Last modified: 2014-03-19 14:37:08 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T64826, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 62826 - OAuth API upload fails for some (not all!) users
Status: RESOLVED INVALID
Product: MediaWiki
Classification: Unclassified
Component: API
Version: unspecified
Hardware: All All
Importance: Unprioritized major
Assigned To: Nobody - You can work on this!
Reported: 2014-03-19 11:53 UTC by Magnus Manske
Modified: 2014-03-19 14:37 UTC (History)

Description Magnus Manske 2014-03-19 11:53:41 UTC
I have an OAuth consumer named "OAuth Uploader":
https://www.mediawiki.org/wiki/Special:OAuthListConsumers/view/74a4d433d0ab9f9fad720e1c4eb8159a

It checks the login, gets an edit token, and then uploads a file from a remote URL via API.

As [[User:Magnus Manske]], it works fine. However, other people have reported that it doesn't work for them. I created a new Commons user [[User:Testuser-MM]]:
https://commons.wikimedia.org/wiki/User:Testuser-MM

It can upload files to Commons:
https://commons.wikimedia.org/wiki/File:Screen_Shot_2014-03-19_at_11.32.41.png

I registered the consumer for this user (clean Chrome browser), and sure enough, upload fails with "permission denied".

POST data follows (oauth token/signature replaced with "..."):

Header:
Authorization: OAuth oauth_consumer_key="74a4d433d0ab9f9fad720e1c4eb8159a", oauth_token="...", oauth_version="1.0", oauth_nonce="a70af0f0a7e11192a6803fdc0b31c2d2", oauth_timestamp="1395229010", oauth_signature_method="HMAC-SHA1", oauth_signature="..."

Payload:
Array
(
    [format] => json
    [action] => upload
    [filename] => House_in_Lüneburg_(4838105025).jpg
    [comment] => Transferred from Flickr
    [text] => Dummy_description
    [token] => 46b3fd6cdb67e05407c442b03eeb3230+\
    [url] => https://farm5.staticflickr.com/4085/4838105025_b46921d90c_o.jpg
)

Result:
{"servedby":"mw1193","error":{"code":"permissiondenied","info":"Permission denied"}}



So, some questions:
* Is the permission denied for the user, or for the OAuth consumer? 
* Why is the permission denied?
* Why does it work for some users, but not others?

So far, I know it does seem to be related to browser plugins, or for how long the Commons user exists.
Comment 1 Brad Jorsch 2014-03-19 14:37:08 UTC
> * Is the permission denied for the user, or for the OAuth consumer? 

Short answer: It's the user here.

Long answer: That's a bit of a hard question. A permissions error for the OAuth consumer would begin with "mwoauth-". The "permissiondenied" error is given when the user lacks the necessary rights.

But it could be that the OAuth consumer didn't ask for the right grants, so the user-via-consumer wouldn't have the rights that the user would have when making the same query directly. That *could* be considered that the permissions were denied for the consumer.

In this particular case, though, the consumer does have the necessary grant ("Upload, replace, and move files"). It's just that some users lack the necessary right and OAuth never adds rights the user doesn't have normally, it just removes them when not granted.

> * Why is the permission denied?
> * Why does it work for some users, but not others?

Uploading from a url via the API requires the "upload_by_url" user right. [[commons:User:Magnus Manske]] has this right, while [[commons:User:Testuser-MM]] does not.

According to [[commons:Special:ListGroupRights]], the following groups have this right: sysop, Image-reviewer, gwtoolset.

Your tool can use meta=userinfo&uiprop=rights to check if the user has the necessary right.


I'm going to close this as "INVALID" because there's no MediaWiki core or OAuth extension bug here, just a misunderstanding of the user rights required. But feel free to reply if you need further clarification.
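
The rights check suggested in comment 1, sketched as an added example that is not part of the bug report, the reporter's tool, or MediaWiki itself. The sample userinfo responses, user names and function names are constructed for illustration; the error body is the one quoted in the description.

```python
import json
from urllib.parse import urlencode

# Assumption: the Commons API endpoint; the caller must send the request OAuth-signed.
API = "https://commons.wikimedia.org/w/api.php"

def userinfo_url(api=API):
    """Build the meta=userinfo&uiprop=rights query suggested in comment 1."""
    params = {"action": "query", "meta": "userinfo", "uiprop": "rights", "format": "json"}
    return api + "?" + urlencode(params)

def missing_rights(userinfo_json, required=("upload_by_url",)):
    """Return the required rights absent from a userinfo response (sorted)."""
    info = json.loads(userinfo_json).get("query", {}).get("userinfo", {})
    return sorted(set(required) - set(info.get("rights", [])))

def classify_error(response_json):
    """Map an API error code to the source of the denial, following comment 1:
    codes starting with "mwoauth-" are OAuth errors, "permissiondenied" means
    the user lacks a right. Returns None when the response carries no error."""
    error = json.loads(response_json).get("error")
    if error is None:
        return None
    code = error.get("code", "")
    if code.startswith("mwoauth-"):
        return "oauth-consumer"
    if code == "permissiondenied":
        return "user-right"
    return "other"

# Constructed sample responses (user names and rights lists are made up).
WITH_RIGHT = json.dumps({"query": {"userinfo": {
    "id": 1, "name": "ExampleUserA", "rights": ["read", "edit", "upload", "upload_by_url"]}}})
WITHOUT_RIGHT = json.dumps({"query": {"userinfo": {
    "id": 2, "name": "ExampleUserB", "rights": ["read", "edit", "upload"]}}})
# The error body quoted in the bug description.
REPORTED_ERROR = '{"servedby":"mw1193","error":{"code":"permissiondenied","info":"Permission denied"}}'

if __name__ == "__main__":
    print(userinfo_url())
    for sample in (WITH_RIGHT, WITHOUT_RIGHT):
        gaps = missing_rights(sample)
        print("upload by URL allowed" if not gaps else f"skip upload, missing: {gaps}")
    print(classify_error(REPORTED_ERROR))
```

Running the check before the upload request lets a tool tell the user which right is missing instead of surfacing a bare "Permission denied".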
