Page Menu
Home
Phabricator
Search
Configure Global Search
Log In
Files
F13198344
D21851.diff
No One
Temporary
Actions
View File
Edit File
Delete File
View Transforms
Subscribe
Mute Notifications
Award Token
Flag For Later
Size
839 B
Referenced Files
None
Subscribers
None
D21851.diff
View Options
diff --git a/src/applications/search/controller/PhabricatorSearchDeleteController.php b/src/applications/search/controller/PhabricatorSearchDeleteController.php
--- a/src/applications/search/controller/PhabricatorSearchDeleteController.php
+++ b/src/applications/search/controller/PhabricatorSearchDeleteController.php
@@ -42,6 +42,19 @@
}
$named_query = $engine->getBuiltinQuery($key);
+
+ // After loading a global query, make sure the viewer actually has
+ // permission to view and edit it.
+
+ PhabricatorPolicyFilter::requireCapability(
+ $viewer,
+ $named_query,
+ PhabricatorPolicyCapability::CAN_VIEW);
+
+ PhabricatorPolicyFilter::requireCapability(
+ $viewer,
+ $named_query,
+ PhabricatorPolicyCapability::CAN_EDIT);
}
$builtin = null;
File Metadata
Details
Attached
Mime Type
text/plain
Expires
Tue, May 14, 5:51 AM (2 w, 4 d ago)
Storage Engine
blob
Storage Format
Encrypted (AES-256-CBC)
Storage Handle
6283307
Default Alt Text
D21851.diff (839 B)
Attached To
Mode
D21851: Fix a policy issue where permissions were not properly checked when disabling global builtin queries
Attached
Detach File
Event Timeline
Log In to Comment