Page MenuHomePhabricator

Wikibase entities created/edited via OAuth consumer without “edit your watchlist” grant are not added to watchlist despite setting
Open, Needs TriagePublic

Description

As a tool developer, I want to write tools that work as expected without extra implementation effort and privileges required; as a tool user, I expect a tool that creates or edits entities on my behalf to add those entities to my watchlist if my user settings say to add created/edited pages to the watchlist.

Problem:
@KaMan reported over half a year ago that, when the Wikidata Lexeme Forms tool creates a new lexeme, the page is not added to the user’s watchlist even if the user has the “Add pages I create and files I upload to my watchlist” preference enabled, and I think I’ve finally figured out why this happens (while looking at the related code due to T213725). This is the code in Wikibase (in SubmitEntityAction): that updates the watchlist:

	/**
	 * Update watchlist.
	 *
	 * @param Title $title
	 */
	private function doWatch( Title $title ) {
		$user = $this->getUser();

		if ( $user->isLoggedIn()
			&& $user->getOption( 'watchdefault' )
			&& !$user->isWatched( $title )
		) {
			WatchAction::doWatch( $title, $user );
		}
	}

And this is the WatchAction function that MediaWiki core itself uses (e. g. in EditPage::updateWatchlist()):

	/**
	 * Watch or unwatch a page
	 * @since 1.22
	 * @param bool $watch Whether to watch or unwatch the page
	 * @param Title $title Page to watch/unwatch
	 * @param User $user User who is watching/unwatching
	 * @return Status
	 */
	public static function doWatchOrUnwatch( $watch, Title $title, User $user ) {
		if ( $user->isLoggedIn() &&
			$user->isWatched( $title, User::IGNORE_USER_RIGHTS ) != $watch
		) {
			// If the user doesn't have 'editmywatchlist', we still want to
			// allow them to add but not remove items via edits and such.
			if ( $watch ) {
				return self::doWatch( $title, $user, User::IGNORE_USER_RIGHTS );
			} else {
				return self::doUnwatch( $title, $user );
			}
		}

		return Status::newGood();
	}

Notice that it adds the IGNORE_USER_RIGHTS flag, because “if the user doesn’t have editmywatchlist (e. g. because the OAuth consumer in use does not include the editmywatchlist grant), we still want to allow them to add … items via edits”. I think this is exactly the bit that’s missing in Wikibase, which is why edits from Wikidata Lexeme Forms don’t end up on the watchlist.

BDD
GIVEN the user is using an OAuth consumer or bot password that does not include the “Edit your watchlist” grant, e. g. Wikidata Lexeme Forms (consumer)
WHEN an entity is created or edited
THEN it is added to the user’s watchlist according to the user’s settings.

Event Timeline

Restricted Application added a project: Growth-Team. · View Herald TranscriptFeb 26 2019, 4:09 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Lucas_Werkmeister_WMDE renamed this task from Entities created/edited via OAuth consumer without “edit your watchlist” grant are not added to watchlist despite setting to Wikibase entities created/edited via OAuth consumer without “edit your watchlist” grant are not added to watchlist despite setting.Feb 26 2019, 4:09 PM

(Small correction, I think the really relevant Wikibase code for my use case is WikiPageEntityStore::updateWatchlist, whereas SubmitEntityAction::doWatch is only used for undo/restore. But they both have the same problem.)