
Does PAWS pass user credentials to the action API?
Closed, Resolved, Public

Description

As an admin on English Wikipedia I can get larger query result sets than most users (500 instead of 50; 5000 instead of 500 in some circumstances).

However, when I write a script in PAWS to give me a list of admins on English Wikipedia using this URL: https://en.wikipedia.org/w/api.php?action=query&format=json&list=allusers&meta=&augroup=sysop&aulimit=5000, it tells me English Wikipedia has 500 admins when it should be telling me there are 1209.

This leads me to believe that although I am authenticated to PAWS via OAuth, those credentials are not being passed to the Action API, and as a result, the default limit of 500 is applied instead of the heightened limit of 5,000.

Is there a way I can re-use my OAuth session within a Python notebook on PAWS?

Event Timeline

Harej created this task. Jun 2 2018, 1:15 AM
Chicocvenancio added a subscriber: Chicocvenancio. Edited Jun 2 2018, 1:33 AM

See T192237. Basically the current OAuth consumer does not request access to administrator functions. We should add those functions, but I'm not comfortable doing that without better understanding and/or solving the security implications of T120469.

I first assumed this was using Pywikibot, but @Harej explained this was using the Python requests library. At that level PAWS does not add any credential. Though it is possible to send your own OAuth credentials, it will expose credentials to the world and wouldn't be advisable.

One approach that is doable is to use the environment variables with the OAuth credentials used by PAWS (though care should be taken not to expose them to the world).
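An added example, not part of the original thread and not PAWS's own code: it reads OAuth 1.0a credentials from environment variables rather than notebook source, checks with `meta=userinfo` whether a request is actually authenticated, and goes one step beyond the comment by following the API's `continue` values so the list is complete whatever per-request limit applies. The environment variable names are hypothetical placeholders, and `requests` and `requests_oauthlib` are assumed to be installed.

```python
import os

API = "https://en.wikipedia.org/w/api.php"
# Hypothetical variable names (assumption): use whatever names your PAWS
# environment actually defines for the OAuth consumer and access token.
ENV_NAMES = ("OAUTH_CONSUMER_KEY", "OAUTH_CONSUMER_SECRET",
             "OAUTH_ACCESS_KEY", "OAUTH_ACCESS_SECRET")


def load_credentials(env=os.environ):
    """Read the four OAuth 1.0a values; report missing names, never values."""
    missing = [n for n in ENV_NAMES if not env.get(n)]
    if missing:
        raise RuntimeError("missing environment variables: " + ", ".join(missing))
    return tuple(env[n] for n in ENV_NAMES)


def make_get(creds):
    """Return get(params) -> parsed JSON, signing each request with OAuth 1.0a."""
    import requests                      # third-party, imported only when used
    from requests_oauthlib import OAuth1
    session = requests.Session()
    session.auth = OAuth1(*creds)        # key, secret, token key, token secret
    return lambda params: session.get(API, params=params, timeout=30).json()


def is_authenticated(get):
    """meta=userinfo reports id 0 for an anonymous (unsigned) request."""
    info = get({"action": "query", "format": "json", "meta": "userinfo"})
    return info["query"]["userinfo"].get("id", 0) != 0


def list_group(get, group="sysop"):
    """Collect every member of a group, following the API's 'continue' values
    so the result is complete whatever per-request limit applies."""
    params = {"action": "query", "format": "json", "list": "allusers",
              "augroup": group, "aulimit": "max"}
    names = []
    while True:
        page = get(params)
        names += [u["name"] for u in page["query"]["allusers"]]
        if "continue" not in page:
            return names
        params = {**params, **page["continue"]}
```

In a notebook, `get = make_get(load_credentials())` followed by `is_authenticated(get)` shows whether the session counts before any result size is trusted; keep the credential tuple out of cell output, since notebook contents are visible to others.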

Vvjjkkii renamed this task from Does PAWS pass user credentials to the action API? to 4sbaaaaaaa. Jul 1 2018, 1:07 AM
Vvjjkkii triaged this task as High priority.
Vvjjkkii updated the task description.
CommunityTechBot renamed this task from 4sbaaaaaaa to Does PAWS pass user credentials to the action API?. Jul 2 2018, 1:24 AM
CommunityTechBot raised the priority of this task from High to Needs Triage.
CommunityTechBot updated the task description.

@Harej Should we turn this into a feature request to make PAWS add OAuth credentials to some requests to Wikimedia projects, or close it?

I do appreciate the point you brought up above about how I was using the Python Requests library and not the Pywikibot library. Duh, no wonder my session didn't count for anything.

I think the PAWS OAuth grant should, theoretically, entertain the idea of admin actions via PAWS. I don't really have good insight on what form this takes. It could, for example, be two different options for permissions grant: the usual one, and a sudo mode with admin privs attached.

Chicocvenancio added a comment. Edited Apr 16 2019, 4:08 PM

I think the PAWS OAuth grant should, theoretically, entertain the idea of admin actions via PAWS. I don't really have good insight on what form this takes. It could, for example, be two different options for permissions grant: the usual one, and a sudo mode with admin privs attached.

That is T192237. Yeah, we could have multiple Wikimedia OAuth consumers, one without admin permissions to limit attack surface and one with them to allow users to use admin powers. However, a lack of OAuth v2 support in MediaWiki (T125337) means it would take a lot of PAWS-specific development to get any OAuth done in a safe way (T120469). While I mostly feel comfortable leaving that avenue open as it stands, opening the possibility of admin actions through PAWS means a step too far in my view. One year and a day ago I created T192237. Since no one has commented there for us to enable admin actions despite the lack of security inherent in the current setup, I am taking this as a very niche feature that hopefully can be taken care of once MediaWiki allows OAuth v2.

Chicocvenancio closed this task as Resolved. May 18 2019, 11:18 AM
Chicocvenancio claimed this task.