Page MenuHomePhabricator

Allusers query auprop=rights does not include global rights (and is possibly wrong in other ways)
Closed, ResolvedPublicBUG REPORT

Description

I just noticed that https://en.wikipedia.org/w/api.php?action=query&list=allusers&aufrom=Krenair&auto=Krenair&auprop=rights does not include editinterface for example

var realRights, auRights;
mw.user.getRights().then(function (r) { realRights = r; });
new mw.Api().get({'action': 'query', 'list': 'allusers', 'aufrom': 'Krenair', 'auto': 'Krenair', 'auprop': 'rights'}).then(function (d) { auRights = d.query.allusers[0].rights; });
console.log(realRights.length, auRights.length);
56 43
realRights.filter(x => auRights.indexOf(x) < 0);
(13) ["editcontentmodel", "editeditorprotected", "editextendedsemiprotected", "editinterface", "editprotected", "editsitecss", "editsitejs", "editsitejson", "editusercss", "edituserjs", "oathauth-enable", "protect", "suppressredirect"]
auRights.filter(x => realRights.indexOf(x) < 0);
[]

<bawolff> it also presumably doesnt include other rights from hooks or revoked rights from session (botpassword etc)

Event Timeline

(Might be CentralAuth, might also be a missing Hooks::run call or something in core. I haven't dug into it yet.)

Anomie subscribed.

What ApiQueryAllUsers currently returns is the list of rights given by the local groups the user belongs to. It doesn't run the hooks used by CentralAuth to give rights from global groups, and it doesn't run the hooks other extensions might use to try to remove rights. At the most simple level, the fix could be to just use User->getRights() instead.

I note rMWd05ddf6e0649: Make action=query&list=users use User::getRights() fixed a similar issue in ApiQueryUsers, and seems to generally have more database-friendly code. Ideally the two would be rewritten to share common code for everything except the bits building the WHERE and ORDER BY bits of the query and the related parameter definitions.

Aklapper changed the subtype of this task from "Task" to "Bug Report".Nov 21 2022, 2:52 PM

I note that User::getRights() was deprecated in 1.34 and removed in 1.38. Apparently we are intended to use PermissionManager::getUserPermissions() instead.

Change 973730 had a related patch set uploaded (by ArielGlenn; author: ArielGlenn):

[mediawiki/core@master] run the UserGetRights hook in query allusers api calls

https://gerrit.wikimedia.org/r/973730

What do folks think of something like the above? (Untested)

Change 973730 merged by jenkins-bot:

[mediawiki/core@master] use getUserPermissions in query allusers api calls to get user rights

https://gerrit.wikimedia.org/r/973730

The above patch went out with last week's train, and is on all wikis (1.42.0-wmf.9) but the behaviour is unchanged so I'll need to look into this further.

Seems to work fine for me.

I tried both the link in the task description as well as using the web console and looking at that list, no editinterface in there. Tried both as logged out and logged in user. I wonder why you're getting different results.

The one thing I didn't think to check. Of course it works fine on other accounts. Closing!