From 379eb2210b5bea36f0e11968d183f01bdd00d752 Mon Sep 17 00:00:00 2001
From: Roan Kattouw <catrope@users.mediawiki.org>
Date: Tue, 27 May 2008 15:43:07 +0000
Subject: [PATCH] * Added 'writeapi' right that controls access to the write
 API. Users who don't have this right won't be able to use the write API
 modules even if $wgEnableWriteAPI = true; and they have the other rights
 required * Checking for 'writeapi' in ApiMain::requestWriteMode() and
 tweaking the noapiwrite error message a bit * Granting this right to *, user
 and bot by default.

For extra clarity: to e.g. move pages through the API, a user needs to have the 'move' right AND the 'writeapi' right AND $wgEnableWriteAPI = true;
---
 includes/DefaultSettings.php |  3 +++
 includes/api/ApiMain.php     | 13 ++++++++++---
 2 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index 869cdbf376..992be45fb9 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -1083,6 +1083,7 @@ $wgGroupPermissions['*'    ]['read']             = true;
 $wgGroupPermissions['*'    ]['edit']             = true;
 $wgGroupPermissions['*'    ]['createpage']       = true;
 $wgGroupPermissions['*'    ]['createtalk']       = true;
+$wgGroupPermissions['*'    ]['writeapi']         = true;
 
 // Implicit group for all logged-in accounts
 $wgGroupPermissions['user' ]['move']             = true;
@@ -1090,6 +1091,7 @@ $wgGroupPermissions['user' ]['read']             = true;
 $wgGroupPermissions['user' ]['edit']             = true;
 $wgGroupPermissions['user' ]['createpage']       = true;
 $wgGroupPermissions['user' ]['createtalk']       = true;
+$wgGroupPermissions['user' ]['writeapi']         = true;
 $wgGroupPermissions['user' ]['upload']           = true;
 $wgGroupPermissions['user' ]['reupload']         = true;
 $wgGroupPermissions['user' ]['reupload-shared']  = true;
@@ -1107,6 +1109,7 @@ $wgGroupPermissions['bot'  ]['nominornewtalk']   = true;
 $wgGroupPermissions['bot'  ]['autopatrol']       = true;
 $wgGroupPermissions['bot'  ]['suppressredirect'] = true;
 $wgGroupPermissions['bot'  ]['apihighlimits']    = true;
+$wgGroupPermissions['bot'  ]['writeapi']         = true;
 #$wgGroupPermissions['bot'  ]['editprotected']    = true; // can edit all protected pages without cascade protection enabled
 
 // Most extra permission abilities go to this group
diff --git a/includes/api/ApiMain.php b/includes/api/ApiMain.php
index 56bdb27b8a..421ef17411 100644
--- a/includes/api/ApiMain.php
+++ b/includes/api/ApiMain.php
@@ -179,12 +179,19 @@ class ApiMain extends ApiBase {
 	}
 
 	/**
-	 * This method will simply cause an error if the write mode was disabled for this api.
+	 * This method will simply cause an error if the write mode was disabled
+	 * or if the current user doesn't have the right to use it
 	 */
 	public function requestWriteMode() {
+		global $wgUser;
 		if (!$this->mEnableWrite)
-			$this->dieUsage('Editing of this site is disabled. Make sure the $wgEnableWriteAPI=true; ' .
-			'statement is included in the site\'s LocalSettings.php file', 'noapiwrite');
+			$this->dieUsage('Editing of this wiki through the API' .
+			' is disabled. Make sure the $wgEnableWriteAPI=true; ' .
+			'statement is included in the wiki\'s ' .
+			'LocalSettings.php file', 'noapiwrite');
+		if (!$wgUser->isAllowed('writeapi'))
+			$this->dieUsage('You\'re not allowed to edit this ' .
+			'wiki through the API', 'writeapidenied');
 	}
 
 	/**
-- 
2.20.1