I posted the topic below at https://www.mediawiki.org/wiki/Extension_talk:ReadingLists and was hoping for some feedback
I'm trying to use the readinglists setup command and running in to a permission denied message.
I think the problem is that my bot does not have editmyprivateinfo enabled.
Now that I think about it, it looks like Special:BotPasswords requires editmyprivateinfo be set by the user before a bot password is created. If a bot had this permission, then it could set its own password, which might be bad. This suggests that perhaps the ReadingList functionality should use a different permission?
Below are the details.
This is a bit of a newbie question as I'm just starting out with the api. Please forgive me if this is not the right place to start this discussion. I considered adding something to Phabricator, but this issue is more of a user problem then a problem with the software.
Anyway...
I have a test program where I get a login token, login, get a csrf token and then call setup.
#!/opt/local/bin/python3
""" setup.py
Invoke the readinglists setup command
MIT License
"""
import requests
URL = "https://en.wikipedia.org/w/api.php" #URL = "https://www.mediawiki.org/w/api.php"
S = requests.Session()
# Retrieve login token first PARAMS_LOGIN_TOKEN = { 'action':"query", 'meta':"tokens", 'type':"login", 'format':"json" }
R = S.get(url=URL, params=PARAMS_LOGIN_TOKEN) DATA = R.json()
LOGIN_TOKEN = DATA['query']['tokens']['logintoken']
print("Got logintoken")
# Send a post request to login. Using the main account for login is not # supported. Obtain credentials via Special:BotPasswords # (https://www.mediawiki.org/wiki/Special:BotPasswords) for lgname & lgpassword
PARAMS_LOGIN = { 'action':"login", 'lgname': BOT_NAME_HERE, 'lgpassword': BOT_PASSWORD_HERE, 'lgtoken':LOGIN_TOKEN, 'format':"json" }
R = S.post(URL, data=PARAMS_LOGIN) DATA = R.json()
print("After login") print(DATA)
# GET the CSRF Token PARAMS_CSRF = { "action": "query", "meta": "tokens", "format": "json" }
R = S.get(url=URL, params=PARAMS_CSRF) DATA = R.json()
CSRF_TOKEN = DATA['query']['tokens']['csrftoken']
# Call setup PARAMS_SETUP = { "action": "readinglists", "command": "setup", "format": "json", "token": CSRF_TOKEN }
print("About to setup") R = S.post(URL, data=PARAMS_SETUP) print("After attempting to call setup") print(R) print(R.text)
The message I get is:
|bash-3.2$ ./setup.py Got logintoken After login {'login': {'result': 'Success', 'lguserid': 208882, 'lgusername': 'Cxbrx'}} About to setup After attempting to call setup <Response [200]> {"error":{"code":"permissiondenied","info":"You don't have permission to edit your private information.","*":"See https://en.wikipedia.org/w/api.php for API usage. Subscribe to the mediawiki-api-announce mailing list at <https://lists.wikimedia.org/mailman/listinfo/mediawiki-api-announce%3E; for notice of API deprecations and breaking changes."},"servedby":"mw1316"} bash-3.2$ |
In a separate script, I'm able to retrieve my readinglists, so I know that logging in is working.
I think the problem is that my bot does not have editmyprivateinfo enabled.
Looking at the code, I can see ApiReadingLists.php at https://github.com/wikimedia/mediawiki-extensions-ReadingLists/blob/869ffc54... checks for editmyprivateinfo
Does anyone know if editmyprivateinfo is the problem? If so, is it possible to enable it for a bot?
_Christopher