Page MenuHomePhabricator

Add some missing capability checks for repository mirror edits
ClosedPublic

Authored by epriestley on Dec 10 2014, 5:04 PM.
Tags
None
Referenced Files
Unknown Object (File)
Wed, Mar 6, 9:55 AM
Unknown Object (File)
Jan 24 2024, 3:13 AM
Unknown Object (File)
Jan 10 2024, 5:06 PM
Unknown Object (File)
Dec 30 2023, 5:36 PM
Unknown Object (File)
Dec 26 2023, 7:37 PM
Unknown Object (File)
Dec 25 2023, 7:45 PM
Unknown Object (File)
Dec 23 2023, 9:19 AM
Unknown Object (File)
Dec 15 2023, 2:37 PM
Subscribers

Details

Summary

Via HackerOne. These endpoints have insufficient policy checks.

Test Plan

Verified endpoints now check policies correctly.

Diff Detail

Repository
rP Phabricator
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

epriestley retitled this revision from to Add some missing capability checks for repository mirror edits.
epriestley updated this object.
epriestley edited the test plan for this revision. (Show Details)
epriestley added a reviewer: btrahan.

The underlying edit check in the Editor prevents this from being materially bad. An attacker could remove a mirror (annoying), but can't add or edit a mirror (which would have been severe).

btrahan edited edge metadata.
This revision is now accepted and ready to land.Dec 10 2014, 9:29 PM
This revision was automatically updated to reflect the committed changes.