Last modified: 2014-03-19 14:37:08 UTC
I have an OAuth consumer named "OAuth Uploader": https://www.mediawiki.org/wiki/Special:OAuthListConsumers/view/74a4d433d0ab9f9fad720e1c4eb8159a It checks the login, gets an edit token, and the uploads a file from a remote URL via API. As [[User:Magnus Manske]], it works fine. However, other people have reported that it doesn't work for them. I created a new Commons user [[User:Testuser-MM]]: https://commons.wikimedia.org/wiki/User:Testuser-MM It can upload files to Commons: https://commons.wikimedia.org/wiki/File:Screen_Shot_2014-03-19_at_11.32.41.png I registered the consumer for this user (clean Chrome browser), and sure enough, upload fails with "permission denied". POST data follows (oauth token/signature replaced with "..."): Header: Authorization: OAuth oauth_consumer_key="74a4d433d0ab9f9fad720e1c4eb8159a", oauth_token="...", oauth_version="1.0", oauth_nonce="a70af0f0a7e11192a6803fdc0b31c2d2", oauth_timestamp="1395229010", oauth_signature_method="HMAC-SHA1", oauth_signature="..." Payload: Array ( [format] => json [action] => upload [filename] => House_in_Lüneburg_(4838105025).jpg [comment] => Transferred from Flickr [text] => Dummy_description [token] => 46b3fd6cdb67e05407c442b03eeb3230+\ [url] => https://farm5.staticflickr.com/4085/4838105025_b46921d90c_o.jpg ) Result: {"servedby":"mw1193","error":{"code":"permissiondenied","info":"Permission denied"}} So, some questions: * Is the permission denied for the user, or for the OAuth consumer? * Why is the permission denied? * Why does it work for some users, but not others? So far, I know it does seem to be related to browser plugins, or for how long the Commons user exists.
> * Is the permission denied for the user, or for the OAuth consumer? Short answer: It's the user here. Long answer: That's a bit of a hard question. A permissions error for the OAuth consumer would begin with "mwoauth-". The "permissiondenied" error is given when the user lacks the necessary rights. But it could be that the OAuth consumer didn't ask for the right grants, so the user-via-consumer wouldn't have the rights that the user would have when making the same query directly. That *could* be considered that the permissions were denied for the consumer. In this particular case, though, the consumer does have the necessary grant ("Upload, replace, and move files"). It's just that some users lack the necessary right and OAuth never adds rights the user doesn't have normally, it just removes them when not granted. > * Why is the permission denied? > * Why does it work for some users, but not others? Uploading from a url via the API requires the "upload_by_url" user right. [[commons:User:Magnus Manske]] has this right, while [[commons:User:Testuser-MM]] does not. According to [[commons:Special:ListGroupRights]], the following groups have this right: sysop, Image-reviewer, gwtoolset. Your tool can use meta=userinfo&uiprop=rights to check if the user has the necessary right. I'm going to close this as "INVALID" because there's no MediaWiki core or OAuth extension bug here, just a misunderstanding of the user rights required. But feel free to reply if you need further clarification.