⚓ T142275 Owner-only consumers should not expose the user's email address
Page MenuHomePhabricator
Create Task
Maniphest T142275

Owner-only consumers should not expose the user's email address
Closed, ResolvedPublic
Actions

Description

The email address field of an OAuth application cannot be left empty, cannot differ from the user's verified email address, and is publicly visible, even for owner-only consumers. Not all bot owners might want to publish their wiki email address.

Details

SubjectRepoBranchLines +/-
AccessControl: Hide email and security restrictionsmediawiki/extensions/OAuthmaster+71 -6
Add development stage, refactor approval workflowmediawiki/extensions/OAuthmaster+2 K -753
Customize query in gerrit

Related Objects
Search...

Event Timeline

Tgr created this task.Aug 6 2016, 2:14 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 6 2016, 2:14 AM
Tgr mentioned this in T142276: Owner-only consumers should not appear in lists.Aug 6 2016, 2:25 AM
Tgr mentioned this in T142279: Simplify OAuth registration form for owner-only consumers.Aug 6 2016, 2:29 AM
Tgr added a parent task: T142282: Improve consumer registration experience for bot owners (owner-only consumers).Aug 6 2016, 2:38 AM
Tgr added a comment.Aug 6 2016, 2:41 AM

See also T121330: OAuth consumer registration email address field seems pointless.

JJMC89 subscribed.Aug 6 2016, 3:09 AM
gerritbot subscribed.Oct 17 2016, 8:35 AM

Change 316302 had a related patch set uploaded (by Gergő Tisza):
[WIP] Add development stage, refactor approval workflow

https://gerrit.wikimedia.org/r/316302

gerritbot added a project: Patch-For-Review.Oct 17 2016, 8:35 AM
Tgr moved this task from Backlog to In Dev on the MediaWiki-extensions-OAuth board.Mar 7 2017, 3:19 AM
Pppery edited projects, added Patch-Needs-Improvement; removed Patch-For-Review.Mar 22 2023, 1:59 AM
Tgr added a project: MediaWiki-Platform-Team.Oct 22 2023, 7:54 PM

This is a pretty bad privacy leak and easy to fix.

Aklapper added a project: Privacy Engineering.Oct 22 2023, 8:13 PM
larissagaulia moved this task from Inbox, needs triage to Soon on the MediaWiki-Platform-Team board.Oct 23 2023, 2:58 PM
sguebo_WMF moved this task from Incoming to Watching on the Privacy Engineering board.Oct 30 2023, 2:44 PM
Tgr claimed this task.Jan 2 2024, 10:29 PM
Tgr moved this task from Soon to Current Sprint on the MediaWiki-Platform-Team board.
gerritbot added a comment.Feb 5 2024, 6:07 AM

Change 996975 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/extensions/OAuth@master] AccessControl: Hide email and security restrictions

https://gerrit.wikimedia.org/r/996975

gerritbot added a project: Patch-For-Review.Feb 5 2024, 6:07 AM
Restricted Application removed a project: Patch-Needs-Improvement. · View Herald TranscriptFeb 5 2024, 6:07 AM
gerritbot added a comment.Feb 19 2024, 11:51 AM

Change 996975 merged by jenkins-bot:

[mediawiki/extensions/OAuth@master] AccessControl: Hide email and security restrictions

https://gerrit.wikimedia.org/r/996975

ReleaseTaggerBot added a project: MW-1.42-notes (1.42.0-wmf.19; 2024-02-20).Feb 19 2024, 12:00 PM
Tgr closed this task as Resolved.Feb 19 2024, 1:53 PM
Tgr updated the task description. (Show Details)
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits