Page MenuHomePhabricator

Wikibase entities created/edited via OAuth consumer without “edit your watchlist” grant are not added to watchlist despite setting
Closed, ResolvedPublic


As a tool developer, I want to write tools that work as expected without extra implementation effort and privileges required; as a tool user, I expect a tool that creates or edits entities on my behalf to add those entities to my watchlist if my user settings say to add created/edited pages to the watchlist.

@KaMan reported over half a year ago that, when the Wikidata Lexeme Forms tool creates a new lexeme, the page is not added to the user’s watchlist even if the user has the “Add pages I create and files I upload to my watchlist” preference enabled, and I think I’ve finally figured out why this happens (while looking at the related code due to T213725). This is the code in Wikibase (in SubmitEntityAction): that updates the watchlist:

	 * Update watchlist.
	 * @param Title $title
	private function doWatch( Title $title ) {
		$user = $this->getUser();

		if ( $user->isLoggedIn()
			&& $user->getOption( 'watchdefault' )
			&& !$user->isWatched( $title )
		) {
			WatchAction::doWatch( $title, $user );

And this is the WatchAction function that MediaWiki core itself uses (e. g. in EditPage::updateWatchlist()):

	 * Watch or unwatch a page
	 * @since 1.22
	 * @param bool $watch Whether to watch or unwatch the page
	 * @param Title $title Page to watch/unwatch
	 * @param User $user User who is watching/unwatching
	 * @return Status
	public static function doWatchOrUnwatch( $watch, Title $title, User $user ) {
		if ( $user->isLoggedIn() &&
			$user->isWatched( $title, User::IGNORE_USER_RIGHTS ) != $watch
		) {
			// If the user doesn't have 'editmywatchlist', we still want to
			// allow them to add but not remove items via edits and such.
			if ( $watch ) {
				return self::doWatch( $title, $user, User::IGNORE_USER_RIGHTS );
			} else {
				return self::doUnwatch( $title, $user );

		return Status::newGood();

Notice that it adds the IGNORE_USER_RIGHTS flag, because “if the user doesn’t have editmywatchlist (e. g. because the OAuth consumer in use does not include the editmywatchlist grant), we still want to allow them to add … items via edits”. I think this is exactly the bit that’s missing in Wikibase, which is why edits from Wikidata Lexeme Forms don’t end up on the watchlist.

GIVEN the user is using an OAuth consumer or bot password that does not include the “Edit your watchlist” grant, e. g. Wikidata Lexeme Forms (consumer)
WHEN an entity is created or edited
THEN it is added to the user’s watchlist according to the user’s settings.

Acceptance criteria

  • Creating or editing pages through OAuth does the right thing (see BDD and rest of task)
  • Check other related code (calls to User::isWatched()) whether they should also be updated even if they’re not directly related to OAuth editing

Event Timeline

Restricted Application added a project: Growth-Team. · View Herald TranscriptFeb 26 2019, 4:09 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Lucas_Werkmeister_WMDE renamed this task from Entities created/edited via OAuth consumer without “edit your watchlist” grant are not added to watchlist despite setting to Wikibase entities created/edited via OAuth consumer without “edit your watchlist” grant are not added to watchlist despite setting.Feb 26 2019, 4:09 PM

(Small correction, I think the really relevant Wikibase code for my use case is WikiPageEntityStore::updateWatchlist, whereas SubmitEntityAction::doWatch is only used for undo/restore. But they both have the same problem.)

abian added a subscriber: abian.Sep 12 2020, 3:08 PM

Change 626874 had a related patch set uploaded (by Lucas Werkmeister; owner: Lucas Werkmeister (WMDE)):
[mediawiki/extensions/Wikibase@master] Fix watch-on-edit settings on grant-limited requests

LucasWerkmeister added a comment.EditedSep 13 2020, 2:08 PM

I tested the above fix with the following Python script:

import json
import mwapi

session = mwapi.Session(host='http://localhost', api_path='/wiki1/api.php')
lgtoken = session.get(action='query',
             lgname='Lucas Werkmeister@T217144',

token = session.get(action='query',
id ='wbeditentity',
                      'type': 'lexeme',
                      'lemmas': {'en': {'language': 'en', 'value': 'T217144'}},
                      'lexicalCategory': 'Q10',
                      'language': 'Q85',
                      'claims': [],
                      'forms': [],
                      'senses': [],

With the fix checked out locally, the new lexeme would be on my watchlist; without the fix, it would be missing.

(Edit: Lucas Werkmeister@T217144 is a bot password with the “Edit existing pages” and “Create, edit, and move pages” grants.)

Michael claimed this task.Sep 16 2020, 12:17 PM
Michael added a subscriber: Michael.

Will review the patch. Let's see if I also manage to create one for the other callers mentioned in the commit message

Restricted Application added a project: User-Michael. · View Herald TranscriptSep 16 2020, 12:17 PM
Michael removed Michael as the assignee of this task.Sep 16 2020, 4:11 PM

Change 626874 merged by jenkins-bot:
[mediawiki/extensions/Wikibase@master] Fix watch-on-edit settings on grant-limited requests

This is fixed, at least for Wikidata Lexeme Forms. I added a note about it to the next weekly summary, but after I now realized this also affected QuickStatements, I’m starting to wonder if it might deserve an even larger announcement… I’m slightly worried that QuickStatements power users may actually have relied on this bug without realizing it, and may not be happy with a flood of new watchlist entries.