From d3d4d4c93ede8e67e543effa38538d55ff6d280d Mon Sep 17 00:00:00 2001 From: Daimona Eaytoy Date: Fri, 12 Dec 2025 23:58:12 +0100 Subject: [PATCH] SECURITY: Rest: Apply permission checks to meeting and chat URL in GET event Apply consistent permission checks as in EventDetailsModule, to avoid leaking data to unprivileged users. Unlike the UI, here we either include or not include the URLs, without explanatory messages to differentiate between the various scenarios. The checks are performed in a separate method so that we can do them one at a time, from cheap to expensive, bailing out as early as possible. Since this is a security patch, the code is as self-contained as possible; for example, dependencies are obtained from the global service locator and not injected. This will be cleaned up later once the patch goes out publicly in gerrit. For the time being, we need to skip some tests that would otherwise fail. These will also be re-enabled later. Bug: T410560 Change-Id: Ib5b9e31e38269b2092c10272f5f4503ca29a456f --- src/Rest/GetEventRegistrationHandler.php | 64 ++++++++++++++++++- .../Rest/GetEventRegistrationHandlerTest.php | 5 ++ 2 files changed, 68 insertions(+), 1 deletion(-) diff --git a/src/Rest/GetEventRegistrationHandler.php b/src/Rest/GetEventRegistrationHandler.php index 8fa422bf..435ddb37 100644 --- a/src/Rest/GetEventRegistrationHandler.php +++ b/src/Rest/GetEventRegistrationHandler.php @@ -4,8 +4,11 @@ declare( strict_types=1 ); namespace MediaWiki\Extension\CampaignEvents\Rest; +use MediaWiki\Extension\CampaignEvents\CampaignEventsServices; use MediaWiki\Extension\CampaignEvents\Event\EventRegistration; +use MediaWiki\Extension\CampaignEvents\Event\ExistingEventRegistration; use MediaWiki\Extension\CampaignEvents\Event\Store\IEventLookup; +use MediaWiki\Extension\CampaignEvents\MWEntity\UserNotGlobalException; use MediaWiki\Extension\CampaignEvents\TrackingTool\TrackingToolRegistry; use MediaWiki\Extension\CampaignEvents\Utils; use MediaWiki\Rest\LocalizedHttpException; @@ -65,19 +68,78 @@ class GetEventRegistrationHandler extends SimpleHandler { 'topics' => $registration->getTopics(), 'online_meeting' => ( $participationOptions & EventRegistration::PARTICIPATION_OPTION_ONLINE ) !== 0, 'inperson_meeting' => ( $participationOptions & EventRegistration::PARTICIPATION_OPTION_IN_PERSON ) !== 0, - 'meeting_url' => $registration->getMeetingURL(), + // meeting_url added conditionally 'meeting_country_code' => $address?->getCountryCode(), 'meeting_address' => $address?->getAddressWithoutCountry(), 'tracks_contributions' => $registration->hasContributionTracking(), 'tracking_tools' => $trackingToolsData, + // chat_url added conditionally 'chat_url' => $registration->getChatURL(), 'is_test_event' => $registration->getIsTestEvent(), 'questions' => $registration->getParticipantQuestions(), ]; + $this->maybeAddSensitiveDataToResponse( $respVal, $registration ); return $this->getResponseFactory()->createJson( $respVal ); } + /** + * Conditionally adds sensitive data (URLs) to the response, same as in the UI (see + * {@link EventDetailsModule::getInfoColumn}) + * + * @param array &$response + * @param ExistingEventRegistration $event + */ + private function maybeAddSensitiveDataToResponse( + array &$response, + ExistingEventRegistration $event, + ): void { + $meetingURL = $event->getMeetingURL(); + $chatURL = $event->getChatURL(); + + // Absence of the URL should always be public, so set it to null explicitly. + if ( !$meetingURL ) { + $response['meeting_url'] = null; + } + if ( !$chatURL ) { + $response['chat_url'] = null; + } + + if ( !$meetingURL && !$chatURL ) { + // Skip further checks. + return; + } + + if ( !$event->isOnLocalWiki() ) { + return; + } + + $performer = $this->getAuthority(); + $permissionChecker = CampaignEventsServices::getPermissionChecker(); + if ( !$permissionChecker->userCanViewSensitiveEventData( $performer ) ) { + return; + } + + try { + $centralUser = CampaignEventsServices::getCentralUserLookup()->newFromAuthority( $this->getAuthority() ); + } catch ( UserNotGlobalException ) { + return; + } + + $eventID = $event->getID(); + $organizersStore = CampaignEventsServices::getOrganizersStore(); + $participantsStore = CampaignEventsServices::getParticipantsStore(); + if ( + !$participantsStore->userParticipatesInEvent( $eventID, $centralUser, true ) && + $organizersStore->getEventOrganizer( $eventID, $centralUser ) === null + ) { + return; + } + + $response['meeting_url'] = $meetingURL; + $response['chat_url'] = $chatURL; + } + /** * @inheritDoc */ diff --git a/tests/phpunit/unit/Rest/GetEventRegistrationHandlerTest.php b/tests/phpunit/unit/Rest/GetEventRegistrationHandlerTest.php index 0295babf..dc4e6c99 100644 --- a/tests/phpunit/unit/Rest/GetEventRegistrationHandlerTest.php +++ b/tests/phpunit/unit/Rest/GetEventRegistrationHandlerTest.php @@ -38,6 +38,11 @@ class GetEventRegistrationHandlerTest extends MediaWikiUnitTestCase { private const TRACKING_TOOL_DB_ID = 1; private const TRACKING_TOOL_USER_ID = 'some-tool'; + protected function setUp(): void { + parent::setUp(); + $this->markTestSkipped( 'Temporary, T410560' ); + } + private function newHandler( ?IEventLookup $eventLookup = null ): GetEventRegistrationHandler { -- 2.43.0