Diffusion Phabricator 698ada2470b1

Correct overbroad automatic capability grant of global settings objects
698ada2470b1
Actions

Tags

None

Referenced Files

None

Subscribers

None

Description

Correct overbroad automatic capability grant of global settings objects

Summary:
Ref T13679. In D16983, global settings objects were given an exception to let logged-out users see them, even on installs with no "public" user role.

This exception is too broad and grants everyone all capabilities, not just "CAN_VIEW". In particular, it incorrectly grants "CAN_EDIT", so any user can edit global settings defaults.

Restrict this grant to "CAN_VIEW".

Test Plan:

As a non-administrator, tried to edit global settings.
Before: could.
After: could not.

Maniphest Tasks: T13679

Differential Revision: https://secure.phabricator.com/D21811

Details

Provenance

epriestley	Authored on May 9 2022, 10:00 PM
epriestley	Pushed on May 9 2022, 10:10 PM

Differential Revision

D21811: Correct overbroad automatic capability grant of global settings objects

Parents

rP01253d533bbc: Prevent embedded remarkup content from cycling when it contains embedded self…

Branches

Unknown

Tags

Unknown

Tasks

T13679: Non-administrators can incorrectly edit default global settings

Event Timeline

epriestley committed rP698ada2470b1: Correct overbroad automatic capability grant of global settings objects (authored by epriestley).May 9 2022, 10:10 PM

epriestley added a task: T13679: Non-administrators can incorrectly edit default global settings.

epriestley added an edge: D21811: Correct overbroad automatic capability grant of global settings objects.

Changes (1)

Path

Size

src/

applications/

settings/

storage/

PhabricatorUserPreferences.php

rP698ada2470b1

src/applications/settings/storage/PhabricatorUserPreferences.php

Loading...