Page MenuHomePhabricator
Create Task
Maniphest T294397

Drop writeapi MediaWiki right
Open, MediumPublic
Actions

Description

The writeapi permission controls whether one is allowed to use action API endpoints which do some kind of write. This is not terribly useful:

  • By default it's given to all users, even anonymous ones.
  • Write permission handling is somewhat mixed up with write performance handling (ie. whether the API does DB writes) and as a result all kinds of conceptually non-write APIs require this permission.
    • Specifically, the login API requires it, so revoking it from anonymous users makes the site unusable unless it uses some very atypical authentication method.
  • All actions that actually change something have their own user rights so writeapi isn't really needed for access control.
  • writeapi check are applied at the API endpoints, so usually they can be circumvented by performing the same action via the web interface.

Requiring writeapi for login is a recent change (T283394: ApiLogin and ApiClientLogin should return true for isWriteMode()) necessitated by the coupling of write permission flags and write performance flags. A bunch of third-party wikis disabled writeapi for anonymous users; there is not much point to that, but the documentation kind of implied it's a useful thing to do (e.g. here) and it didn't break anything. But with the change to login APIs, it does break a lot of things, so let's get rid of it and turn Rest\Handler::isWriteAllowed() and similar into performance-only flags.

A possible counterargument would be that those flags come in pairs (e.g. with Rest\Handler::isReadAllowed()) and the read flag is meaningful for permission handling - there is no readapi right, just read, and that is used as the main access control mechanism for all kinds of things. So having those flags fulfill different functions would be unintuitive.

Details

SubjectRepoBranchLines +/-
Drop writeapi userrightmediawiki/coremaster+18 -71
Remove usage of writeapi userrightmediawiki/extensions/Wikibasemaster+20 -29
Remove usage of writeapi userrightmediawiki/extensions/Translatemaster+0 -2
Remove usage of writeapi userrightmediawiki/extensions/Thanksmaster+1 -2
Remove usage of writeapi userrightmediawiki/extensions/AbuseFiltermaster+1 -1
Customize query in gerrit

Related Objects

Event Timeline

Tgr created this task.Oct 27 2021, 12:09 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 27 2021, 12:09 AM
Tgr mentioned this in T294316: writeapidenied error on login with $wgGroupPermissions['*']['writeapi'] = false.Oct 27 2021, 12:09 AM
DannyS712 subscribed.Oct 27 2021, 3:24 AM
RhinosF1 subscribed.Oct 27 2021, 7:55 AM

+1 to this, removing it breaks visual editor too. It's a source of pain as a lot of users accidentally remove it not knowing what it does and then break things wonderfully.

Zabe subscribed.Oct 27 2021, 9:19 AM
Justin_C_Lloyd subscribed.Oct 27 2021, 9:38 AM
Seb35 subscribed.Mar 9 2022, 7:51 PM

+1 for removing writeapi. I was surprised a Semantic MediaWiki action checking internal state was failing when writeapi is false. In MediaWiki core, the API action=purge fails when writeapi is false, but action=purge succeed with the same user rights.

Seb35 added a comment.Mar 9 2022, 8:15 PM

Comparing in MediaWiki core the API actions with isWriteMode() === true and mustBePosted() === true (possibly because needsToken() !== false), it appears that (currently on 0cf01bc091f) all actions with write mode must be POSTed, and there are 3 POSTed actions without write mode (*):

  • ApiCSPReport.php
  • ApiLogout.php
  • ApiValidatePassword.php

So except these 3 exceptions, these two functions have always the same value.

(*) Methodology:

  • Checking that when function mustBePosted() is defined, it always returns true (except ApiBase)
$ grep -r -A 3 'function mustBePosted' includes/api
  • Checking that when function needsToken() is defined, it always returns a string and never false (except ApiBase and ApiResetPassword)
$ grep -r -A 3 'function needsToken' includes/api
  • Checking that when function isWriteMode() is defined, it always returns true (except ApiBase and ApiResetPassword)
$ grep -r -A 3 'function isWriteMode' includes/api
  • Consequently when needsToken() is defined, then mustBePosted() is true (except ApiResetPassword), so we can compare files where ( mustBePosted() or needsToken() is defined ) with files where ( isWriteMode() is defined ).
$ diff <(grep -r -l -e 'function mustBePosted' -e 'function needsToken'  includes/api|sort) <(grep -r -l 'function isWriteMode'  includes/api|sort)
8d7
< includes/api/ApiCSPReport.php
17d15
< includes/api/ApiLogout.php
37d34
< includes/api/ApiValidatePassword.php
  • In ApiResetPassword, isWriteMode() and mustBePosted() are always the same value (see internal logic).
TheresNoTime removed a subscriber: RhinosF1.Dec 15 2022, 11:35 PM
Krinkle awarded a token.Jun 8 2023, 4:27 PM
Krinkle subscribed.Jun 8 2023, 4:30 PM
Reedy triaged this task as Medium priority.Feb 15 2024, 7:23 PM
JFolvarcik subscribed.Feb 15 2024, 7:27 PM
gerritbot added a comment.Feb 15 2024, 8:23 PM

Change 1003871 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/core@master] Drop writeapi userright

https://gerrit.wikimedia.org/r/1003871

gerritbot added a project: Patch-For-Review.Feb 15 2024, 8:23 PM
gerritbot added a comment.Feb 15 2024, 8:43 PM

Change 1003874 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/AbuseFilter@master] Remove usage of writeapi userright

https://gerrit.wikimedia.org/r/1003874

gerritbot added a comment.Feb 15 2024, 8:44 PM

Change 1003875 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/Thanks@master] Remove usage of writeapi userright

https://gerrit.wikimedia.org/r/1003875

gerritbot added a comment.Feb 15 2024, 8:50 PM

Change 1003876 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/Wikibase@master] Remove usage of writeapi userright

https://gerrit.wikimedia.org/r/1003876

gerritbot added a comment.Feb 15 2024, 8:51 PM

Change 1003877 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/Translate@master] Remove usage of writeapi userright

https://gerrit.wikimedia.org/r/1003877

bd808 subscribed.Feb 15 2024, 10:15 PM
[19:11]  <    jfolv> Anyone familiar with AWB? We just upgraded from 1.35 to 1.39 and now AWB is saying "you're not allowed to edit this wiki through the API." Our pywikibot still works, but this doesn't, and I confirmed the writeapi permission to be present in Special:ListGroupRights. Maybe it has to do with changes to the API?
[19:14]  <    Reedy> Are you logging in using bot passwords?
[19:14]  <    Reedy> you might be missing a grant or two there
[19:14]  <    jfolv> No, I'm logging into my own account.,
[19:14]  <    jfolv> Standard username/pass
[19:15]  <    Reedy> it can still be your own account and using bot passwords ;)
[19:16]  <    jfolv> True, but I'm just using the same password I would normally use to log in.
[19:18]  <    Reedy> I don't think much changed with the API between those versions, and I don't remember having to make any changes to AWB either to really support it
[19:18]  <    Reedy> Is the wiki public?
[19:19]  <    jfolv> Yeah, it's Bulbapedia
[19:19]  <    jfolv> https://bulbapedia.bulbagarden.net
[19:19]  <    Reedy> That is from apierror-writeapidenied
[19:19]  <    Reedy> which is only guarded with
[19:19]  <    Reedy>             } elseif ( !$this->getAuthority()->isAllowed( 'writeapi' ) ) {
[19:19]  <    Reedy>                 $this->dieWithError( 'apierror-writeapidenied' );
[19:21]  <    jfolv> Weird... We do have the writeapi permission denied to *, but you have to log in to use the site at all, so I imagine that shouldn't be a problem with it set to true under user.
[19:22]  <    Reedy> I think writeapi is one of those rights that doesn't really work like you think it should
[19:22]  <    jfolv> Oh jeez, that actually was the problem.
[19:22]  <    Reedy> And I wouldn't be surprised if that's causing the problem in one way or another
[19:22]  <    Reedy> lmao
[19:22]  <    jfolv> Well, you were spot on. But why is that, exactly?
[19:22]  <    Reedy> Why to which bit?
[19:22]  <    jfolv> Why does it work abnormally? Shouldn't it check the permissions of the current group and not *?
[19:22]  <    Reedy> T294397
Reedy added a project: MW-1.43-release.Apr 2 2024, 9:26 AM
Reedy moved this task from Blocker to Deprecate or remove on the MW-1.43-release board.
Reedy updated the task description. (Show Details)Apr 22 2024, 7:59 PM
Reedy mentioned this in T363054: Troubleshooting writeapidenied error.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits