Differential D10957

Add some missing capability checks for repository mirror edits
ClosedPublic
Actions

Authored by epriestley on Dec 10 2014, 5:04 PM.

Details

Reviewers

btrahan

Commits

Restricted Diffusion Commit
rPd151c88040d1: Add some missing capability checks for repository mirror edits

Summary

Via HackerOne. These endpoints have insufficient policy checks.

Test Plan

Verified endpoints now check policies correctly.

Diff Detail

Repository

rP Phabricator

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

epriestley updated this revision to Diff 26311.Dec 10 2014, 5:04 PM

epriestley retitled this revision from to Add some missing capability checks for repository mirror edits.

epriestley updated this object.

epriestley edited the test plan for this revision. (Show Details)

epriestley added a reviewer: btrahan.

Herald added a subscriber: epriestley. · View Herald TranscriptDec 10 2014, 5:04 PM

The underlying edit check in the Editor prevents this from being materially bad. An attacker could remove a mirror (annoying), but can't add or edit a mirror (which would have been severe).

btrahan accepted this revision.Dec 10 2014, 9:29 PM

btrahan edited edge metadata.

This revision is now accepted and ready to land.Dec 10 2014, 9:29 PM

Closed by commit rPd151c88040d1: Add some missing capability checks for repository mirror edits (authored by epriestley, committed by epriestley). · Explain WhyDec 10 2014, 11:24 PM

This revision was automatically updated to reflect the committed changes.

Revision Contents
Changeset List

Path

Size

src/

applications/

diffusion/

controller/

DiffusionMirrorDeleteController.php

5 lines

DiffusionMirrorEditController.php

10 lines

Diff 26324

View Options

src/applications/diffusion/controller/DiffusionMirrorDeleteController.php