
Improve API's "permission denied" error message
Closed, Resolved, Public

Description

I have no advanced rights on enwikibooks. I used ApiSandbox to try and delete a page:

{
    "servedby": "mw1193",
    "error": {
        "code": "permissiondenied",
        "info": "Permission denied",
        "*": "See https://en.wikibooks.org/w/api.php for API usage"
    }
}

Tried to protect a page:

{
    "servedby": "mw1123",
    "error": {
        "code": "permissiondenied",
        "info": "Permission denied",
        "*": "See https://en.wikibooks.org/w/api.php for API usage"
    }
}

Globally block a user:

{
    "servedby": "mw1223",
    "error": {
        "code": "permissiondenied",
        "info": "Permission denied",
        "*": "See https://en.wikibooks.org/w/api.php for API usage"
    }
}

And so on, you get the picture.

These errors don't say precisely what permission has been denied, so they're not especially useful. They should mention which right is required to perform the given action, or for bonus marks, which user groups have the required right (just like the UI does).

In general, the API has been pretty bad at providing machine-readable error messages. This would be a good place to start improving that, by at least listing the missing user right as a data value alongside code and info.

Event Timeline

TTO created this task. Oct 5 2015, 5:57 AM
TTO updated the task description.
TTO raised the priority of this task from to Needs Triage.
TTO added a project: MediaWiki-API.
TTO added a subscriber: TTO.
Restricted Application added a subscriber: Aklapper. Oct 5 2015, 5:57 AM
Anomie triaged this task as Low priority. Oct 5 2015, 1:26 PM
Anomie added a subscriber: Anomie.

API error reporting in general needs a major overhaul, and T47843: Rework API error reporting is on my TODO list.

All the examples you cite, BTW, are something deeper in MediaWiki returning 'badaccess-groups' or 'badaccess-group0' statuses and the API not-too-helpfully turns it into that message. ApiUpload and ApiRevisionDelete also do this, while most other API modules at least report "You don't have permission to do X".

> by at least listing the missing user right as a data value alongside code and info.

Considering all the ones you cite are coming in as 'badaccess-groups', you'd wind up having to somehow parse the $1 parameter passed to that message (which doesn't necessarily contain the actual group names) to get the groups back, and no indication of the specific user right(s).

Or you could try changing core to use the ApiMessage class (which was introduced to be used for T47843 someday) to report that error, plus the places in the API making a 'permissiondenied' response without using that message.

Anomie moved this task from Unsorted to Needs Code on the MediaWiki-API board. Oct 5 2015, 1:26 PM
Anomie closed this task as Resolved. Feb 7 2017, 2:49 PM
Anomie claimed this task.

The error message for these cases is now more informative and equivalent to the UI.

{
    "error": {
        "code": "permissiondenied",
        "info": "The action you have requested is limited to users in the group: [[Wikipedia:Administrators|Administrators]].",
        "*": "See https://en.wikipedia.org/w/api.php for API usage. Subscribe to the mediawiki-api-announce mailing list at <https://lists.wikimedia.org/mailman/listinfo/mediawiki-api-announce> for notice of API deprecations and breaking changes."
    },
    "servedby": "mw1232"
}

If machine-readable details are needed, a separate task with the use case should be filed. I note that might require a fair bit of work since the errors come from deep inside MediaWiki and don't currently carry the machine-readable list of rights or groups along with them.
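As an added illustration (not MediaWiki code and not part of this task), the following client-side sketch shows what can and cannot be recovered from the two response shapes quoted above. The function name and the sample dictionaries are constructed for this example; the extracted labels are localized display text from the `info` wikitext, not machine-readable group or right identifiers.

```python
import json
import re

# Constructed samples mirroring the "before" and "after" responses quoted in this task.
SAMPLE_OLD = json.dumps({
    "servedby": "mw1193",
    "error": {
        "code": "permissiondenied",
        "info": "Permission denied",
        "*": "See https://en.wikibooks.org/w/api.php for API usage",
    },
})
SAMPLE_NEW = json.dumps({
    "error": {
        "code": "permissiondenied",
        "info": "The action you have requested is limited to users in the "
                "group: [[Wikipedia:Administrators|Administrators]].",
        "*": "See https://en.wikipedia.org/w/api.php for API usage.",
    },
    "servedby": "mw1232",
})

# Matches [[Target]] and [[Target|Label]] wikitext links.
WIKILINK = re.compile(r"\[\[([^\]|]+)(?:\|([^\]]*))?\]\]")


def parse_permission_error(raw):
    """Return None unless `raw` is a 'permissiondenied' API error.

    Otherwise return the human-readable info plus any group labels found as
    wikilinks in it. The labels are display text only: the response carries
    no list of rights or internal group names, so authorization logic must
    not be keyed on them.
    """
    try:
        doc = json.loads(raw)
    except ValueError:
        return None
    err = doc.get("error") if isinstance(doc, dict) else None
    if not isinstance(err, dict) or err.get("code") != "permissiondenied":
        return None
    info = err.get("info")
    if not isinstance(info, str):
        info = ""
    labels = [(m.group(2) or m.group(1)).strip() for m in WIKILINK.finditer(info)]
    return {"info": info, "group_labels": labels, "specific": bool(labels)}
```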