Context
In the API Portal, when viewing API key details, display the permissions allowed for the key. These are the scopes in the API response.
Here's an example of the data returned to the API Portal from the OAuth server:
"scopes": [ "basic", "editpage", "editmycssjs", "editmyoptions", "createeditmovepage", "viewmywatchlist", "editmywatchlist" ]
If the API Portal displayed only API keys created via the Portal, the Portal could simply add the same fields used in the create-key form:
However, because the Portal displays all OAuth 2.0 clients (created via the Portal or via Meta-Wiki), the Portal needs to be able to display all possible scopes a client could have. The complete list of scopes can be found on Special:ListGrants. One of the main reasons the Portal offers only a limited set from this list is that it can be hard to understand what each grant allows, especially from the name alone.
Here are my assumptions:
- If a user is viewing an API key on the Portal, it is more likely that they created that key via the Portal than via Meta.
- If a user has created API keys via Meta, they are already familiar with the complexity of selecting from the full grant list.
Here are the objectives I see for this task:
- Provide a clear, simplified experience for users who have created their API keys via the Portal
- Provide accurate information for users who have created their API keys via Meta-Wiki
Recommendation:
If an API key only has scopes offered by the Portal (basic, createeditmovepage, editprotected), display the message from the WikimediaApiPortalOAuth extension. If the key has other scopes, display the message from MediaWiki core and link to Special:ListGrants, similar to the form on Meta.
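The decision rule in this recommendation, sketched as an added example (not code from the Portal or the extension). The scope names and the `scopes` field come from this task; the function name and the Portal message-key prefix are hypothetical placeholders, and `grant-` is the prefix MediaWiki core uses for grant name messages.

```javascript
// Added example, not Portal code. Scope names are taken from the task text.
const PORTAL_SCOPES = new Set(['basic', 'createeditmovepage', 'editprotected']);

// Hypothetical placeholder: the extension's real message keys are not given here.
const PORTAL_MSG_PREFIX = 'portal-scope-placeholder-';
// MediaWiki core names each grant with a "grant-<name>" message.
const CORE_MSG_PREFIX = 'grant-';

function describeKeyScopes(scopes) {
  // Treat a missing or malformed "scopes" field as an empty list
  // so the details view never throws on an unexpected OAuth response.
  const list = Array.isArray(scopes) ? scopes : [];
  // Keep only non-empty strings and drop duplicates, preserving order.
  const unique = [...new Set(list.filter((s) => typeof s === 'string' && s !== ''))];

  // The choice is made per key, not per scope: one scope outside the
  // Portal set switches every label to the core wording, so "basic" is
  // never shown with the simplified text next to grants it does not cover.
  const portalOnly = unique.every((s) => PORTAL_SCOPES.has(s));
  const prefix = portalOnly ? PORTAL_MSG_PREFIX : CORE_MSG_PREFIX;

  return {
    source: portalOnly ? 'portal' : 'core',
    linkToListGrants: !portalOnly, // link to Special:ListGrants for core wording
    messageKeys: unique.map((s) => prefix + s),
  };
}

// Scopes from the sample OAuth response shown earlier in this task.
const sample = ['basic', 'editpage', 'editmycssjs', 'editmyoptions',
  'createeditmovepage', 'viewmywatchlist', 'editmywatchlist'];
console.log(describeKeyScopes(sample));
console.log(describeKeyScopes(['basic', 'createeditmovepage']));
```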
Cleaner solution:
De-duplicate messages between the WikimediaApiPortalOAuth extension and MediaWiki core. I think we could do this as long as we could change the message for the basic grant from "Basic rights" to "Read pages", although I don't know if there will be objections to that since the basic grant includes other rights besides just reading pages.
User Story
As an API Portal developer,
I want to view what permissions I'm granted
So that I know which operations I'm authorized to perform
Acceptance Criteria
- Given I am on the API Key page, when I select "View Details", I expect to view my permissions (below the client ID).
- When viewing an API key with permissions other than basic, createeditmovepage, and editprotected, the key details view displays the grant name from MediaWiki core and links to Special:ListGrants: