Page MenuHomePhabricator

FlaggedRevs permissions should be available in grants
Closed, ResolvedPublic

Description

My bot has admin rights in Russian Wikipedia and, among other things, stabilises some articles via [[https://www.mediawiki.org/wiki/Extension:FlaggedRevs#action_.3D_stabilize|FlaggedRevs extension's action = stabilize]]. This used to work.
Now, after login via action=login was deprecated in rMW54d58ef50665, I changed my bot to use BotPasswords instead and checked every checkbox on that page. However, now I get this reply from the API:

{
  "servedby": "mw1201",
  "error": {
    "code": "permissiondenied",
    "info": "Permission denied",
    "*": "See https://ru.wikipedia.org/w/api.php for API usage"
  }
}

What should I do?

Event Timeline

@Leloiandudu: Where can the code of your bot be seen / inspected?

Anomie subscribed.

What's needed is for someone to add the appropriate rights, in this case stablesettings, into the appropriate grants in $wgGrantPermissions. The other FlaggedRevs rights (review, validate, autoreviewrestore, unreviewedpages, movestable) could probably use the same treatment.

This is simple from a technical standpoint: either in [[https://phabricator.wikimedia.org/diffusion/EFLR/browse/master/FlaggedRevs.php;af779984e0782d0703483af549006564c86ad8b4$119-120|FlaggedRevs's FlaggedRevs.php]] (if it makes sense for everyone) or in [[https://phabricator.wikimedia.org/diffusion/OMWC/browse/master/wmf-config/CommonSettings.php;0fb021f55e5d457e397d8232b609ddf5c9bf7525$622-628|mediawiki-config's CommonSettings.php]] (if it only makes sense for WMF wikis) add the entries to put the rights in the proper grants. If you decide you need to add a new grant for some of the rights instead of bundling them into existing grants, that's not very hard either: you add an entry to $wgGrantPermissionGroups defining which UI grouping it belongs to and add i18n messages to name the new grant (in FlaggedRevs if you add the grants in FlaggedRevs.php or in WikimediaMessages if in CommonSettings.php).

The potentially hard part is deciding which grants these rights belong in.

@Anomie So, essentially every extension that uses custom rights is broken for bots now. I kinda have a feeling this should've been addressed somehow before deploying action = login deprecation.

Anyway, I don't get the big idea behind BotPasswords. I guess it's useful when the user and the bot share the same account? But the usual case is when the bot has a separate account (mine has too) and each wiki assigns rights to that account in the usual way. Am I wrong?

I don't think BotPasswords supports this case very well. Can we please have another checkbox that says "grant the same rights the parent account has?" This is beneficial in many ways:

  1. Supports the widespread 'bot has a separate account' case well
  2. No need to fix every (now broken) extension's code
  3. No need to fit weird rights into existing grants, which probably doesn't make sense anyway and kinda turns the idea of 'grants' into a leaky abstraction.

@Anomie So, essentially every extension that uses custom rights is broken for bots now.

Not every extension. Many were already taken care of.

Anyway, I don't get the big idea behind BotPasswords.

Largely that it allows a non-interactive login mechanism for bots. The "grants" model is based off of the same model used in the OAuth extension.

I don't think BotPasswords supports this case very well. Can we please have another checkbox that says "grant the same rights the parent account has?"

That would be a separate feature request that would need Security review. Feel free to file it if you'd like.

  1. No need to fit weird rights into existing grants, which probably doesn't make sense anyway and kinda turns the idea of 'grants' into a leaky abstraction.

There's no need to do that anyway, it's very easy to add new grants.

@Anomie thank you very much for the clarification!

Tgr renamed this task from Special rights and BotPasswords to FlaggedRevs permissions should be available in grants.Nov 22 2016, 10:45 PM

Change 323074 had a related patch set uploaded (by Gergő Tisza):
Add grants for FlaggedRevs permissions

https://gerrit.wikimedia.org/r/323074

Change 323074 merged by jenkins-bot:
Add grants for FlaggedRevs permissions

https://gerrit.wikimedia.org/r/323074

Anomie claimed this task.