
Allow looking up permissions directly across multiple wikis
Open, Needs Triage, Public

Description

Background

SpecialGlobalContributions displays contributions that a given user has made across all wikis. The user accessing the page needs certain rights to access certain functionality (e.g. IP reveal rights to search temporary account contributions by IP address), and to view certain contributions or metadata (e.g. suppressed contributions, edit summaries, etc.).

Although it is possible to look up group membership via lookups at different wikis' databases, permissions can't be worked out from this without also knowing the permissions configuration. Permissions must be looked up via API requests, which can be slow and susceptible to failures, as well as difficult to test.

It would be helpful to have built-in infrastructure to look up permissions directly.

Notes

This task captures a need that was identified while developing Special:GlobalContributions. Solving this would be beyond the scope of the initial project, but it would improve the user experience. It is not yet clear how this would be solved.

Event Timeline

kostajh subscribed.

Tentatively adding MediaWiki-extensions-CentralAuth and MediaWiki-Platform-Team to this. I assume CentralAuth extension would be involved in implementing this, but maybe not.

Why do you need to know the user rights? Most APIs will just add the extra information if the user has sufficient privileges, without the client having to do anything differently.

I don't know if we have a better way of looking up permissions on many different wikis on the backend than you'd have on the frontend (making a bunch of API requests).

Ignorant drive by comment:

Is this similar to other inter-wiki data use cases? Like wikibase item usage? Except about user accounts and permissions? Entities (users) from one site are used in another site.

You want to know when user permissions on a foreign wiki change, and update the view of them when that happens, correct?

Is this yet another dependency tracking problem (T253026: Introduce a centralized Dependency Tracking Service)?

Why do you need to know the user rights? Most APIs will just add the extra information if the user has sufficient privileges, without the client having to do anything differently.

The IP reveal user right is given to many different groups, so we can't use user groups. We want to avoid making API requests because they are unreliable, as demonstrated for Special:GlobalContributions in T384717.

Ignorant drive by comment:

Is this similar to other inter-wiki data use cases? Like wikibase item usage? Except about user accounts and permissions? Entities (users) from one site are used in another site.

You want to know when user permissions on a foreign wiki change, and update the view of them when that happens, correct?

Yes and no. I wouldn't think there is a need to have all permissions on a foreign wiki indexed given that this could be a lot of storage space. Ideally the system would be generating the data on-the-fly because when permissions change they should ideally be applied immediately.

Ideally the system would be generating the data on-the-fly because when permissions change they should ideally be applied immediately.

Like, if you could know about the user permission change on a foreign wiki, you'd then process that information and save what you need for SpecialGlobalContributions, not the actual permissions.

Did I get that right?

Or, does "on-the-fly" mean all of the SpecialGlobalContributions stats are calculated whenever the page is loaded? There is no local storage of the contribution info?

Ideally the system would be generating the data on-the-fly because when permissions change they should ideally be applied immediately.

Like, if you could know about the user permission change on a foreign wiki, you'd then process that information and save what you need for SpecialGlobalContributions, not the actual permissions.

That would be very expensive storage-wise AFAICS, because we would need to have at least 2^6 different copies of the information for all the different combinations of user rights (we query for the presence of 6 different user rights in our API request plus if the user is blocked). Plus I'm not sure how this method would allow us to determine what user rights a specific user has on a different wiki (because we still need to determine what specific information would be displayed based on those rights, even if that data is cached on the local wiki).

Or, does "on-the-fly" mean all of the SpecialGlobalContributions stats are calculated whenever the page is loaded? There is no local storage of the contribution info?

We are able to read the revision table rows from any wiki we need to. We have central tables named cuci_user and cuci_temp_edit which tell us which wikis to load revision table rows from.

The IP reveal user right is given to many different groups, so we can't use user groups.

Being given to many user groups is not that much of a problem, you can just query the rights each usergroup has and cache it, it basically never changes. But that's not the same as actual rights as there might be hooks involved (e.g. at some point we'll probably start suppressing high privileges if the user doesn't have a second factor for authentication). If you want to make sure you are using actual rights, you need to use the API, I don't think there's any way around it.

We want to avoid making API requests because they are unreliable, as demonstrated for Special:GlobalContributions in T384717.

We have about a thousand wikis. I think pretty much everything is going to be unreliable at that scale - if we had a way to create a MediaWikiServices instance with a different wiki's configuration, and you did that a thousand times in a request, that would probably be unreliable too. (Granted, still less unreliable than trying to make a thousand API calls from a single request.)
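
Added example, not part of the thread and not MediaWiki or CheckUser code: a sketch of the "query the rights each usergroup has and cache it" approach from the last comment, resolving a user's rights per wiki from group membership. The wiki ids, group names, right names, `GroupRightsCache`, `configured_rights` and `sample_fetch` are all hypothetical, and the fail-closed handling of a wiki whose lookup fails is an assumption about the desired behaviour. The result is only the configured rights; as the comment notes, hooks can make the actual rights differ.

```python
import time

# Constructed sample data: per-wiki "group -> rights" tables, as a caller might
# build them from each wiki's configuration. All names here are made up.
SAMPLE_GROUP_RIGHTS = {
    "wiki_a": {"sysop": ["reveal-ip", "view-suppressed"], "user": ["read"]},
    "wiki_b": {"patroller": ["reveal-ip"], "sysop": ["view-suppressed"], "user": ["read"]},
}

def sample_fetch(wiki):
    """Stand-in for a per-wiki lookup; raises when the wiki does not answer."""
    if wiki not in SAMPLE_GROUP_RIGHTS:
        raise LookupError(f"no response from {wiki}")
    return SAMPLE_GROUP_RIGHTS[wiki]

class GroupRightsCache:
    """Caches each wiki's group -> rights table for `ttl` seconds."""
    def __init__(self, fetch, ttl=3600, clock=time.monotonic):
        self._fetch, self._ttl, self._clock = fetch, ttl, clock
        self._entries = {}      # wiki -> (expires_at, {group: frozenset(rights)})
        self.fetch_count = 0    # number of lookups attempted, for inspection

    def group_rights(self, wiki):
        now = self._clock()
        hit = self._entries.get(wiki)
        if hit and hit[0] > now:
            return hit[1]
        self.fetch_count += 1
        raw = self._fetch(wiki)  # may raise; failures are never cached
        table = {group: frozenset(rights) for group, rights in raw.items()}
        self._entries[wiki] = (now + self._ttl, table)
        return table

def configured_rights(cache, memberships):
    """memberships: {wiki: [groups]} -> ({wiki: frozenset(rights)}, [failed wikis])."""
    result, failed = {}, []
    for wiki, groups in memberships.items():
        try:
            table = cache.group_rights(wiki)
        except (LookupError, OSError):
            # Fail closed: an unreachable wiki grants nothing, and is reported
            # so the caller can show that its data was withheld.
            failed.append(wiki)
            result[wiki] = frozenset()
            continue
        rights = set()
        for group in groups:
            rights |= table.get(group, frozenset())
        result[wiki] = frozenset(rights)
    return result, failed
```

The same group grants different rights on different wikis here, which is why group membership alone is not enough without each wiki's permissions configuration.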