I posted the topic below at https://www.mediawiki.org/wiki/Extension_talk:ReadingLists and was hoping for some feedback.

I'm trying to use the readinglists setup command and running into a permission denied message.

I think the problem is that my bot does not have editmyprivateinfo enabled.

Now that I think about it, it looks like Special:BotPasswords requires editmyprivateinfo be set by the user before a bot password is created.  If a bot had this permission, then it could set its own password, which might be bad.  This suggests that perhaps the ReadingList functionality should use a different permission?

Below are the details.

This is a bit of a newbie question as I'm just starting out with the API. Please forgive me if this is not the right place to start this discussion. I considered adding something to Phabricator, but this issue is more of a user problem than a problem with the software.

Anyway...

I have a test program where I get a login token, log in, get a CSRF token and then call setup.

#!/opt/local/bin/python3

"""
    setup.py

    Invoke the readinglists setup command

    MIT License

"""

import requests

URL = "https://en.wikipedia.org/w/api.php"
#URL = "https://www.mediawiki.org/w/api.php"

S = requests.Session()

# Retrieve login token first
PARAMS_LOGIN_TOKEN = {
    'action':"query",
    'meta':"tokens",
    'type':"login",
    'format':"json"
}

R = S.get(url=URL, params=PARAMS_LOGIN_TOKEN)
DATA = R.json()

LOGIN_TOKEN = DATA['query']['tokens']['logintoken']

print("Got logintoken")

# Send a post request to login. Using the main account for login is not
# supported. Obtain credentials via Special:BotPasswords
# (https://www.mediawiki.org/wiki/Special:BotPasswords) for lgname & lgpassword

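PARAMS_LOGIN = {
    'action':"login",
    'lgname': "BOT_NAME_HERE",          # placeholder: bot name from Special:BotPasswords
    'lgpassword': "BOT_PASSWORD_HERE",  # placeholder: bot password from Special:BotPasswords
    'lgtoken':LOGIN_TOKEN,
    'format':"json"
}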

R = S.post(URL, data=PARAMS_LOGIN)
DATA = R.json()

print("After login")
print(DATA)

# GET the CSRF Token
PARAMS_CSRF = {
    "action": "query",
    "meta": "tokens",
    "format": "json"
}

R = S.get(url=URL, params=PARAMS_CSRF)
DATA = R.json()

CSRF_TOKEN = DATA['query']['tokens']['csrftoken']

# Call setup
PARAMS_SETUP = {
    "action": "readinglists",
    "command": "setup",
    "format": "json",
    "token": CSRF_TOKEN
}

print("About to setup")
R = S.post(URL, data=PARAMS_SETUP)
print("After attempting to call setup")
print(R)
print(R.text)



The message I get is:

bash-3.2$ ./setup.py
Got logintoken
After login
{'login': {'result': 'Success', 'lguserid': 208882, 'lgusername': 'Cxbrx'}}
About to setup
After attempting to call setup
<Response [200]>
{"error":{"code":"permissiondenied","info":"You don't have permission to edit your private information.","*":"See https://en.wikipedia.org/w/api.php for API usage. Subscribe to the mediawiki-api-announce mailing list at &lt;https://lists.wikimedia.org/mailman/listinfo/mediawiki-api-announce&gt; for notice of API deprecations and breaking changes."},"servedby":"mw1316"}
bash-3.2$

In a separate script, I'm able to retrieve my readinglists, so I know that logging in is working.

I think the problem is that my bot does not have editmyprivateinfo enabled.

Looking at the code, I can see ApiReadingLists.php at https://github.com/wikimedia/mediawiki-extensions-ReadingLists/blob/869ffc5462fd33303ea8a822040704ef4489bec0/src/Api/ApiReadingLists.php checks for editmyprivateinfo.

Does anyone know if editmyprivateinfo is the problem? If so, is it possible to enable it for a bot?
_Christopher
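
Added example, not part of the original post or of the ReadingLists code: one way to test the hypothesis above is to ask the API which rights the logged-in bot-password session actually holds (action=query, meta=userinfo, uiprop=rights) and compare that list with the right named in the error. The stub session and the sample userinfo response are constructed so the block runs offline; pass the script's own requests.Session (S) instead to check a real login.

```python
API_URL = "https://en.wikipedia.org/w/api.php"
REQUIRED_RIGHT = "editmyprivateinfo"  # the right the post says ApiReadingLists.php checks

USERINFO_PARAMS = {"action": "query", "meta": "userinfo",
                   "uiprop": "rights", "format": "json"}

# Constructed sample: a userinfo reply for a session without the right.
SAMPLE_USERINFO = {"batchcomplete": "", "query": {"userinfo": {
    "id": 1, "name": "ExampleBot",
    "rights": ["read", "viewmyprivateinfo", "editmyoptions"]}}}
# Error body as shown in the post (trimmed to the fields used here).
SAMPLE_DENIED = {"error": {"code": "permissiondenied",
    "info": "You don't have permission to edit your private information."}}


class StubResponse:
    def __init__(self, payload):
        self._payload = payload

    def json(self):
        return self._payload


class StubSession:
    """Constructed stand-in for requests.Session (offline use only)."""
    def __init__(self, payload):
        self._payload = payload

    def get(self, url, params):
        return StubResponse(self._payload)


def effective_rights(session, url=API_URL):
    """Return the set of rights the current session is allowed to use."""
    data = session.get(url=url, params=USERINFO_PARAMS).json()
    if "error" in data:
        raise RuntimeError(f"{data['error']['code']}: {data['error']['info']}")
    return set(data["query"]["userinfo"].get("rights", []))


def explain_denial(api_response, rights, required=REQUIRED_RIGHT):
    """Classify an API reply against the session's rights."""
    err = api_response.get("error")
    if err is None:
        return "ok"
    if err.get("code") != "permissiondenied":
        return f"other-error:{err.get('code')}"
    return "missing-right" if required not in rights else "denied-despite-right"


if __name__ == "__main__":
    rights = effective_rights(StubSession(SAMPLE_USERINFO))
    print(sorted(rights), explain_denial(SAMPLE_DENIED, rights))
```

A "missing-right" result means the session itself lacks the right, so the restriction comes from the account or the grants chosen for the bot password rather than from the request.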