[go: up one dir, main page]
Page MenuHomePhabricator
Create Task
Maniphest T170603

API Edit Requires a Captcha, but on Wiki edit does not
Open, MediumPublic
Actions

Description

I'm making an edit to my user page on test2.wikipedia.org
https://test2.wikipedia.org/wiki/User_talk:DBarratt_(WMF)

and I can do this without a problem when I am on-wiki.

However, if I make an edit to the same page with the API (logged in as the same user with OAuth) I get a request for a captcha

array:1 [
  "edit" => array:2 [
    "captcha" => array:4 [
      "type" => "image"
      "mime" => "image/png"
      "id" => "1221847824"
      "url" => "/w/index.php?title=Special:Captcha/image&wpCaptchaId=1221847824"
    ]
    "result" => "Failure"
  ]
]

I see that this is one of the possible responses from the API:
https://www.mediawiki.org/wiki/API:Edit#CAPTCHAs_and_extension_errors
but why does this happen if you are logged in with OAuth and not when logged in directly?
Is there a way to avoid this?

Related Objects

Event Timeline

dbarratt created this task.Jul 13 2017, 4:52 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 13 2017, 4:52 PM
Tgr subscribed.Jul 13 2017, 6:11 PM

You have some user right preventing the captcha from showing up (skipcaptcha probably) that's masked out because the OAuth app doesn't have the corresponding grant. (cf T142308: Most extensions which add a user right should also add or extend a grant)

dbarratt added a comment.Jul 13 2017, 6:20 PM

@Tgr Looks like it:
https://www.mediawiki.org/wiki/Extension:ConfirmEdit#Wikimedia_projects

Is there anyway to add that grant to the OAuth application? Or does ConfirmEdit (CAPTCHA extension) need to be updated to support that grant?

Seems weird that skipping Captcha would be a grant...

TBolliger subscribed.Jul 13 2017, 6:28 PM
Tgr added a comment.Jul 13 2017, 8:22 PM

Yeah, you'd need to update ConfirmEdit. It's a simple config change, see the linked task for examples.

Every user right has to be part of a grant, OAuth works on a whitelist basis. basic is the catch-all grant that's given to all applications and contains lots of basic rights. Now that I look at it, it actually contains skipcaptcha already, so either that's broken somehow (unlikely) or your user does not have it and the difference is caused by some other user right. Or difference is not related to OAuth at all (maybe some kind of throttling? Some captcha rules are based on frequency). Or maybe the action is failing for some captcha-unrelated reason, and ConfirmEdit is just not clever enough to not add the captcha field to the response when the user is exempt. You should test the API with a non-OAuth request to see which is the case.

Anomie moved this task from Unsorted to Non-core-API stuff on the MediaWiki-Action-API board.Jul 17 2017, 2:03 PM
Restricted Application added a project: Platform Engineering. · View Herald TranscriptJan 5 2020, 1:24 AM
Eevans triaged this task as Medium priority.Jan 10 2020, 5:33 PM
CCicalese_WMF removed a project: Platform Engineering.Jan 16 2020, 6:44 PM
CCicalese_WMF subscribed.

Removing CPT tag automatically added by Herald.

Reedy moved this task from Backlog to Bugs on the ConfirmEdit (CAPTCHA extension) board.Thu, Oct 24, 1:26 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits