Page MenuHomePhabricator
Create Task
Maniphest T425736

Create CheckUser API Module for the REST APIs in the extension
Open, In Progress, MediumPublic5 Estimated Story Points
Actions

Description

Description

The MediaWiki Interfaces team recently introduced a new pattern for defining self-contained REST API Modules within the MediaWiki REST framework for REST APIs. REST API modules represent collections of related endpoints, which can be independently managed from other REST API modules. They create controlled flexibility through federated ownership, while also ensuring that related capabilities are self-contained, can be independently versioned, and can share object definitions and the like. They are therefore particularly well-suited for extension REST API definitions, which are already self contained.

The CheckUser REST API endpoints are particularly well-suited to become an API Module, because it is not available for all MediaWIki users and developers. By breaking out these endpoints into their own API module, we can present additional context to users to explain their restricted access. Additionally, creating an API module is a prerequisite for future changes to allow for more programmatically restricted API access via API audiences (WIP).

Conditions of acceptance

  • CheckUser API module is created
  • A high(er) quality spec is generated for CheckUser API:
    • See: https://www.mediawiki.org/wiki/Documentation/API_documentation/Reference
    • A high level module description is created, with a link to the CheckUser extension documentation.
    • Endpoints all have short descriptions and summaries
    • Parameter descriptions are helpful to human readers
    • Schemas are defined, with useful descriptions for all properties
    • Examples are created where needed
  • CheckUser API module is included in the spec discovery list (for now; confirm this behavior with the PSI team)
  • CheckUser API module is NOT available in the REST Sandbox dropdown (module override required to keep it hidden)
  • CheckUser endpoints are removed from the "flat" MediaWiki definition

Helpful documentation

NOTE: We do not yet expect full compliance with the "required" fields in the OAD style guide. These guidelines were created to support the related linter work, but are not yet enforced.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
REST: Document CheckUser REST API handlers and add module unit testsmediawiki/extensions/CheckUsermaster+1 K -0
REST: Allow 'rest-param-example' in `RestStructureTest`mediawiki/coremaster+1 -0
REST: Address PSI comments on CheckUser module localisationmediawiki/extensions/CheckUsermaster+6 -6
REST: Migrate CheckUser REST endpoints to a REST API Modulemediawiki/extensions/CheckUsermaster+172 -119
Customize query in gerrit

Related Objects
Search...

Event Timeline

HCoplin-WMF created this task.May 7 2026, 7:56 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 7 2026, 7:56 PM
NguoiDungKhongDinhDanh updated the task description. (Show Details)May 8 2026, 12:44 AM
Reedy added a project: CheckUser.May 8 2026, 1:56 PM
Restricted Application added a project: Product Safety and Integrity. · View Herald TranscriptMay 8 2026, 1:56 PM
Dreamy_Jazz closed this task as Declined.EditedMay 8 2026, 2:00 PM
Dreamy_Jazz subscribed.

We disabled the CheckUser API (i.e. action=checkuser) by default and for WMF wikis in T396010 due to security concerns and lack of usage, so don't think we (Product Safety and Integrity) should spend time on this. Boldy declining this task

Dreamy_Jazz added a comment.EditedMay 8 2026, 2:03 PM

Unless you mean the temporary account IP reveal endpoints? If so, these are internal anyway so ideally no documentation would exist for them to avoid implying they are stable to use

The only REST API endpoints in CheckUser are specifically only intended to be interacted with by frontend code that calls the API and if we could have we would mark them internal in any automatically generated documentation (like in the normal API). Therefore, creating the documentation is probably going to give the wrong idea that these API endpoints are stable and can be called by code outside CheckUser

Additionally most of these endpoints do very different things (IP reveal for temporary accounts, a card showing mostly public information about a user, allowing any user to send http-client-hints for the action they perform) so I don't think grouping these for documentation would make much sense (as they are for different users and do very different things)

HCoplin-WMF added a comment.EditedMay 8 2026, 8:29 PM

This is explicitly for the REST endpoints, yes. Apologies that wasn't clear in the description -- this ticket was supposed to be more of a placeholder for now, and just realized that I did not call the REST framework as clearly as I could have.

Totally understand that these endpoints are for internal usage. That is basically the purpose of this ticket -- we are starting to break apart extension APIs so that we can have clearer indications of the levels of access, instead of presenting everything as a flat list with no indicators of such. For example, explicitly marking internal endpoints, and/or fully restricting the endpoint so that they can only be used by specific features. This is the first step towards that migration and the ability to apply additional access control.

Updating the docs gives us the opportunity to indicate they are internal in the first place. I also think that it is still worth documenting APIs for internal users, to a degree. That being said, we are totally open to being more lenient with the documentation completeness, because they're for internal users. However, the request to make a module still stands for other reasons, so that we can also do things like hiding the docs or making them an internal 'opt-in' instead of being displayed alongside our truly public endpoints, which is what gives the impression of stability and availability for developers who should perhaps not be using them.

HCoplin-WMF updated the task description. (Show Details)May 8 2026, 8:33 PM
HCoplin-WMF reopened this task as Open.May 8 2026, 8:41 PM
Dreamy_Jazz moved this task from Inbox to Triaged (backlog) on the Product Safety and Integrity board.May 8 2026, 9:12 PM

which is what gives the impression of stability and availability for developers who should perhaps not be using them.

Yeah, we do not support any stability or intend for any developers to use them except through the JS code that we write, so I'd prefer that these just don't appear in the REST sandbox at all

Dreamy_Jazz renamed this task from Create CheckUser API Module to Create CheckUser API Module for the REST APIs in the extension.May 8 2026, 9:13 PM
Dreamy_Jazz updated the task description. (Show Details)

I've updated the title of this to make it clearer this is just for REST API modules. I also don't think Product Safety and Integrity would have any capacity in the short-term to help on this, though confirming with a PM would best if our input is needed

Dreamy_Jazz updated the task description. (Show Details)May 8 2026, 9:16 PM
BPirkle triaged this task as Medium priority.May 8 2026, 10:03 PM
BPirkle moved this task from Incoming (Needs Triage) to Backlog on the MW-Interfaces-Team board.
HCoplin-WMF moved this task from Backlog to To Refine on the MW-Interfaces-Team board.May 12 2026, 1:03 PM
Atieno subscribed.May 12 2026, 2:57 PM
  • No config changes meaning it won't be displayed on the REST Sandbox
  • Good for onboarding onto REST modules
  • We could get the Product Safety and Integrity to review the patch
  • Should we then remove it from the extension json so it does not appear anywhere?
  • We are just matching what we have right now
Atieno moved this task from To Refine to To Estimate on the MW-Interfaces-Team board.May 12 2026, 2:58 PM
HCoplin-WMF added a parent task: T422400: [Hypothesis] 5.2.8b: API Module Refinement.May 14 2026, 3:01 AM
HCoplin-WMF updated the task description. (Show Details)Thu, May 28, 5:25 PM
HCoplin-WMF moved this task from To Estimate to MWI-Sprint-35 (2026-06-02 to 2026-06-16) on the MW-Interfaces-Team board.Tue, Jun 2, 1:17 PM
HCoplin-WMF edited projects, added: MW-Interfaces-Team (MWI-Sprint-35 (2026-06-02 to 2026-06-16)); removed: MW-Interfaces-Team.
BPirkle set the point value for this task to 5.Tue, Jun 2, 2:47 PM
BPirkle subscribed.

Estimated synchronously during sprint planning.

One significant purpose of story points is to overload developers, so estimating a little high is safer in this case.

KineticPelagic claimed this task.Wed, Jun 3, 9:40 AM
KineticPelagic changed the task status from Open to In Progress.Wed, Jun 10, 9:49 AM
KineticPelagic moved this task from Committed to In Progress on the MW-Interfaces-Team (MWI-Sprint-35 (2026-06-02 to 2026-06-16)) board.
BPirkle added a comment.Wed, Jun 10, 2:06 PM

From the task description:

  • CheckUser API module is created
  • A high(er) quality spec is generated for CheckUser API:

After conversation with @KineticPelagic , we decided to do these as two separate gerrit patches, both under this task.

gerritbot added a comment.Wed, Jun 10, 4:42 PM

Change #1300204 had a related patch set uploaded (by KineticPelagic; author: KineticPelagic):

[mediawiki/extensions/CheckUser@master] REST: Migrate CheckUser REST endpoints to a REST API Module

https://gerrit.wikimedia.org/r/1300204

gerritbot added a project: Patch-For-Review.Wed, Jun 10, 4:42 PM
gerritbot added a comment.Wed, Jun 10, 5:39 PM

Change #1300204 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@master] REST: Migrate CheckUser REST endpoints to a REST API Module

https://gerrit.wikimedia.org/r/1300204

ReleaseTaggerBot added a project: MW-1.47-notes (1.47.0-wmf.7; 2026-06-16).Wed, Jun 10, 6:00 PM
Maintenance_bot removed a project: Patch-For-Review.Wed, Jun 10, 6:31 PM
gerritbot added a comment.Thu, Jun 11, 12:08 AM

Change #1300279 had a related patch set uploaded (by KineticPelagic; author: KineticPelagic):

[mediawiki/extensions/CheckUser@master] REST: Document CheckUser REST API handlers and add module unit tests

https://gerrit.wikimedia.org/r/1300279

gerritbot added a project: Patch-For-Review.Thu, Jun 11, 12:08 AM
KineticPelagic moved this task from In Progress to Code Review on the MW-Interfaces-Team (MWI-Sprint-35 (2026-06-02 to 2026-06-16)) board.Thu, Jun 11, 12:09 AM
KineticPelagic added a comment.Thu, Jun 11, 12:16 AM

Change https://gerrit.wikimedia.org/r/1300204 fulfills:

  • CheckUser API module is created
  • CheckUser API module is included in the spec discovery list (for now; confirm this behavior with the PSI team)
  • CheckUser API module is NOT available in the REST Sandbox dropdown (module override required to keep it hidden)
  • CheckUser endpoints are removed from the "flat" MediaWiki definition

Change https://gerrit.wikimedia.org/r/1300279 fulfills:

  • A high(er) quality spec is generated for CheckUser API:
In T425736#12004875, @BPirkle wrote:

From the task description:

  • CheckUser API module is created
  • A high(er) quality spec is generated for CheckUser API:

After conversation with @KineticPelagic , we decided to do these as two separate gerrit patches, both under this task.

KineticPelagic mentioned this in T428965: MediaWiki REST Framework: Localize requestBody descriptions in OpenAPI document generation.Thu, Jun 11, 8:35 PM
gerritbot added a comment.Fri, Jun 12, 8:27 AM

Change #1301299 had a related patch set uploaded (by KineticPelagic; author: KineticPelagic):

[mediawiki/core@master] REST: Allow 'rest-param-example' in `RestStructureTest`

https://gerrit.wikimedia.org/r/1301299

gerritbot added a comment.Fri, Jun 12, 10:11 AM

Change #1301332 had a related patch set uploaded (by KineticPelagic; author: KineticPelagic):

[mediawiki/extensions/CheckUser@master] REST: Address PSI comments on CheckUser module localisation

https://gerrit.wikimedia.org/r/1301332

gerritbot added a comment.Fri, Jun 12, 10:54 AM

Change #1301332 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@master] REST: Address PSI comments on CheckUser module localisation

https://gerrit.wikimedia.org/r/1301332

gerritbot added a comment.Fri, Jun 12, 7:24 PM

Change #1301299 merged by jenkins-bot:

[mediawiki/core@master] REST: Allow 'rest-param-example' in `RestStructureTest`

https://gerrit.wikimedia.org/r/1301299

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits