I just noticed that https://en.wikipedia.org/w/api.php?action=query&list=allusers&aufrom=Krenair&auto=Krenair&auprop=rights does not include editinterface for example
var realRights, auRights; mw.user.getRights().then(function (r) { realRights = r; }); new mw.Api().get({'action': 'query', 'list': 'allusers', 'aufrom': 'Krenair', 'auto': 'Krenair', 'auprop': 'rights'}).then(function (d) { auRights = d.query.allusers[0].rights; });
console.log(realRights.length, auRights.length); 56 43
realRights.filter(x => auRights.indexOf(x) < 0); (13) ["editcontentmodel", "editeditorprotected", "editextendedsemiprotected", "editinterface", "editprotected", "editsitecss", "editsitejs", "editsitejson", "editusercss", "edituserjs", "oathauth-enable", "protect", "suppressredirect"]
auRights.filter(x => realRights.indexOf(x) < 0); []
<bawolff> it also presumably doesnt include other rights from hooks or revoked rights from session (botpassword etc)