Page MenuHomePhabricator
Create Task
Maniphest T415108

Apply proper permission checks for meeting and chat URLs in GET event endpoint
Open, Needs TriagePublic
Actions

Description

In T410560, the meeting and chat URLs have been removed from the "GET event" endpoint because we weren't applying proper permission checks to them. Now that the immediate leak has been addressed, this task tracks the follow-up work of restoring those fields in the response with proper permission checks.

Acceptance criteria

  • Meeting and chat URL in the "GET event" endpoint response should be subject to the same permission checks as the UI (user must not be blocked and either organizer or participant; and the event should be on the current wiki):
    • When there is no URL, the value shall always be null regardless of permissions
    • When there is an URL, the field shall be set in the response iff the user has the necessary permissions
  • The endpoint documentation should be updated.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Rest: Apply permission checks to meeting and chat URL in GET eventmediawiki/extensions/CampaignEventsmaster+232 -6
Customize query in gerrit

Related Objects

Event Timeline

Daimona created this task.Jan 20 2026, 6:26 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 20 2026, 6:26 PM
Daimona moved this task from Upcoming / refining 💡 to Code Review 💬 on the Connection-Team (Connection-Current-Sprint) board.Jan 20 2026, 6:26 PM
gerritbot added a comment.Jan 20 2026, 6:26 PM

Change #1225026 had a related patch set uploaded (by Daimona Eaytoy; author: Daimona Eaytoy):

[mediawiki/extensions/CampaignEvents@master] Rest: Apply permission checks to meeting and chat URL in GET event

https://gerrit.wikimedia.org/r/1225026

gerritbot added a project: Patch-For-Review.Jan 20 2026, 6:26 PM
Daimona claimed this task.Jan 20 2026, 6:26 PM
Daimona mentioned this in T410560: CVE-2026-0817: CampaignEvents API missing authorization exposes meeting and chat URLs.
gerritbot added a comment.Jan 21 2026, 2:40 PM

Change #1225026 merged by jenkins-bot:

[mediawiki/extensions/CampaignEvents@master] Rest: Apply permission checks to meeting and chat URL in GET event

https://gerrit.wikimedia.org/r/1225026

Daimona moved this task from Code Review 💬 to QA 🐛 on the Connection-Team (Connection-Current-Sprint) board.Jan 21 2026, 3:22 PM
Maintenance_bot removed a project: Patch-For-Review.Jan 21 2026, 3:31 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits