Page MenuHomePhabricator
Create Task
Maniphest T421631

Wikibase REST API bot parameter behavior is confusing and inconsistent with Action API
Closed, ResolvedPublic8 Estimated Story PointsFeature
Actions

Description

As a library or tool developer who is familiar with the MediaWiki Action API, I want to specify the bot flag with all automated requests to the REST API, so that the server can automatically mark them as automated if the user has the required permission, without me having to check the permission myself.

Problem:
The Wikibase REST API bot parameter apparently behaves differently from that of the Action API: if you include "bot": true in your request body without having the bot right, you get a HTTP 403 error.

{"code":"permission-denied","message":"Access to resource is denied","context":{"denial_reason":"unauthorized-bot-edit"}}

(AFAICT the error message actually used to be more informative, but T372999 changed it from “Unauthorized bot edit” to “Access to resource is denied”. Now only the context tells you that it’s even related to the bot parameter.)
As far as I can tell, this meaning of the bot parameter is not documented in the OpenAPI spec nor on Wikidata:REST API.

List of steps to reproduce (step by step, including full links if applicable):

I noticed this issue while working on T411325, in the commit Add deleteForJson(), deleteForText(), deleteForHtml() functions.

Describe the impact that solving this problem will have on users:
Tool authors will easily be able to mark requests as automated where appropriate. Whether a request is automated or not is often an inherent property of the tool that is used to make the request; consequently, it’s convenient if the tool can simply mark the request as automated regardless of user permissions, and trust the server side to either apply the bot flag or silently drop it, rather than the tool having to first check if the user has sufficient permission to use the bot flag or not.

Describe the implications/cost of not doing this request:
Some tools just won’t bother to send the bot flag at all, treating all edits as manual even when they’re really automated and the user has the permission to mark them as such. For instance, AFAICT QuickStatements v3 always sends bot=false.

Acceptance criteria:

  • The current error message will be removed
  • The feature as described above will be implemented i.e., requests containing bot=True for a non-bot account will not get an error but will go through and not be marked as a bot edit
  • Propose change to Quickstatements 3.0 to set bot=True as default
  • Update docs if necessary

Task breakdown notes:

  • Remove the bot check middleware
  • adjust EntityUpdater to not throw an exception when the user sent the bot flag but doesn't have the corresponding permission
  • change the $editEntity->attemptSave() call to only mark the edit as a bot edit if the bot flag was sent AND the user has bot permissions

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
CRUD: Don't reject bot flag requests made by non-botsmediawiki/extensions/Wikibasemaster+47 -229
Customize query in gerrit

Related Objects

Event Timeline

LucasWerkmeister created this task.Mar 29 2026, 12:27 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 29 2026, 12:27 PM
LucasWerkmeister added a project: Wikibase REST API (WPP).Mar 29 2026, 12:27 PM
Ifrahkhanyaree_WMDE moved this task from Backlog to User feedback on the Wikibase REST API (WPP) board.Apr 22 2026, 12:50 PM
Ifrahkhanyaree_WMDE added a project: Wikibase Reuse Team.Apr 27 2026, 9:13 AM
Ifrahkhanyaree_WMDE moved this task from Incoming tickets outside WPP to To polish on the Wikibase Reuse Team board.Apr 28 2026, 7:08 AM
Ifrahkhanyaree_WMDE subscribed.EditedMay 5 2026, 2:46 PM

@LucasWerkmeister hiya, sorry that I'm getting to this just now but let me see if I understood you correctly. You'd want the REST API to check on the server side whether a user has bot permissions or not, and if they do not they'd get an error (?) or the edit goes through but gets marked as "user" and if they do have bot permissions, the edit gets marked with bot? and this is in the scenario that they ARE using a tool (quickstatements 3.0 as an example)

Edited because I pressed submit too early -.-

LucasWerkmeister updated the task description. (Show Details)May 9 2026, 11:16 AM
In T421631#11889934, @Ifrahkhanyaree_WMDE wrote:

You'd want the REST API to check on the server side whether a user has bot permissions or not, and if they do not they'd get an error (?)

No, that’s the current behavior.

or the edit goes through but gets marked as "user" and if they do have bot permissions, the edit gets marked with bot?

Yes, that’s how the Action API behaves, and IMHO it’s more useful. This way, a tool or bot can just hard-code sending the bot parameter, and it will be marked as a bot edit if possible.

Jakob_WMDE subscribed.May 11 2026, 10:57 AM
Ifrahkhanyaree_WMDE updated the task description. (Show Details)Tue, May 19, 10:07 AM
Ifrahkhanyaree_WMDE moved this task from To polish to Polished on the Wikibase Reuse Team board.
Jakob_WMDE updated the task description. (Show Details)Tue, May 19, 12:05 PM
Jakob_WMDE set the point value for this task to 8.
Jakob_WMDE moved this task from Polished to Ready for planning on the Wikibase Reuse Team board.
Jakob_WMDE moved this task from Ready for planning to Sprint 70 on the Wikibase Reuse Team board.Wed, May 27, 9:57 AM
Jakob_WMDE edited projects, added: Wikibase Reuse Team (Sprint 70); removed: Wikibase Reuse Team.
Jakob_WMDE updated the task description. (Show Details)Wed, May 27, 12:23 PM
Jakob_WMDE claimed this task.Wed, May 27, 1:56 PM
Jakob_WMDE moved this task from To Do to Doing on the Wikibase Reuse Team (Sprint 70) board.
Jakob_WMDE added a comment.Fri, May 29, 10:47 AM

@LucasWerkmeister I understand the intended behavior but I'm struggling to see what effect this change would have for a tool like QuickStatements. Do people sign in using their bot accounts when they use it?

LucasWerkmeister added a comment.Fri, May 29, 12:08 PM

Yes, e.g. Josh404Bot has the fourth-most batches on QuickStatements:

lucaswerkmeister@tools-bastion-15:~$ sql tools
MariaDB [(none)]> SELECT user, COUNT(*) FROM s53220__quickstatements_p.batch GROUP BY user ORDER BY COUNT(*) DESC LIMIT 25;
+---------+----------+
| user    | COUNT(*) |
+---------+----------+
| 6000635 |    92597 |
| 2858362 |    21355 |
|   24057 |    14683 |
| 5012133 |     8303 |

I haven’t found any “bot” user names in the last 500 QuickStatements 3.0 batches (and AFAICT its toolsdb, unlike QuickStatements’, is not public), but FWIW, QuickCategories also gets occasional bot users (mainly one, admittedly):

lucaswerkmeister@tools-bastion-15:~$ become quickcategories
tools.quickcategories@tools-bastion-15:~$ sql tools
MariaDB [s53976__quickcategories]> SELECT localuser_user_name, COUNT(*) FROM batch JOIN localuser ON batch_localuser = localuser_id WHERE localuser_user_name LIKE '%Bot' GROUP BY localuser_user_name ORDER BY COUNT(*) DESC LIMIT 3;
+---------------------+----------+
| localuser_user_name | COUNT(*) |
+---------------------+----------+
| PereBot             |      998 |
| CañaBot             |       17 |
| MatSuBot            |       16 |
+---------------------+----------+
3 rows in set (0,010 sec)
Jakob_WMDE added a comment.Fri, May 29, 12:10 PM

That makes sense, thank you!

gerritbot added a comment.Fri, May 29, 1:22 PM

Change #1295461 had a related patch set uploaded (by Jakob; author: Jakob):

[mediawiki/extensions/Wikibase@master] CRUD: Don't reject bot flag requests made by non-bots

https://gerrit.wikimedia.org/r/1295461

gerritbot added a project: Patch-For-Review.Fri, May 29, 1:22 PM
Jakob_WMDE moved this task from Doing to Peer Review on the Wikibase Reuse Team (Sprint 70) board.Fri, May 29, 3:19 PM
gerritbot added a comment.Mon, Jun 1, 11:24 AM

Change #1295461 merged by jenkins-bot:

[mediawiki/extensions/Wikibase@master] CRUD: Don't reject bot flag requests made by non-bots

https://gerrit.wikimedia.org/r/1295461

Maintenance_bot removed a project: Patch-For-Review.Mon, Jun 1, 11:30 AM
Jakob_WMDE moved this task from Peer Review to Product Verification on the Wikibase Reuse Team (Sprint 70) board.Tue, Jun 2, 9:02 AM
Ifrahkhanyaree_WMDE moved this task from User feedback to Happening now on the Wikibase REST API (WPP) board.Fri, Jun 5, 6:35 AM
Jakob_WMDE added a comment.Fri, Jun 5, 10:01 AM

I made a PR for QuickStatements 3.0 to send "bot": true for all edits: https://github.com/wikimediabrasil/quickstatements3/pull/440

Arcstur subscribed.Mon, Jun 8, 7:46 PM

And merged! :D

Ifrahkhanyaree_WMDE moved this task from Product Verification to Done on the Wikibase Reuse Team (Sprint 70) board.Tue, Jun 9, 7:53 AM
Ifrahkhanyaree_WMDE closed this task as Resolved.Thu, Jun 11, 10:44 AM
Ifrahkhanyaree_WMDE moved this task from Happening now to Done on the Wikibase REST API (WPP) board.Thu, Jun 11, 3:48 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits