A partial archive of https://discourse-mediawiki.wmflabs.org as of Saturday May 21, 2022.

Permissiondenied on rollback API

LucasWerkmeisterWMDE

(Private activity, I just can’t be bothered to create a non-work account right now, sorry.)

I’m working on a tool to patrol recent changes, which includes making API calls to rollback some edits. Python snippet:

    session = authenticated_session()
    token = session.get(action='query',
                        meta='tokens',
                        type='rollback')['query']['tokens']['rollbacktoken']
    results = session.get(action='query',
                          revids=[str(id)],
                          prop='revisions',
                          rvprop='user',
                          formatversion='2')
    for page in results['query']['pages']:
        pageid = page['pageid']
        user = page['revisions'][0]['user']
        break
    session.post(action='rollback',
                 pageid=pageid,
                 user=user,
                 token=token)

However, I’m getting the following error:

mwapi.errors.APIError: permissiondenied: The action you have requested is limited to users in one of the groups: *, [[Wikidata:Users|Users]].

This doesn’t make any sense to me. The session I’m using to make this request is authenticated (I can verify this with a manual call to action=query&meta=userinfo), and the user account has the rollback right (the tool explicitly verifies this with a call to action=query&meta=userinfo&uiprop=rights). Furthermore, surely my account would be considered both a “user” and an “anything”, which I assume must be what the * means?

I tried looking through the MediaWiki source, but couldn’t figure out where this error is being thrown. Does anyone have a clue what’s going on? (The wiki is Wikidata, if it matters, and specifically I’m testing with revision 820157734.)

Tgr

Well, rollback is definitely not available to all users so that error message is a bug. (Or is that configured differently for Wikidata?) As for the error itself, I’d guess your bot has limited permissions (it uses a bot password or OAuth login).

LucasWerkmeisterWMDE

Rollback on Wikidata is limited to the rollbackers group, in which I’m a member (per request). My tool uses OAuth, and the consumer has the “rollback” grant.

LucasWerkmeisterWMDE

I tried logging out and back in again on Wikidata, and re-authenticating via the tool, just in case my group memberships were being cached somewhere in some session, but it didn’t help.

Tgr

In any case an OAuth tool’s session has nothing to do with your web session.

Can you try making a request with the X-Wikimedia-Debug header?

LucasWerkmeisterWMDE

Done. Request ID is XCdQFApAAC4AACCVgFcAAAAK, debug log is copied to ~lucaswerkmeister-wmde/XWikimediaDebug.log on mwlog1001 (because /srv/mw-log/XWikimediaDebug.log looks like the next debug request will overwrite it).

Tgr

The problem is that your OAuth consumer has rollback but not edit and WikiPage::doRollback() checks for both. (The weird “*, users” error message is because the edit right is assigned to those groups).

LucasWerkmeisterWMDE

Ah, okay, thanks for figuring it out! I think it makes more sense to continue the discussion on Phabricator now, so I’ve filed T212851.