Page MenuHomePhabricator

Add some missing capability checks for repository mirror edits
ClosedPublic

Authored by epriestley on Dec 10 2014, 5:04 PM.
Tags
None
Referenced Files
Unknown Object (File)
Fri, Dec 20, 9:12 AM
Unknown Object (File)
Thu, Dec 19, 1:22 PM
Unknown Object (File)
Thu, Dec 19, 1:22 PM
Unknown Object (File)
Thu, Dec 12, 7:30 AM
Unknown Object (File)
Nov 30 2024, 8:08 AM
Unknown Object (File)
Nov 25 2024, 5:58 AM
Unknown Object (File)
Nov 23 2024, 11:33 PM
Unknown Object (File)
Nov 21 2024, 12:28 AM
Subscribers

Details

Summary

Via HackerOne. These endpoints have insufficient policy checks.

Test Plan

Verified endpoints now check policies correctly.

Diff Detail

Repository
rP Phabricator
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

epriestley retitled this revision from to Add some missing capability checks for repository mirror edits.
epriestley updated this object.
epriestley edited the test plan for this revision. (Show Details)
epriestley added a reviewer: btrahan.

The underlying edit check in the Editor prevents this from being materially bad. An attacker could remove a mirror (annoying), but can't add or edit a mirror (which would have been severe).

btrahan edited edge metadata.
This revision is now accepted and ready to land.Dec 10 2014, 9:29 PM
This revision was automatically updated to reflect the committed changes.