API Edit Requires a Captcha, but on Wiki edit does not
Open, Needs Triage, Public

Description

I'm making an edit to my user page on test2.wikipedia.org
https://test2.wikipedia.org/wiki/User_talk:DBarratt_(WMF)

and I can do this without a problem when I am on-wiki.

However, if I make an edit to the same page with the API (logged in as the same user with OAuth) I get a request for a captcha:

array:1 [
  "edit" => array:2 [
    "captcha" => array:4 [
      "type" => "image"
      "mime" => "image/png"
      "id" => "1221847824"
      "url" => "/w/index.php?title=Special:Captcha/image&wpCaptchaId=1221847824"
    ]
    "result" => "Failure"
  ]
]

I see that this is one of the possible responses from the API:
https://www.mediawiki.org/wiki/API:Edit#CAPTCHAs_and_extension_errors
but why does this happen if you are logged in with OAuth and not when logged in directly?
Is there a way to avoid this?

dbarratt created this task. Jul 13 2017, 4:52 PM
Tgr added a subscriber: Tgr. Jul 13 2017, 6:11 PM

You have some user right preventing the captcha from showing up (skipcaptcha probably) that's masked out because the OAuth app doesn't have the corresponding grant. (cf T142308: Most extensions which add a user right should also add or extend a grant)

@Tgr Looks like it:
https://www.mediawiki.org/wiki/Extension:ConfirmEdit#Wikimedia_projects

Is there any way to add that grant to the OAuth application? Or does ConfirmEdit (CAPTCHA extension) need to be updated to support that grant?

Seems weird that skipping Captcha would be a grant...

Tgr added a comment. Jul 13 2017, 8:22 PM

Yeah, you'd need to update ConfirmEdit. It's a simple config change, see the linked task for examples.

Every user right has to be part of a grant, OAuth works on a whitelist basis. basic is the catch-all grant that's given to all applications and contains lots of basic rights. Now that I look at it, it actually contains skipcaptcha already, so either that's broken somehow (unlikely) or your user does not have it and the difference is caused by some other user right. Or the difference is not related to OAuth at all (maybe some kind of throttling? Some captcha rules are based on frequency). Or maybe the action is failing for some captcha-unrelated reason, and ConfirmEdit is just not clever enough to not add the captcha field to the response when the user is exempt. You should test the API with a non-OAuth request to see which is the case.
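
The cases discussed in the thread above (the right is masked by the application's grants, the user does not hold the right, or the right is available and the cause lies elsewhere), as an added example that is not part of the original thread and is not MediaWiki's code. It is a simplified model in which an OAuth session's rights are the user's rights intersected with the rights whitelisted by the application's grants; the function names, grant contents and user rights are constructed for illustration.

```python
# Added illustration: a simplified model of OAuth grant masking, not MediaWiki code.
# Grant contents and user rights below are constructed sample data.

SAMPLE_GRANTS = {
    "basic": {"read", "autoconfirmed", "skipcaptcha"},
    "editpage": {"edit", "minoredit"},
}


def effective_rights(user_rights, app_grants, grant_permissions):
    """Rights usable in an OAuth session: the user's rights, restricted to
    those whitelisted by at least one grant given to the application."""
    allowed = set()
    for grant in app_grants:
        allowed |= grant_permissions.get(grant, set())
    return set(user_rights) & allowed


def masked(user_rights, app_grants, grant_permissions):
    """Rights the user holds on-wiki but loses inside the OAuth session."""
    usable = effective_rights(user_rights, app_grants, grant_permissions)
    return set(user_rights) - usable


def diagnose(right, user_rights, app_grants, grant_permissions):
    """Classify why `right` is or is not usable through the application."""
    if right not in user_rights:
        return "user-lacks-right"   # the account itself is not exempt
    if right in masked(user_rights, app_grants, grant_permissions):
        return "masked-by-grants"   # no granted grant whitelists the right
    return "right-available"        # look elsewhere: throttling, other errors


if __name__ == "__main__":
    user = {"read", "edit", "skipcaptcha", "delete"}
    grants = ["basic", "editpage"]
    # Constructed grant table in which no grant carries skipcaptcha.
    without_skip = {"basic": {"read"}, "editpage": {"edit"}}
    print(diagnose("skipcaptcha", user, grants, without_skip))
    # Constructed grant table in which basic carries skipcaptcha.
    print(diagnose("skipcaptcha", user, grants, SAMPLE_GRANTS))
    print(sorted(masked(user, grants, SAMPLE_GRANTS)))
```
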