Maniphest T418025

Validate IDs in donor portal API calls
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	Ejegg
	Feb 20 2026, 9:07 PM

Tags

Referenced Files

None

Subscribers

Description

Ensure donors can only submit recurring-modify queue messages with contact_id and contribution_recur_id that correspond to their checksum link.

Creating this ticket for posterity, as the fix is already up in production
Related gerrit patches:

https://gerrit.wikimedia.org/r/1241025
https://gerrit.wikimedia.org/r/1241028

Related Objects

Mentioned In: T418798: Priorities: Sprint D
T417215: Priorities: Sprint C

Event Timeline

Ejegg created this task.Feb 20 2026, 9:07 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 20 2026, 9:07 PM

Ejegg moved this task from Backlog to Done on the Fundraising Tech - Chaos Crew board.Feb 20 2026, 9:08 PM

Ejegg moved this task from Backlog to Done on the FR-Donor-portal board.

Ejegg moved this task from Triage to Chaos Crew Backlog on the Fundraising-Backlog board.

XenoRyet closed this task as Resolved.Feb 23 2026, 9:01 PM

XenoRyet set Final Story Points to 4.

Damilare mentioned this in T417215: Priorities: Sprint C.Feb 24 2026, 7:16 PM

Damilare mentioned this in T418798: Priorities: Sprint D.Mar 10 2026, 7:12 PM