Page MenuHomePhabricator
Create Task
Maniphest T321807

action=growthsetmentor ignores blocks
Closed, ResolvedPublicSecurity
Actions

Description

While working on T321799, I noticed that action=growthsetmentor API ignores blocks, ie. blocked users can make use of the API.

In the case of action=growthsetmentor, this means:

  • Blocked mentors can harass users by claiming them (this triggers notifications)
  • Blocked mentees can change their own mentor (this does not trigger any notification, so the only issue is the entries in Special:Log).

Details

Author Affiliation
WMF Product
SubjectRepoBranchLines +/-
ApiSetMentor: Respect blocksmediawiki/extensions/GrowthExperimentsmaster+6 -0
Customize query in gerrit

Related Objects
Search...

StatusSubtypeAssignedTask
Restricted Task
 ResolvedSecurity Urbanecm_WMFT321807 action=growthsetmentor ignores blocks

Event Timeline

Urbanecm_WMF claimed this task.Oct 27 2022, 1:44 PM
Urbanecm_WMF triaged this task as High priority.
Urbanecm_WMF created this task.
Urbanecm_WMF added projects: GrowthExperiments-Mentorship, Growth-Team (Sprint 0 (Growth Team)).
Urbanecm_WMF updated the task description. (Show Details)Oct 27 2022, 1:46 PM
Urbanecm_WMF added a subscriber: Maintenance_bot.Oct 27 2022, 1:49 PM
Maintenance_bot moved this task from New Tasks to In Progress on the GrowthExperiments-Mentorship board.Oct 27 2022, 1:55 PM
sbassett edited projects, added SecTeam-Processed, Vuln-MissingAuthz; removed Security-Team.Nov 1 2022, 6:43 PM
KStoller-WMF changed the task status from Open to In Progress.Nov 3 2022, 9:01 PM
KStoller-WMF moved this task from Incoming to In Progress on the Growth-Team (Sprint 0 (Growth Team)) board.
Urbanecm_WMF added a subscriber: gerritbot.Dec 1 2022, 7:20 PM
gerritbot added a comment.Dec 1 2022, 7:21 PM

Change 863025 had a related patch set uploaded (by Urbanecm; author: Urbanecm):

[mediawiki/extensions/GrowthExperiments@master] ApiSetMentor: Respect blocks

https://gerrit.wikimedia.org/r/863025

gerritbot added a project: Patch-For-Review.Dec 1 2022, 7:21 PM
Urbanecm changed the visibility from "Custom Policy" to "Public (No Login Required)".Dec 1 2022, 7:22 PM
Urbanecm changed the edit policy from "Custom Policy" to "All Users".
kostajh moved this task from In Progress to QA on the Growth-Team (Sprint 0 (Growth Team)) board.Dec 2 2022, 11:39 AM
gerritbot added a comment.Dec 2 2022, 11:58 AM

Change 863025 merged by jenkins-bot:

[mediawiki/extensions/GrowthExperiments@master] ApiSetMentor: Respect blocks

https://gerrit.wikimedia.org/r/863025

ReleaseTaggerBot added a project: MW-1.40-notes (1.40.0-wmf.13; 2022-12-05).Dec 2 2022, 12:00 PM
Maintenance_bot removed a project: Patch-For-Review.Dec 2 2022, 12:31 PM
Urbanecm_WMF moved this task from In Progress to Ready for QA on the GrowthExperiments-Mentorship board.Dec 2 2022, 6:45 PM
Urbanecm_WMF closed this task as Resolved.Feb 2 2023, 10:22 PM
Urbanecm_WMF removed a subscriber: MShilova_WMF.Jul 31 2023, 6:03 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits