Wikibase entities created/edited via OAuth consumer without “edit your watchlist” grant are not added to watchlist despite setting
Closed, Resolved (Public)

Description

As a tool developer, I want to write tools that work as expected without extra implementation effort and privileges required; as a tool user, I expect a tool that creates or edits entities on my behalf to add those entities to my watchlist if my user settings say to add created/edited pages to the watchlist.

Problem:
@KaMan reported over half a year ago that, when the Wikidata Lexeme Forms tool creates a new lexeme, the page is not added to the user’s watchlist even if the user has the “Add pages I create and files I upload to my watchlist” preference enabled, and I think I’ve finally figured out why this happens (while looking at the related code due to T213725). This is the code in Wikibase (in SubmitEntityAction) that updates the watchlist:

	/**
	 * Update watchlist.
	 *
	 * @param Title $title
	 */
	private function doWatch( Title $title ) {
		$user = $this->getUser();

		if ( $user->isLoggedIn()
			&& $user->getOption( 'watchdefault' )
			&& !$user->isWatched( $title )
		) {
			WatchAction::doWatch( $title, $user );
		}
	}

And this is the WatchAction function that MediaWiki core itself uses (e. g. in EditPage::updateWatchlist()):

	/**
	 * Watch or unwatch a page
	 * @since 1.22
	 * @param bool $watch Whether to watch or unwatch the page
	 * @param Title $title Page to watch/unwatch
	 * @param User $user User who is watching/unwatching
	 * @return Status
	 */
	public static function doWatchOrUnwatch( $watch, Title $title, User $user ) {
		if ( $user->isLoggedIn() &&
			$user->isWatched( $title, User::IGNORE_USER_RIGHTS ) != $watch
		) {
			// If the user doesn't have 'editmywatchlist', we still want to
			// allow them to add but not remove items via edits and such.
			if ( $watch ) {
				return self::doWatch( $title, $user, User::IGNORE_USER_RIGHTS );
			} else {
				return self::doUnwatch( $title, $user );
			}
		}

		return Status::newGood();
	}

Notice that it adds the IGNORE_USER_RIGHTS flag, because “if the user doesn’t have editmywatchlist (e. g. because the OAuth consumer in use does not include the editmywatchlist grant), we still want to allow them to add … items via edits”. I think this is exactly the bit that’s missing in Wikibase, which is why edits from Wikidata Lexeme Forms don’t end up on the watchlist.

BDD
GIVEN the user is using an OAuth consumer or bot password that does not include the “Edit your watchlist” grant, e. g. Wikidata Lexeme Forms (consumer)
WHEN an entity is created or edited
THEN it is added to the user’s watchlist according to the user’s settings.

Acceptance criteria

  • Creating or editing pages through OAuth does the right thing (see BDD and rest of task)
  • Check other related code (calls to User::isWatched()) whether they should also be updated even if they’re not directly related to OAuth editing
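
The difference between the two call shapes quoted in the description, as a simplified model. This is an added example, not part of the task and not MediaWiki or Wikibase code: the class, function names and sample grants are hypothetical, and the behaviour of the rights-checked calls (a checked lookup or add does nothing when the right is missing) is an assumption consistent with the description.

```python
# Simplified model (added example, not MediaWiki code) of watch-on-edit under a
# grant-limited session. All names here are hypothetical.
CHECK_USER_RIGHTS, IGNORE_USER_RIGHTS = True, False

class Session:
    """A request whose effective rights are limited by OAuth/bot-password grants."""
    def __init__(self, rights, watchdefault=True):
        self.rights = set(rights)
        self.watchdefault = watchdefault  # "add pages I edit to my watchlist"
        self.watchlist = set()

    def is_watched(self, title, check_rights=CHECK_USER_RIGHTS):
        # Assumption: a rights-checked lookup reports "not watched" when the
        # session may not view the watchlist.
        if check_rights and 'viewmywatchlist' not in self.rights:
            return False
        return title in self.watchlist

    def do_watch(self, title, check_rights=CHECK_USER_RIGHTS):
        if check_rights and 'editmywatchlist' not in self.rights:
            return False                  # denied, nothing stored
        self.watchlist.add(title)
        return True

    def do_unwatch(self, title):
        # Removal always requires the right: the exception is add-only.
        if 'editmywatchlist' not in self.rights:
            return False
        self.watchlist.discard(title)
        return True

def watch_on_edit_before_fix(s, title):
    """Shape of the Wikibase code above: both calls check user rights."""
    if s.watchdefault and not s.is_watched(title):
        return s.do_watch(title)
    return False

def watch_on_edit_core_style(s, title):
    """Shape of doWatchOrUnwatch( true, ... ): adding ignores user rights."""
    if s.watchdefault and not s.is_watched(title, IGNORE_USER_RIGHTS):
        return s.do_watch(title, IGNORE_USER_RIGHTS)
    return False

def demo():
    grants = {'edit', 'createpage'}       # constructed: no watchlist grants
    a, b = Session(grants), Session(grants)
    before = watch_on_edit_before_fix(a, 'Lexeme:L1')
    after = watch_on_edit_core_style(b, 'Lexeme:L1')
    removed = b.do_unwatch('Lexeme:L1')   # still denied for this session
    return before, after, removed, sorted(a.watchlist), sorted(b.watchlist)
```

In the model, the rights bypass covers only the add path triggered by the user's own edit; the grant-limited session still cannot remove entries.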

Event Timeline

Restricted Application added a subscriber: Aklapper.
Lucas_Werkmeister_WMDE renamed this task from Entities created/edited via OAuth consumer without “edit your watchlist” grant are not added to watchlist despite setting to Wikibase entities created/edited via OAuth consumer without “edit your watchlist” grant are not added to watchlist despite setting. (Feb 26 2019, 4:09 PM)

(Small correction, I think the really relevant Wikibase code for my use case is WikiPageEntityStore::updateWatchlist, whereas SubmitEntityAction::doWatch is only used for undo/restore. But they both have the same problem.)

Change 626874 had a related patch set uploaded (by Lucas Werkmeister; owner: Lucas Werkmeister (WMDE)):
[mediawiki/extensions/Wikibase@master] Fix watch-on-edit settings on grant-limited requests

https://gerrit.wikimedia.org/r/626874

I tested the above fix with the following Python script:

#!/usr/bin/python3
import json
import mwapi

session = mwapi.Session(host='http://localhost', api_path='/wiki1/api.php')

# Log in with the bot password, so the session is limited to its grants.
lgtoken = session.get(action='query',
                      meta='tokens',
                      type='login')['query']['tokens']['logintoken']
session.post(action='login',
             lgname='Lucas Werkmeister@T217144',
             lgpassword='[redacted]',
             lgtoken=lgtoken)

# Fetch a CSRF token for the edit.
token = session.get(action='query',
                    meta='tokens',
                    type='csrf')['query']['tokens']['csrftoken']

# Create a new lexeme via wbeditentity and read back its ID.
entity_id = session.post(action='wbeditentity',
                         new='lexeme',
                         token=token,
                         data=json.dumps({
                             'type': 'lexeme',
                             'lemmas': {'en': {'language': 'en', 'value': 'T217144'}},
                             'lexicalCategory': 'Q10',
                             'language': 'Q85',
                             'claims': [],
                             'forms': [],
                             'senses': [],
                         }))['entity']['id']

# Print the page URL so the watchlist can be checked by hand.
print(f'http://localhost/wiki1/index.php/Lexeme:{entity_id}')

With the fix checked out locally, the new lexeme would be on my watchlist; without the fix, it would be missing.

(Edit: Lucas Werkmeister@T217144 is a bot password with the “Edit existing pages” and “Create, edit, and move pages” grants.)

Michael subscribed.

Will review the patch. Let's see if I also manage to create one for the other callers mentioned in the commit message.

Change 626874 merged by jenkins-bot:
[mediawiki/extensions/Wikibase@master] Fix watch-on-edit settings on grant-limited requests

https://gerrit.wikimedia.org/r/626874

This is fixed, at least for Wikidata Lexeme Forms. I added a note about it to the next weekly summary, but after I now realized this also affected QuickStatements, I’m starting to wonder if it might deserve an even larger announcement… I’m slightly worried that QuickStatements power users may actually have relied on this bug without realizing it, and may not be happy with a flood of new watchlist entries.

Change 672594 had a related patch set uploaded (by Tobias Andersson; owner: Lucas Werkmeister):
[mediawiki/extensions/Wikibase@REL1_35] Fix watch-on-edit settings on grant-limited requests

https://gerrit.wikimedia.org/r/672594

Change 672594 merged by jenkins-bot:
[mediawiki/extensions/Wikibase@REL1_35] Fix watch-on-edit settings on grant-limited requests

https://gerrit.wikimedia.org/r/672594