CVE-2021-36129

An attacker with the `translate-manage` right sends an API request to the Aggregategroups module with `action=remove` and an arbitrary `aggregategroup` parameter. Because the module does not validate that the supplied group belongs to the caller or that the caller is allowed to delete its metadata, the request reaches `TranslateMetadata::set` and silently deletes all rows for that group from the `translate_metadata` table. The advisory [ref_id=1] shows real-world binlog evidence of such deletions occurring on May 8, 2021, where rows for `page-Wikimedia CEE Spring 2021` (maxid, priorityforce, prioritylangs, priorityreason, transclusion, version) were removed without any corresponding log entry.

The Aggregategroups Action API module in the Translate extension (MediaWiki through 1.36) fails to validate the `aggregategroup` parameter when `action=remove` is set. The advisory [ref_id=1] identifies the vulnerable function as `TranslateMetadata::set`, which issues `DELETE` queries against the `translate_metadata` table without verifying that the caller is authorized to remove metadata for the specified group.

The patch adds validation of the `aggregategroup` parameter when `action=remove` is used, ensuring that only authorized groups can have their metadata deleted. Without this check, any user with the `translate-manage` right could remove metadata for any group, including translatable page groups they do not own, causing silent data loss. The advisory [ref_id=1] confirms that the deletion was performed through `TranslateMetadata::set` and left no trace in the logging table.