
Cannot use API action "wbsetlabel" on Wikidata via OAuth despite edit rights
Closed, Resolved, Public

Description

I have an OAuth consumer that has edit rights on Wikidata:

Setting claims (action=wbcreateclaim) works just fine. However, action=wbsetlabel (using a copy of the working code) gets me:

stdClass Object ( [servedby] => mw1139 [error] => stdClass Object ( [code] => permissiondenied [info] => You do not have sufficient permissions ) )

As a user, I can edit labels manually, so I do have that right. And the API doc states that wbsetlabel needs edit rights, which both I and the consumer have.

So, that should work, but doesn't.

I'm marking this "blocker" because it blocks the function of one of my tools.


Version: wmf-deployment
Severity: normal
Whiteboard: u=dev c=backend p=0

Details

Reference
bz60392

Event Timeline

bzimport raised the priority of this task from to High. Nov 22 2014, 2:59 AM
bzimport added a project: Wikidata.org.
bzimport set Reference to bz60392.
bzimport added a subscriber: Unknown Object (MLST).

Not a bug in OAuth, it's just a configuration issue. What needs to happen is a patch against wmf-config/CommonSettings.php (in operations/mediawiki-config) that adds Wikidata's permissions into the appropriate subarrays of $wgMWOAuthGrantPermissions.

Not being familiar with Wikidata's permissions, I wouldn't know which ones should go in $wgMWOAuthGrantPermissions['useoauth'] (like core's 'read'), which should go in $wgMWOAuthGrantPermissions['editpage'] (like core's 'edit'), which should go in $wgMWOAuthGrantPermissions['createeditmovepage'] (like core's 'create' and 'move'), and so on, or whether one or more new groups should be created for some/all of them so clients can explicitly request "interact with Wikidata" (which would then need a message added to extension/WikimediaMessages).

Adjusting priority and importance to match bug 59929 and bug 59981, and reassigning to Wikimedia/Wikidata so the right people can decide how $wgMWOAuthGrantPermissions should be set up. Gerrit change 109308 might serve as an example as to where and how exactly to add it.
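Why the account's own rights are not enough, as an added sketch (not code from MediaWiki, the OAuth extension, or anyone in this thread): it models an OAuth session as limited to rights the user holds and that an approved grant lists in $wgMWOAuthGrantPermissions. The function names and `example-label-right` are hypothetical placeholders.

```php
<?php
// Added illustration: simplified model, not MediaWiki or OAuth extension code.

// Same shape as $wgMWOAuthGrantPermissions: grant => [ right => true ].
// Contents are constructed; only 'read', 'edit', 'create', 'move' and the
// three grant names come from the discussion above.
$grantPermissions = [
    'useoauth'           => [ 'read' => true ],
    'editpage'           => [ 'edit' => true ],
    'createeditmovepage' => [ 'create' => true, 'move' => true ],
];

// Rights the account holds on the wiki. 'example-label-right' is a
// placeholder for an extension-defined right, not a real Wikibase right name.
$userRights = [ 'read', 'edit', 'create', 'move', 'example-label-right' ];

// Rights usable in an OAuth session: held by the user AND listed under at
// least one grant that the consumer was approved for.
function effectiveRights( array $userRights, array $consumerGrants, array $grantPermissions ): array {
    $allowed = [];
    foreach ( $consumerGrants as $grant ) {
        // Only entries set to true count as granted.
        $allowed += array_filter( $grantPermissions[$grant] ?? [] );
    }
    return array_values( array_intersect( $userRights, array_keys( $allowed ) ) );
}

// Rights that no grant maps at all: no consumer can ever exercise these.
function unmappedRights( array $userRights, array $grantPermissions ): array {
    $mapped = [];
    foreach ( $grantPermissions as $rights ) {
        $mapped += array_filter( $rights );
    }
    return array_values( array_diff( $userRights, array_keys( $mapped ) ) );
}

$grants = [ 'useoauth', 'editpage' ];

// Before the config change: the placeholder right is silently dropped.
print_r( effectiveRights( $userRights, $grants, $grantPermissions ) );
print_r( unmappedRights( $userRights, $grantPermissions ) );

// After mapping it into a grant the consumer holds, it survives.
$grantPermissions['editpage']['example-label-right'] = true;
print_r( effectiveRights( $userRights, $grants, $grantPermissions ) );
```

Running the unmapped-rights check against a wiki's real configuration after installing an extension shows which of its rights OAuth consumers cannot yet use.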

Change 109333 had a related patch set (by Addshore) published:
Add wikibase permissions to MWOAuthGrantPermissions

https://gerrit.wikimedia.org/r/109333

Change 109333 merged by jenkins-bot:
Add wikibase permissions to MWOAuthGrantPermissions

https://gerrit.wikimedia.org/r/109333

Any news as to when this is going live?

@Magnus: It is merged and live. If it is still not working we need to investigate some more.

(In reply to comment #7)
> @Magnus: It is merged and live. If it is still not working we need to
> investigate some more.

Still getting "You do not have sufficient permissions". Do the WiDaR consumer settings need to be updated on the OAuth side?

I'm not sure. I'll try to find out.

Will be discussed in weekly call on Thursday, Feb 6th.

Magnus, can you use your OAuth consumer to run api.php?action=query&meta=userinfo&uiprop=blockinfo|groups|rights for the user? That will give a list of rights that the current user has, and we can start tracking down what is missing.

Here it is:

[rights] => Array
(
    [0] => read
    [1] => edit
    [2] => writeapi
    [3] => minoredit
    [4] => purge
    [5] => autopatrol
    [6] => autoconfirmed
    [7] => editsemiprotected
    [8] => skipcaptcha
)

You can check for changes (if you make any) yourself:
http://tools.wmflabs.org/widar/?action=get_rights

Change 113117 had a related patch set uploaded by Aude:
Fix OAuth rights for Wikidata

https://gerrit.wikimedia.org/r/113117

Aaaand... bug is back. "You do not have sufficient permissions". Statement adding works fine.

Without any real looking into the issue, I'd suspect that the "deployment note" on Gerrit Change 112470 wasn't taken care of.

Change 121086 had a related patch set uploaded by Aude:
Update Wikidata OAuth grants

https://gerrit.wikimedia.org/r/121086

hmmm, thought we already updated these settings but apparently not yet.

We shall do that now

Change 121086 merged by jenkins-bot:
Update Wikidata OAuth grants

https://gerrit.wikimedia.org/r/121086

@Magnus please check that oauth works again. I don't think there is anything you need to update or do.