Page MenuHomePhabricator
Create Task
Maniphest T359946

Make all event-dependent organizer permission checks fail if the event is not local
Closed, ResolvedPublic
Actions

Assigned To
MHorsey-WMF
Authored By
Daimona
Mar 12 2024, 2:55 PM
Tags
Referenced Files
F54567760: Screenshot 2024-05-28 at 4.35.09 PM.png
May 28 2024, 9:45 PM
F54567463: Screenshot 2024-05-28 at 4.31.04 PM.png
May 28 2024, 9:45 PM
F54567610: Screenshot 2024-05-28 at 4.33.26 PM.png
May 28 2024, 9:45 PM
F54567652: Screenshot 2024-05-28 at 4.33.54 PM.png
May 28 2024, 9:45 PM
Subscribers
Aklapper
Daimona
ifried
vaughnwalters

Description

For T323228, we are making it so that all organizer actions (like being able to edit the event, remove participants, send messages, etc.) will have to be made on the wiki where the event was created. While the other subtasks of T323228 cover the UI aspect of this (and also some specific REST API responses), the backend for permission checks should always fail when the event is nonlocal, as a last line of defense.

Acceptance criteria

  • The internal PermissionChecker methods should disallow the action (= return false) for all the following actions when the event is not local:
    • Edit event
    • Delete event
    • Register for event
    • Message participants
    • Remove participants
    • View private participants
    • View participants' non-PII answers
    • View aggregated answers

Note: in theory, it should not be possible to test these changes. As mentioned above, these are just the last line of defense, and the event wiki check should normally be done separately in the interface.

Details

SubjectRepoBranchLines +/-
refactor permissionChecker methods to take ExistingEventRegistrationmediawiki/extensions/CampaignEventsmaster+90 -78
Edit endpoints to use new signature for permission methodsmediawiki/extensions/WikimediaCampaignEventsmaster+6 -6
Reject permission for actions if on non-local wikimediawiki/extensions/CampaignEventsmaster+182 -72
Improve test coverage of PermissionCheckermediawiki/extensions/CampaignEventsmaster+129 -5
Customize query in gerrit

Related Objects
Search...

Event Timeline

Daimona created this task.Mar 12 2024, 2:55 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 12 2024, 2:55 PM
Daimona added a parent task: T323228: [EPIC] Support global implementation for CampaignEvents extension.Mar 12 2024, 2:56 PM
Daimona updated the task description. (Show Details)Mar 13 2024, 5:40 PM
Daimona updated the task description. (Show Details)
gerritbot added a comment.Mar 13 2024, 7:08 PM

Change 1010923 had a related patch set uploaded (by Daimona Eaytoy; author: Daimona Eaytoy):

[mediawiki/extensions/CampaignEvents@master] Improve test coverage of PermissionChecker

https://gerrit.wikimedia.org/r/1010923

gerritbot added a project: Patch-For-Review.Mar 13 2024, 7:08 PM
Daimona added a comment.Mar 14 2024, 4:41 PM

On second thought, I'm not sure if this can be considered a permission thing. Maybe it should be in the behaviour layer instead (i.e., command classes). Need to think about this more.

gerritbot added a comment.Mar 27 2024, 4:43 PM

Change #1010923 merged by jenkins-bot:

[mediawiki/extensions/CampaignEvents@master] Improve test coverage of PermissionChecker

https://gerrit.wikimedia.org/r/1010923

ReleaseTaggerBot added a project: MW-1.42-notes (1.42.0-wmf.25; 2024-04-02).Mar 27 2024, 5:00 PM
Maintenance_bot removed a project: Patch-For-Review.Mar 27 2024, 5:30 PM
Daimona changed the task status from Open to In Progress.Mar 29 2024, 3:51 PM
Daimona moved this task from Upcoming / refining 💡 to Development In Progress 💻 on the Campaigns-Product-Team (Campaign-Tools-Current-Sprint) board.
cmelo moved this task from Development In Progress 💻 to Ready for development on the Campaigns-Product-Team (Campaign-Tools-Current-Sprint) board.Apr 4 2024, 12:21 PM
Daimona removed Daimona as the assignee of this task.Apr 4 2024, 12:21 PM
MHorsey-WMF claimed this task.Apr 16 2024, 2:43 PM
MHorsey-WMF moved this task from Ready for development to Development In Progress 💻 on the Campaigns-Product-Team (Campaign-Tools-Current-Sprint) board.
gerritbot added a comment.Apr 24 2024, 11:50 AM

Change #1023831 had a related patch set uploaded (by Mhorsey; author: Mhorsey):

[mediawiki/extensions/CampaignEvents@master] Reject permission for actions if on non-local wiki

https://gerrit.wikimedia.org/r/1023831

gerritbot added a project: Patch-For-Review.Apr 24 2024, 11:50 AM
MHorsey-WMF moved this task from Development In Progress 💻 to Code Review 💬 on the Campaigns-Product-Team (Campaign-Tools-Current-Sprint) board.Apr 24 2024, 11:53 AM
gerritbot added a comment.Apr 30 2024, 2:30 PM

Change #1025797 had a related patch set uploaded (by Mhorsey; author: Mhorsey):

[mediawiki/extensions/WikimediaCampaignEvents@master] Edit endpoints to use new signature for permission methods

https://gerrit.wikimedia.org/r/1025797

gerritbot added a comment.May 1 2024, 10:14 AM

Change #1026099 had a related patch set uploaded (by Mhorsey; author: Mhorsey):

[mediawiki/extensions/CampaignEvents@master] refactor permissionChecker methods to take ExistingEventRegistration

https://gerrit.wikimedia.org/r/1026099

gerritbot added a comment.May 21 2024, 8:29 PM

Change #1025797 merged by Daimona Eaytoy:

[mediawiki/extensions/WikimediaCampaignEvents@master] Edit endpoints to use new signature for permission methods

https://gerrit.wikimedia.org/r/1025797

MHorsey-WMF mentioned this in rEWCE83048bf912f7: Edit endpoints to use new signature for permission methods.May 21 2024, 8:30 PM
gerritbot added a comment.May 21 2024, 8:34 PM

Change #1023831 merged by jenkins-bot:

[mediawiki/extensions/CampaignEvents@master] Reject permission for actions if on non-local wiki

https://gerrit.wikimedia.org/r/1023831

Daimona moved this task from Code Review 💬 to QA 🐛 on the Campaigns-Product-Team (Campaign-Tools-Current-Sprint) board.May 21 2024, 8:37 PM
ReleaseTaggerBot added a project: MW-1.43-notes (1.43.0-wmf.7; 2024-05-28).May 21 2024, 9:00 PM
gerritbot added a comment.May 22 2024, 10:55 AM

Change #1026099 abandoned by Mhorsey:

[mediawiki/extensions/CampaignEvents@master] refactor permissionChecker methods to take ExistingEventRegistration

Reason:

No longer required

https://gerrit.wikimedia.org/r/1026099

Maintenance_bot removed a project: Patch-For-Review.May 22 2024, 11:30 AM
vaughnwalters moved this task from QA 🐛 to Product sign-off 🖌️ on the Campaigns-Product-Team (Campaign-Tools-Current-Sprint) board.May 28 2024, 9:45 PM
vaughnwalters subscribed.

✅ Edit event

Screenshot 2024-05-28 at 4.33.54 PM.png (820×1 px, 118 KB)

✅ Delete event
Screenshot 2024-05-28 at 4.33.26 PM.png (608×1 px, 118 KB)

✅ Register for event
Screenshot 2024-05-28 at 4.31.04 PM.png (910×2 px, 178 KB)

✅ Message participants
✅ Remove participants
✅ View private participants
✅ View participants' non-PII answers
✅ View aggregated answers
Screenshot 2024-05-28 at 4.35.09 PM.png (1×1 px, 312 KB)

Working as expected, sending to product sign off. Noting that Special:EditEventRegistration does not display the same Please edit your event registration on en.wikipedia.beta.wmflabs.org, the wiki where the event was created. that the other special pages display.

ifried closed this task as Resolved.Jun 7 2024, 7:04 PM
ifried moved this task from Product sign-off 🖌️ to Done 🏁 on the Campaigns-Product-Team (Campaign-Tools-Current-Sprint) board.
ifried subscribed.

The global implementation work is complete and we have released to another wiki (Igbo Wikipedia), so I'm marking this work as Done.

ifried mentioned this in T366969: Update text for Special:EditEventRegistration on non-local wiki.Jun 7 2024, 10:43 PM

Also, thanks for that catch, @vaughnwalters! I have created a separate ticket to update the language in T366969.

vaughnwalters added a comment.Jun 7 2024, 10:57 PM
In T359946#9872611, @ifried wrote:

Also, thanks for that catch, @vaughnwalters! I have created a separate ticket to update the language in T366969.

Ah, sorry Ilana to make you write that ticket - I forgot to tag it here that I created a task for that in T366185! I closed the one I made as a duplicate of the one you just created.

ifried added a comment.Jun 7 2024, 11:01 PM

Aaaaah, okay, sounds good; thanks, @vaughnwalters!

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits