Page MenuHomePhabricator
Create Task
Maniphest T404727

🧱 Unable to use Wikidata REST API to create statements: "error": "rest-write-denied" (due to globally blocked IP)
Closed, ResolvedPublicBUG REPORT
Actions

Description

Hi there! We're running into a puzzling issue that I hope somebody here can shed some light on.

We're building a tool (https://loom.everypolitician.org/ | https://github.com/opensanctions/poliloom/) that extracts statements on politicians from Wikipedia and the wider web, offers those to evaluators and on confirmation, pushes these statements to Wikidata. This makes use of the mediawiki OAuth system so people update Wikidata on their own account.

I'm running into the problem that I can't push Wikidata statements from our production environment, while the same code works fine in development. In production, we get a HTTP 403 JSON response:

{"error":"rest-write-denied","httpCode":403,"httpReason":"Forbidden"}

Our OAuth2 app settings are exactly the same for production and development.

I've ran the production setup locally to make sure there's no problem there, that works. Checked what tokens went out on the API request, both local development and production send the same access tokens, with the same permissions and user information, with only the AUD related claims differing, as expected.

I've tracked this issue to logic in Wikibase that returns this 403 on UseCaseError::PERMISSION_DENIED_UNKNOWN_REASON which does not provide much insight. When I look through the Wikibase source for this UseCaseError, I see some references to "protected" pages, however when I check entities that I'm trying to create statements for, I see no indication of them being protected. For example entity Q32965:

Failed to create statement for entity Q32965 with property P39: HTTP 403 - {"error":"rest-write-denied","httpCode":403,"httpReason":"Forbidden"}
Failed to push PositionEvaluation 5e8bc92d-1856-4c04-818f-05bec5aa725a to Wikidata

What is happening here? Why are edits from my development machine accepted, but edits coming from our production server denied? The software is doing the exact same thing, the OAuth2 configuration is exactly the same. Is our production app lacking permissions? And how do I figure out if Wikidata items are protected?

Thanks in advance for any help!

Related Objects
Search...

Event Timeline

Monneyboi created this task.Sep 16 2025, 2:33 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 16 2025, 2:33 PM
Reedy added projects: Wikidata, Wikibase REST API (WPP).Sep 16 2025, 2:40 PM
Aklapper added a comment.Sep 16 2025, 2:44 PM

That codebase seems to set ./poliloom/poliloom/api/auth.py: self.user_agent = "PoliLoom API/0.1.0" (for anyone digging in logs)

Reedy subscribed.Sep 16 2025, 2:44 PM

https://www.wikidata.org/wiki/Q32965?action=info
https://www.wikidata.org/w/index.php?title=Special:Log&type=protect&page=Q32965

^ Allow all users (infinite) means you can't edit anon, but logged in is fine (with no other rights).

Can you confirm the edits coming from your production server are actually correctly logged in/sending the expected tokens?

Monneyboi added a comment.Sep 16 2025, 3:00 PM

Can you confirm the edits coming from your production server are actually correctly logged in/sending the expected tokens?

Yes, I checked what tokens went out on the API requests, both local development and production send the same access tokens, with the same permissions and user information, with only the AUD related claims differing, as expected.

Monneyboi added a comment.Sep 17 2025, 8:23 AM

Here's the relevant debug logs from both production and development. They include the request body, and (expired) tokens.

production.log6 KBDownload

development.log6 KBDownload

I also tested using the production setup with my localhost credentials by setting up a reverse proxy on localhost. The production server also gets the rest-write-denied response when using the localhost credentials, so I don't think credentials are the problem.

Reedy added a comment.Sep 17 2025, 9:12 AM

Where is the server running? Some public cloud? Presuming you have a static IP on it?

Monneyboi added a comment.Sep 17 2025, 10:49 AM

The server is running in the Hetzner Falkenstein datacenter in Germany.

IPv4: 148.251.131.144
IPv6: 2a01:4f8:210:30ce::2
Krinkle subscribed.Sep 17 2025, 12:29 PM

This might have something to do with it.

https://meta.wikimedia.org/wiki/Special:BlockList?wpTarget=148.251.131.14

The user 148.251.131.144 is blocked globally.

  • Date: 8 May 2025
  • Target: 148.251.0.0/16
  • Expires: 8 May 2026
  • Blocks: editing, anon only, account creation
  • Reason: Open proxy
Monneyboi added a comment.Sep 17 2025, 12:40 PM

Woah, great find! That looks like it's the problem yeah.

Can we be whitelisted, or could that block rule be made more specific? Right now it's blocking a whole /16 in the Hetzner network, 65,534 hosts.

Reedy added a comment.Sep 17 2025, 12:42 PM

Unfortunately a lot of bad traffic comes from "cheap" provider networks like Hetzner.

https://meta.wikimedia.org/wiki/Special:MyLanguage/NOP
https://meta.wikimedia.org/wiki/WM:OP/H

https://meta.wikimedia.org/wiki/Special:MyLanguage/Stewards/Wizard would be the appeal process

If you have a static IP, you should have a reasonable case... Or are you able to force traffic from your side over IPv6?

Monneyboi added a comment.Sep 17 2025, 12:46 PM

Yes we have a static address.

I'll submit an appeal first, if that for some reason does not work out, I can still look into the possibility of forcing IPv6 traffic.

Thank you very much for your help in figuring this out, it's much appreciated!

Aklapper renamed this task from Unable to use Wikidata REST API to create statements: "error": "rest-write-denied" to Unable to use Wikidata REST API to create statements: "error": "rest-write-denied" (due to globally blocked IP).Sep 20 2025, 4:23 PM
Pppery subscribed.Sep 20 2025, 4:55 PM

Sidenote: the error message could be much clearer here and specify why the write is denied.

Monneyboi added a comment.Sep 22 2025, 12:36 PM

Thank you all for your help, we're no longer blocked from using the Wikidata API, our initial issue is resolved.

Sidenote: the error message could be much clearer here and specify why the write is denied.

I couldn't agree more. Also the constant UseCaseError::PERMISSION_DENIED_UNKNOWN_REASON that I found when I looked for this error put me on the wrong track.

Reedy added a comment.Sep 22 2025, 2:22 PM

A follow up task should probably be filed to have this fixed/improved in Wikibase

Ifrahkhanyaree_WMDE subscribed.Nov 19 2025, 9:26 AM

I'm glad the issue was resolved for @Monneyboi, and apologies for getting to it this late. I'll add this in our backlog to see to us getting around to improving the error message

Ifrahkhanyaree_WMDE added a project: Wikibase Reuse Team.Nov 19 2025, 9:26 AM
Ifrahkhanyaree_WMDE moved this task from Incoming tickets outside WPP to Ready for planning on the Wikibase Reuse Team board.Nov 19 2025, 9:43 AM
Ifrahkhanyaree_WMDE moved this task from Ready for planning to Sprint 58 on the Wikibase Reuse Team board.Nov 25 2025, 9:24 AM
Ifrahkhanyaree_WMDE edited projects, added Wikibase Reuse Team (Sprint 58); removed Wikibase Reuse Team.
ItamarWMDE claimed this task.Nov 26 2025, 8:31 AM
Restricted Application added a project: User-ItamarWMDE. · View Herald TranscriptNov 26 2025, 8:31 AM
ItamarWMDE moved this task from To Do to Doing on the Wikibase Reuse Team (Sprint 58) board.Nov 26 2025, 8:31 AM
ItamarWMDE created subtask T411355: 🧱 Respond with a blocked user message for globally blocked users.Dec 1 2025, 11:38 AM
ItamarWMDE renamed this task from Unable to use Wikidata REST API to create statements: "error": "rest-write-denied" (due to globally blocked IP) to 🧱 Unable to use Wikidata REST API to create statements: "error": "rest-write-denied" (due to globally blocked IP).Dec 1 2025, 12:41 PM
ItamarWMDE removed ItamarWMDE as the assignee of this task.
ItamarWMDE created subtask T411363: 🧱 Respond with a blocked ip message for globally and locally blocked IPs.
ItamarWMDE moved this task from Doing to To Do on the Wikibase Reuse Team (Sprint 58) board.
ItamarWMDE subscribed.
Ifrahkhanyaree_WMDE moved this task from Backlog to Happening now on the Wikibase REST API (WPP) board.Dec 2 2025, 3:14 PM
Silvan_WMDE moved this task from Sprint 58 to Sprint 59 on the Wikibase Reuse Team board.Dec 9 2025, 10:25 AM
Silvan_WMDE edited projects, added Wikibase Reuse Team (Sprint 59); removed Wikibase Reuse Team (Sprint 58).
Silvan_WMDE closed subtask T411355: 🧱 Respond with a blocked user message for globally blocked users as Resolved.Dec 9 2025, 10:28 AM
ItamarWMDE moved this task from To Do to Product Verification on the Wikibase Reuse Team (Sprint 59) board.Dec 16 2025, 11:55 AM
Ifrahkhanyaree_WMDE closed subtask T411363: 🧱 Respond with a blocked ip message for globally and locally blocked IPs as Resolved.Jan 5 2026, 11:15 AM
Ifrahkhanyaree_WMDE moved this task from Product Verification to Done on the Wikibase Reuse Team (Sprint 59) board.
Ifrahkhanyaree_WMDE closed this task as Resolved.Jan 6 2026, 10:06 AM
Ifrahkhanyaree_WMDE claimed this task.
Ifrahkhanyaree_WMDE moved this task from Happening now to Done on the Wikibase REST API (WPP) board.Mon, Jan 12, 1:59 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits