
Admin in uk.wikipedia can't (un)delete pages on uk.wikipedia
Closed, Duplicate | Public | BUG REPORT

Description

I am an admin on the Ukrainian Wiki; my nick is "Klip_game". For other languages, I do not have admin rights. I am making an assistant for simple deletions in a notebook. But I get "Can't delete".

https://public.paws.wmcloud.org/User:Klip_game/Untitled1.ipynb

I have restarted the server several times. When I sign in to my account, I always confirm the permissions.

I found several similar posts:

But it says that the bug has been fixed.

Maybe I need to set some settings?

Event Timeline

jhsoby subscribed.

What does your user-config.py look like? (Remember to remove any confidential information if you paste it here.)

Reedy renamed this task from Admin in uk.wikipedia can't to (un)delete pages on uk.wikipedia to Admin in uk.wikipedia can't (un)delete pages on uk.wikipedia. (Feb 25 2023, 12:21 AM)
Reedy updated the task description.
JJMC89 edited subscribers, added: JJMC89; removed: pywikibot-bugs-list.

My guess is that the OAuth grant on PAWS does not allow (un)deletion.

My user-config.py:

sort_ignore_case = True
mylang = 'uk'
family = 'wikipedia'
#simulate

As far as I understand, user-config.py is not used for notebook.

It would appear to be the case that "Delete pages, revisions, and log entries" is not part of the OAuth grant
https://meta.wikimedia.org/wiki/Special:OAuthListConsumers/view/1fb341e2d259e6bd5b6644dc2d70ecf5

I'm not sure if that was for a reason. If not we could probably get it added.

@bd808 do you have any thoughts on if deletions were intentionally not included in PAWS?

There is no item "Delete pages, revisions, and log entries" in the list of grants. This item never came up for me. When I signed up, I wasn't an admin yet. After receiving the admin flag, I did not have any new items in the list of grants. I suspect that the list of grants is taken from the Russian wiki, not the Ukrainian wiki. I do not know what to do to change the list of grants.

There is no item "Delete pages, revisions, and log entries" in the list of grants. This item never came up for me. When I signed up, I wasn't an admin yet. After receiving the admin flag, I did not have any new items in the list of grants. I suspect that the list of grants is taken from the Russian wiki, not the Ukrainian wiki. I do not know what to do to change the list of grants.

Correct. The grants are the same for all PAWS users. It's what PAWS is allowed to do with your account, rather than a list of what your account can do. So we can't change the list of grants for your user, we would have to change it for everyone. Though we might be able to change it for everyone. Trying to figure out what the reasons for not having delete permissions there are before proceeding. Which, as @EpicPupper mentions, is discussed in T192237.
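The distinction drawn in the comment above (what the OAuth consumer may do versus what the account may do) can be checked from a `meta=userinfo` response. The following is an added example, not part of the original thread and not PAWS or Pywikibot code. It assumes the response lists unfiltered `groups` alongside `rights` already narrowed by the session's grants; the `GROUP_RIGHTS` excerpt, the account name and both sample responses are constructed.

```python
# Added example: classify why an action is refused in an OAuth-backed session.
# Assumption: the wiki reports group membership unfiltered, while "rights"
# reflects only what the current session (and its grants) may actually use.

# Constructed excerpt of a wiki's group-to-rights configuration (hypothetical).
GROUP_RIGHTS = {
    "*": {"read"},
    "user": {"read", "edit", "move"},
    "sysop": {"delete", "undelete", "bigdelete", "deleterevision", "block"},
}

# Constructed response for an admin working through a limited OAuth consumer.
OAUTH_SESSION = {"query": {"userinfo": {
    "id": 1, "name": "ExampleAdmin",
    "groups": ["*", "user", "sysop"],
    "rights": ["read", "edit", "move"],
}}}

# Constructed response for the same admin logged in without a grant limit.
DIRECT_SESSION = {"query": {"userinfo": {
    "id": 1, "name": "ExampleAdmin",
    "groups": ["*", "user", "sysop"],
    "rights": ["read", "edit", "move", "delete", "undelete", "block"],
}}}


def rights_from_groups(groups, group_rights=GROUP_RIGHTS):
    """Union of the rights the account's groups would normally confer."""
    rights = set()
    for group in groups:
        rights |= group_rights.get(group, set())
    return rights


def diagnose(userinfo, needed):
    """Return 'allowed', 'blocked_by_grant' or 'not_held_by_account'."""
    info = userinfo["query"]["userinfo"]
    effective = set(info.get("rights", []))
    held = rights_from_groups(info.get("groups", []))
    if needed in effective:
        return "allowed"
    if needed in held:
        # The account has the right, but this session cannot exercise it.
        return "blocked_by_grant"
    return "not_held_by_account"


def report(userinfo, needed_rights):
    """Map each required right to its diagnosis for one session."""
    return {right: diagnose(userinfo, right) for right in needed_rights}
```

A `blocked_by_grant` result for `delete` matches the situation in this task: the account is an admin, but the consumer's grant list is the limiting factor.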

Thanks for the advice. I posted a question on meta.wikimedia.org

@bd808 do you have any thoughts on if deletions were intentionally not included in PAWS?

@yuvipanda would know for sure, but my hunch would be that the grant's rights were deliberately limited in order to reduce the harm that could be done by a rogue user. Checking old grants via Special:OAuthListConsumers it looks like delete was a requested right in the v1.0 grant that was not renewed in the v1.1 grant. T192237: Support administrative actions in PAWS is another ticket about adding rights that appear to have been in v1.0 but removed in v1.1. It is tempting to think that the concerns in T120469: Implement a 'signing OAuth Proxy' for PAWS factored into the rights changes, but that task was filed even before the v1.0 grant was approved so that connection is unclear.

I always like to ask @Tgr for his opinion when I have a question about what is and is not reasonable grant rights. He has spent a lot of time thinking about such things over the years.

On meta.wikimedia.org I got the answer:

"The rights in the OAuth grant are system wide and can only be changed by an administrator of PAWS requesting a new grant and changing the configuration of the app for everyone."

So I understand that it is necessary to try using the console and authorization instead of the notebook and OAuth.

delete is a relatively low-risk grant IMO. The most dangerous thing it includes is probably bigdelete and history merge (mergehistory is not included but it can probably be simulated via normal delete), which can be used to cause significant disruption that takes a lot of effort (but is possible) to revert. It doesn't include anything that would cause permanent damage, nor anything that would be valuable for an attacker (monetizable, useful for disinformation purposes, etc). It does let you look up deleted (but not oversighted) content/usernames/edit summaries, but there isn't anything particularly secret about those.

AIUI the risks are:

  • The application goes evil and does things the user does not approve of. In general this is a reasonable concern for disruption-prone rights, but PAWS is WMF-maintained so this is very unlikely. Maybe the user can be tricked into executing some malicious Python code, but that does not seem like a big added risk over the same happening via plain Pywikibot.
  • Maybe a user can steal another user's OAuth credentials by making use of the shared platform and go on a deletion spree. I don't know how PAWS is implemented, but I assume this is unlikely.

See also T290790: Group OAuth grants by riskiness.