When an OAuth consumer with the “rollback” grant but without the “edit” grant attempts to roll back an edit, the following error ensues:

> mwapi.errors.APIError: permissiondenied: The action you have requested is limited to users in one of the groups: *, [[Wikidata:Users|Users]].

This error is highly confusing; it took @tgr and me a while to [figure out](https://discourse-mediawiki.wmflabs.org/t/permissiondenied-on-rollback-api/1005) that it’s because `WikiPage::doRollback()` checks for both “edit” and “rollback”, and the groups mentioned in the error message are those of “edit”, even though the requested action is “rollback”.
Possible solutions I can think of:
- Continue to require both rights, but improve the error message and the documentation of the “rollback” grant on [Special:OAuthConsumerRegistration/propose](https://meta.wikimedia.org/wiki/Special:OAuthConsumerRegistration/propose).
- Continue to require both rights, but make it impossible to request a consumer with “rollback” and without “edit” grant.
- Make the “rollback” grant include the “edit” right, or even all rights of the “edit” grant.
- Change `WikiPage::doRollback()` to only require the “rollback” right.
- Change `WikiPage::doRollback()` to only require the “edit” right on the user, but not necessarily on the consumer. (“rollback” continues to be required on both.)

As a tool author, I want my tool to be as little privileged as possible, so I prefer any solution that doesn’t give my consumer the “edit” right. No longer requiring “edit” at all for rollback sounds possibly risky for wikis where some user groups, for some reason, have the “rollback” right but not the “edit” right (I would consider this a configuration error – are there valid uses for this?), so the last solution mentioned is a sort of compromise to alleviate that, though I’m not sure if it’s easy to implement with the current permissions structure.
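The following sketch is an added illustration, not part of the original task and not MediaWiki code. It models the check described above next to the last option in the list, with an error text that names the missing right and which side lacks it. It assumes a session may use only rights that both the user holds and the consumer's grants include; the grant-to-right table and all function names are hypothetical.

```python
# Simplified model (not MediaWiki code): an OAuth session may use only rights
# that the user holds AND that the consumer's grants include.
GRANT_RIGHTS = {  # constructed sample; real grants carry more rights
    "rollback": {"rollback"},
    "edit": {"edit"},
}


def consumer_rights(grants):
    """Union of the rights carried by the consumer's grants."""
    rights = set()
    for grant in grants:
        rights |= GRANT_RIGHTS[grant]
    return rights


def explain(right, user_rights, grants):
    """Error text naming the missing right and whether user or consumer lacks it."""
    if right not in user_rights:
        return f"permissiondenied: user lacks the '{right}' right"
    return (f"permissiondenied: consumer grants {sorted(grants)} "
            f"do not include the '{right}' right")


def check_rollback_current(user_rights, grants):
    """Behaviour described in the task: both rights required on the session."""
    session = user_rights & consumer_rights(grants)
    for right in ("edit", "rollback"):
        if right not in session:
            return explain(right, user_rights, grants)
    return "ok"


def check_rollback_proposed(user_rights, grants):
    """Last option in the list: 'edit' on the user only, 'rollback' on both."""
    if "edit" not in user_rights:
        return explain("edit", user_rights, grants)
    if "rollback" not in (user_rights & consumer_rights(grants)):
        return explain("rollback", user_rights, grants)
    return "ok"
```
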