
Example
To prevent anyone who isn't a sysop from using action=edit:
// Replace action=edit with the disabled stub unless the current user is a sysop.
if ( !in_array( 'sysop', $wgUser->getGroups() ) ) {
    $wgAPIModules['edit'] = 'ApiDisabled';
}