Check read permissions for from and to revision in comparison endpoint
Closed, Declined; Public

Description
In the MediaWiki REST API comparison endpoint, we're not checking the read permissions for the from and to revision.

Requirements

  • Implement read permission checks for the from and to revision
  • Add integration test covering this behaviour

Event Timeline

eprodromou added a subscriber: daniel.

@daniel You say "pages", but this endpoint is defined for comparison across revisions of a single page. I assume we need one permission check for the page, and a second and third for each revision?

Ah, right, in the new API both revisions always belong to the same page. In that case, it's sufficient to check the 'read' permission for that page. The permission checks that enforce revision suppression are built into the storage backend.

It would be worth considering to do away with this inconsistency, and also enforce the 'read' permission at the storage layer level. That would resolve a lot of long standing issues around T88016: Handle read access for private wikis. But that's a tangential can of worms.

WDoranWMF triaged this task as Medium priority. Oct 16 2019, 1:56 PM
WDoranWMF updated the task description.
WDoranWMF moved this task from Backlog to Next Sprint on the Platform Team Workboards (Green) board.
WDoranWMF added a subscriber: WDoranWMF.

This is being declined in favour of T235663, as permission checks already exist for from and to use case but not for page read itself.
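The layering discussed in this task (one 'read' check for the page at the endpoint, revision suppression enforced by the storage backend) is sketched below as an added example; it is a simplified model, not MediaWiki code. The class and function names, the `public_pages` allowlist and the sample revisions are assumptions constructed for illustration.

```python
import difflib
from dataclasses import dataclass

class Forbidden(Exception):
    """Stands in for an HTTP 403 response."""

@dataclass(frozen=True)
class Revision:
    rev_id: int
    page: str
    text: str
    suppressed: bool = False

class RevisionStore:
    """Storage layer (model): enforces revision suppression only, not page 'read'."""
    def __init__(self, revisions):
        self._revs = {r.rev_id: r for r in revisions}

    def page_of(self, rev_id):
        return self._revs[rev_id].page

    def text_for(self, rev_id, rights):
        rev = self._revs[rev_id]
        if rev.suppressed and "viewsuppressed" not in rights:
            raise Forbidden(f"revision {rev_id} is suppressed")
        return rev.text

def compare(store, rights, from_id, to_id, public_pages=frozenset()):
    """Endpoint layer (model): one 'read' check for the page, then delegate to storage."""
    page = store.page_of(from_id)
    if store.page_of(to_id) != page:
        raise ValueError("both revisions must belong to the same page")
    if "read" not in rights and page not in public_pages:
        raise Forbidden(f"no read access to page {page!r}")
    old = store.text_for(from_id, rights).splitlines()
    new = store.text_for(to_id, rights).splitlines()
    return list(difflib.unified_diff(old, new, lineterm=""))

# Constructed sample data for a private wiki (hypothetical page and users).
STORE = RevisionStore([
    Revision(1, "Budget", "total: 100"),
    Revision(2, "Budget", "total: 250"),
    Revision(3, "Budget", "total: 250\nowner: alice", suppressed=True),
])
ANON, MEMBER, OVERSIGHT = set(), {"read"}, {"read", "viewsuppressed"}

def outcome(rights, from_id, to_id):
    """Return the diff lines, or a '403: ...' string when access is refused."""
    try:
        return compare(STORE, rights, from_id, to_id)
    except Forbidden as exc:
        return f"403: {exc}"
```

Dropping the page-level check in `compare` would let `ANON` diff revisions 1 and 2, since the storage layer in this model only knows about suppression; that is the kind of case an integration test for the endpoint would cover.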