Permissions info should not be stored in JSON
Closed, Declined · Public

Description

Although "user" is treated correctly, the "permissions" object is currently written and returned directly from the JSON.

It should also be stripped on create/update, and generated from the user column in populateAnnotation. This is for security reasons; as is, the owner of the annotation can, e.g., give update and admin rights to anyone.


Version: unspecified
Severity: normal

Details

Reference
bz53068

Event Timeline

bzimport raised the priority of this task from to Low. Nov 22 2014, 2:00 AM
bzimport set Reference to bz53068.

Also, $annotation->user should start as an empty object (so there are no stray properties besides id and username).
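The handling requested in the description and in the comment above, as an added example that is not code from the Annotator extension: client-supplied `user` and `permissions` are dropped before storage and rebuilt from the trusted user column on read. The function names, the row values passed in, and the `read`/`update`/`delete`/`admin` permissions shape are assumptions made for illustration.

```php
<?php
// Added example; not code from the Annotator extension. Function names,
// the row values and the permissions shape are assumptions.

/** Drop client-controlled identity and ACL fields before the JSON is stored. */
function stripClientAuthFields( string $rawJson ): string {
	$annotation = json_decode( $rawJson );
	if ( !( $annotation instanceof stdClass ) ) {
		throw new InvalidArgumentException( 'annotation must be a JSON object' );
	}
	// Neither field is trusted input, so neither is ever written to storage.
	unset( $annotation->permissions, $annotation->user );
	return json_encode( $annotation );
}

/** Rebuild user and permissions from the trusted user column on read. */
function populateAnnotationFromRow( string $storedJson, int $userId, string $username ): stdClass {
	$annotation = json_decode( $storedJson );
	if ( !( $annotation instanceof stdClass ) ) {
		throw new UnexpectedValueException( 'stored annotation is not a JSON object' );
	}
	// Start from an empty object so only id and username are present.
	$annotation->user = new stdClass();
	$annotation->user->id = $userId;
	$annotation->user->username = $username;
	// Assumed policy: no read restriction, only the owner may change the annotation.
	$annotation->permissions = (object)[
		'read' => [],
		'update' => [ $userId ],
		'delete' => [ $userId ],
		'admin' => [ $userId ],
	];
	return $annotation;
}

// Constructed request body: the owner (id 7) tries to grant update and admin
// rights to user 99 and adds a stray property to the user object.
$submitted = '{"text":"note","user":{"id":7,"isAdmin":true},'
	. '"permissions":{"update":[7,99],"admin":[7,99]}}';

$stored = stripClientAuthFields( $submitted );
$returned = populateAnnotationFromRow( $stored, 7, 'Alice' );

echo $stored, "\n";
echo json_encode( $returned->user ), "\n";
echo json_encode( $returned->permissions ), "\n";
```

Running the same strip step on both the create and the update path matters, because an update that skips it reintroduces the client-controlled permissions.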

Change 110378 had a related patch set uploaded by Chiborg:
Remove permission info from JSON

https://gerrit.wikimedia.org/r/110378

Aklapper added subscribers: Rjain, Aklapper.

@Rjain: I am resetting the assignee of this task because there has not been progress lately (please correct me if I am wrong!).
Resetting the assignee avoids the impression that somebody is already working on this task. It also allows others to potentially work towards fixing this task.
Please claim this task again when you plan to work on it (via Add Action...Assign / Claim in the dropdown menu) - it would be welcome! Thanks for your understanding!

MarcoAurelio subscribed.

Declining per T189753: Archive the Annotator extension. The extension is no longer maintained and has been archived.