Page MenuHomePhabricator
Create Task
Maniphest T321723

Implement permission checks to determine if user should be able to see privately registered participants
Closed, ResolvedPublic1 Estimated Story Points
Actions

Description

This is only for the backend code, and would not be exposed in the UI or anywhere else.

Acceptance criteria

  • Only the organizer of an event should be able to see privately registered participants
  • If the organizer is blocked, they should not be able to see private registrations
    • Note: This would occur if the organizer is blocked after they create the event and enable registration

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Implement perm check to determine if user can see private participantsmediawiki/extensions/CampaignEventsmaster+60 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

Daimona created this task.Oct 26 2022, 6:30 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 26 2022, 6:30 PM
Daimona renamed this task from Determine if a blocked organizer should be able to see privately registered participants to Implement permission checks to determine if user should be able to see privately registered participants.Oct 26 2022, 6:33 PM
Daimona claimed this task.
Daimona updated the task description. (Show Details)
Daimona added a parent task: T316405: [EPIC] Allow participant option of joining event privately.
gerritbot added a comment.Oct 26 2022, 9:07 PM

Change 849656 had a related patch set uploaded (by Daimona Eaytoy; author: Daimona Eaytoy):

[mediawiki/extensions/CampaignEvents@master] [WIP] Implement perm check to determine if user can see private participants

https://gerrit.wikimedia.org/r/849656

gerritbot added a project: Patch-For-Review.Oct 26 2022, 9:07 PM
Daimona set the point value for this task to 1.Oct 26 2022, 9:07 PM

(The patch is WIP due to the question in the task description)

Daimona added a comment.EditedOct 28 2022, 2:19 PM

TBD: What if the organizer was blocked?

@ifried Do we have an answer on this? If not, can we just disallow blocked organizers for now?

Daimona added a subscriber: ifried.Oct 28 2022, 2:20 PM
vyuen moved this task from Backlog to V1 (MVP) on the Campaign-Registration board.Oct 31 2022, 4:46 PM
vyuen changed the task status from Open to In Progress.Oct 31 2022, 4:52 PM
vyuen moved this task from Upcoming / refining 💡 to Development In Progress 💻 on the Connection-Team (Connection-Current-Sprint) board.
ifried updated the task description. (Show Details)Nov 2 2022, 1:03 PM
Daimona moved this task from Development In Progress 💻 to Code Review 💬 on the Connection-Team (Connection-Current-Sprint) board.Nov 2 2022, 10:46 PM
gerritbot added a comment.Nov 3 2022, 10:23 AM

Change 849656 merged by jenkins-bot:

[mediawiki/extensions/CampaignEvents@master] Implement perm check to determine if user can see private participants

https://gerrit.wikimedia.org/r/849656

Daimona mentioned this in rUCAMc5cce3ac86f4: Implement perm check to determine if user can see private participants.Nov 3 2022, 10:24 AM
Maintenance_bot removed a project: Patch-For-Review.Nov 3 2022, 10:30 AM
ReleaseTaggerBot added a project: MW-1.40-notes (1.40.0-wmf.10; 2022-11-14).Nov 3 2022, 11:00 AM
Daimona moved this task from Code Review 💬 to QA 🐛 on the Connection-Team (Connection-Current-Sprint) board.Nov 3 2022, 12:28 PM

This can be tested indirectly together with T321625.

vaughnwalters subscribed.EditedNov 4 2022, 8:27 PM

✅ Only the organizer of an event should be able to see privately registered participants

See test notes at T321625#8368773 which went through this (it is working as expected)

✅ If the organizer is blocked, they should not be able to see private registrations

Organizer blocked after creating event and cannot see private participants:

Screen Shot 2022-11-04 at 2.34.18 PM.png (1×1 px, 241 KB)

@Daimona when the organizer is blocked after creating an event, they can still see publicly registered participants with ?include_private=false (just like any non-organizer would be able to see, or when logged out and viewing the event). I believe this is the correct behavior, but checking to make sure?

Daimona added a comment.Nov 4 2022, 8:37 PM
In T321723#8371373, @vaughnwalters wrote:

@Daimona when the organizer is blocked after creating an event, they can still see publicly registered participants with ?include_private=false (just like any non-organizer would be able to see, or when logged out and viewing the event). I believe this is the correct behavior, but checking to make sure?

Yes, because as you mentioned, that information is publicly available.

vaughnwalters closed this task as Resolved.Nov 4 2022, 9:55 PM
vaughnwalters moved this task from QA 🐛 to Done 🏁 on the Connection-Team (Connection-Current-Sprint) board.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits