Seeing the following error while trying to upload an image using the API. The request has token with the user being a sysop with all the permissions.
The info should be more clear as to what is not working.
{"error":{"code":"permissiondenied","info":"Permission denied","*":"See http://www.example.com/wiki/api.php for API usage"}}
Given the stated error response, this appears to have been generated on a wiki running a pre-1.29 version of MediaWiki.[1] MediaWiki 1.29 contained significant improvements to API error reporting, including (as far as I can tell from the limited information provided here) a fix for this issue.
In 1.29, the error response would probably look more like
{ "error": { "code": "permissiondenied", "info": "The action you have requested is limited to users in one of the groups: [[Wikipedia:Why create an account?|Users]], [[Wikipedia:Administrators|Administrators]].", "*": "See http://localhost/w/api.php for API usage. Subscribe to the mediawiki-api-announce mailing list at <https://lists.wikimedia.org/mailman/listinfo/mediawiki-api-announce> for notice of API deprecations and breaking changes." } }
[1]: Or else someone customized three different i18n messages to make it look like pre-1.29, one of which would impact permissions errors in the web UI to similarly say "Permission denied", and/or added hooks or done something else odd.
The MediaWiki version used is 1.27.1
However, as I noted the logged-in user is the admin and still seeing the message. And more strangely it was working fine and suddenly stopped working.
Do you have any suggestions to debug this other than to upgrade MW?
Unless you're trying to apply change tags with the upload, the API is probably returning that message because the call to $this->mUpload->isAllowed( $user ) (here) is returning failure. You'll probably want to check that, then track down why it's doing so.
I just debugged this. Its returning "upload" which indicates that the user is not allowed uploading (see).
I can't find any place where upload has been turned off for anyone on the website :/
Is there any other way to see a user's permissions?
api.php?action=query&list=users&usprop=groups|rights&ususers=${NAME} will show you the rights of a user. If you have control of the user, api.php?action=query&meta=userinfo&uiprop=groups|rights while logged in will take into account restrictions from OAuth or BotPasswords.
Ah, that second link is great, helped me figure out the actual issue. Its actually a bug in the Lockdown extension which I got to know just now :/
Here's a link to the actual issue if anyone needs: T148582