
OAuth API upload fails for some (not all!) users
Closed, Invalid (Public)

Description

I have an OAuth consumer named "OAuth Uploader":
https://www.mediawiki.org/wiki/Special:OAuthListConsumers/view/74a4d433d0ab9f9fad720e1c4eb8159a

It checks the login, gets an edit token, and then uploads a file from a remote URL via API.

As [[User:Magnus Manske]], it works fine. However, other people have reported that it doesn't work for them. I created a new Commons user [[User:Testuser-MM]]:
https://commons.wikimedia.org/wiki/User:Testuser-MM

It can upload files to Commons:
https://commons.wikimedia.org/wiki/File:Screen_Shot_2014-03-19_at_11.32.41.png

I registered the consumer for this user (clean Chrome browser), and sure enough, upload fails with "permission denied".

POST data follows (oauth token/signature replaced with "..."):

Header:
Authorization: OAuth oauth_consumer_key="74a4d433d0ab9f9fad720e1c4eb8159a", oauth_token="...", oauth_version="1.0", oauth_nonce="a70af0f0a7e11192a6803fdc0b31c2d2", oauth_timestamp="1395229010", oauth_signature_method="HMAC-SHA1", oauth_signature="..."

Payload:
Array
(

[format] => json
[action] => upload
[filename] => House_in_Lüneburg_(4838105025).jpg
[comment] => Transferred from Flickr
[text] => Dummy_description
[token] => 46b3fd6cdb67e05407c442b03eeb3230+\
[url] => https://farm5.staticflickr.com/4085/4838105025_b46921d90c_o.jpg

)

Result:
{"servedby":"mw1193","error":{"code":"permissiondenied","info":"Permission denied"}}

So, some questions:

  • Is the permission denied for the user, or for the OAuth consumer?
  • Why is the permission denied?
  • Why does it work for some users, but not others?

So far, I know it does seem to be related to browser plugins, or for how long the Commons user exists.


Version: unspecified
Severity: major

Details

Reference
bz62826

Event Timeline

bzimport raised the priority of this task from to Needs Triage. (Nov 22 2014, 3:02 AM)
bzimport set Reference to bz62826.
bzimport added a subscriber: Unknown Object (MLST).
  • Is the permission denied for the user, or for the OAuth consumer?

Short answer: It's the user here.

Long answer: That's a bit of a hard question. A permissions error for the OAuth consumer would begin with "mwoauth-". The "permissiondenied" error is given when the user lacks the necessary rights.

But it could be that the OAuth consumer didn't ask for the right grants, so the user-via-consumer wouldn't have the rights that the user would have when making the same query directly. That *could* be considered that the permissions were denied for the consumer.

In this particular case, though, the consumer does have the necessary grant ("Upload, replace, and move files"). It's just that some users lack the necessary right, and OAuth never adds rights the user doesn't have normally; it just removes them when not granted.

  • Why is the permission denied?
  • Why does it work for some users, but not others?

Uploading from a url via the API requires the "upload_by_url" user right. [[commons:User:Magnus Manske]] has this right, while [[commons:User:Testuser-MM]] does not.

According to [[commons:Special:ListGroupRights]], the following groups have this right: sysop, Image-reviewer, gwtoolset.

Your tool can use meta=userinfo&uiprop=rights to check if the user has the necessary right.

I'm going to close this as "INVALID" because there's no MediaWiki core or OAuth extension bug here, just a misunderstanding of the user rights required. But feel free to reply if you need further clarification.
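
An added example, not part of the original task or of the tool's own code: a pre-flight check built on the `meta=userinfo&uiprop=rights` query suggested above, plus the error triage the reply describes ("mwoauth-" prefix for consumer-level errors, "permissiondenied" for a missing user right). The function names, the two userinfo responses and the "mwoauth-" error code are constructed for illustration; `upload` is assumed as the base right for any upload.

```python
import json

def userinfo_params():
    """Parameters for the rights query; send it with the same OAuth signing
    as the upload so the answer reflects that user-via-consumer session."""
    return {"action": "query", "meta": "userinfo", "uiprop": "rights", "format": "json"}

def effective_rights(userinfo_json):
    """Extract the rights list from a meta=userinfo response body."""
    data = json.loads(userinfo_json)
    return set(data.get("query", {}).get("userinfo", {}).get("rights", []))

def missing_rights(upload_params, rights):
    """Rights this upload request needs that the session does not hold."""
    needed = {"upload"}                      # assumed base right for uploads
    if upload_params.get("url"):             # upload from a remote URL
        needed.add("upload_by_url")          # right named in the reply above
    return sorted(needed - rights)

def classify_error(response_json):
    """Triage an API reply: consumer/OAuth layer vs. missing user right."""
    code = json.loads(response_json).get("error", {}).get("code", "")
    if code.startswith("mwoauth-"):
        return "oauth-consumer"
    if code == "permissiondenied":
        return "user-right"
    return "other" if code else "ok"

# Constructed sample responses (not captured from a real wiki).
PRIVILEGED_USER = json.dumps({"query": {"userinfo": {
    "id": 1, "name": "ExamplePrivilegedUser",
    "rights": ["read", "edit", "upload", "upload_by_url"]}}})
NEW_USER = json.dumps({"query": {"userinfo": {
    "id": 2, "name": "ExampleNewUser", "rights": ["read", "edit", "upload"]}}})
OAUTH_ERROR = json.dumps({"error": {"code": "mwoauth-example-error", "info": "constructed"}})

# Upload payload and error body as shown in the task description.
UPLOAD = {"format": "json", "action": "upload",
          "url": "https://farm5.staticflickr.com/4085/4838105025_b46921d90c_o.jpg"}
PAGE_ERROR = '{"servedby":"mw1193","error":{"code":"permissiondenied","info":"Permission denied"}}'

if __name__ == "__main__":
    for name, body in (("privileged", PRIVILEGED_USER), ("new", NEW_USER)):
        gap = missing_rights(UPLOAD, effective_rights(body))
        print(name, "-> ok to upload" if not gap else f"-> missing {gap}")
    print(classify_error(PAGE_ERROR), classify_error(OAUTH_ERROR))
```

Running the check before the upload lets the tool tell the user which right is missing instead of surfacing a bare "Permission denied".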