Page MenuHomePhabricator

"extendedconfirmed" sometimes missing from user_rights
Closed, InvalidPublic

Description

On enwiki, the extendedconfirmed right is part of the extendedconfirmed, bot, and sysop user groups.

For some edits made by users in those groups, the user_rights variable does not contain extendedconfirmed

For example:

https://en.wikipedia.org/wiki/Special:AbuseFilter/examine/log/25328598 (extendedconfirmed)
https://en.wikipedia.org/wiki/Special:AbuseFilter/examine/log/25329101 (bot)
https://en.wikipedia.org/wiki/Special:AbuseFilter/examine/log/25321331 (sysop)

The problem doesn't seem to affect all users. For example, user_rights correctly lists extendedconfirmed in these entries:

https://en.wikipedia.org/wiki/Special:AbuseFilter/examine/log/25330403 (extendedconfirmed)
https://en.wikipedia.org/wiki/Special:AbuseFilter/examine/log/25329877 (sysop)

Event Timeline

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 13 2019, 10:00 PM
JJMC89 added a subscriber: JJMC89.Nov 13 2019, 10:15 PM

Based on the first example, extendedconfirmed is not the only right affected.

I think this is working as intended. The example cases were made by bots and Huggle, so the login was likely done using BotPasswords or OAuth, which limits the set of rights available to the user in that session.

@JJMC89: That makes sense, in theory. But is it really impossible to edit EC-protected pages from Huggle? If not, EC should still be part of the rights.

@JJMC89: That makes sense, in theory. But is it really impossible to edit EC-protected pages from Huggle? If not, EC should still be part of the rights.

You can edit EC-protected page with Huggle if your Huggle BotPassword includes the editprotected grant.

Ok, that explains 25321331. I also don't see tboverride in user_rights, so it looks like GorillaWarfare didn't grant Huggle editprotected rights. This can probably be closed as invalid, but 'll leave that to Daimona.

Daimona closed this task as Invalid.Nov 14 2019, 1:35 PM

Yes, that seems the most plausible explanation. All that AF does is call User::getRights, so there isn't much room for bugs (I mean, bugs affecting AF only).