Page MenuHomePhabricator

OAuthServer - hide client secret behind a "View Secret" action
ClosedPublic

Authored by btrahan on Jan 14 2015, 10:51 PM.
Tags
None
Referenced Files
F14034494: D11401.diff
Sun, Nov 10, 12:38 AM
F14021330: D11401.diff
Wed, Nov 6, 7:41 AM
F14011947: D11401.diff
Fri, Nov 1, 6:13 AM
F13996674: D11401.diff
Wed, Oct 23, 11:03 PM
F13987143: D11401.id27385.diff
Mon, Oct 21, 7:43 AM
Unknown Object (File)
Oct 10 2024, 10:21 PM
Unknown Object (File)
Oct 6 2024, 8:48 AM
Unknown Object (File)
Oct 6 2024, 8:48 AM
Subscribers
Tokens
"Doubloon" token, awarded by epriestley.

Details

Summary

...also adds policies on who can view and who can edit an action. Fixes T6949.

Test Plan

viewed a secret through the new UI and it worked

Diff Detail

Repository
rP Phabricator
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

btrahan retitled this revision from to OAuthServer - hide client secret behind a "View Secret" action.
btrahan updated this object.
btrahan edited the test plan for this revision. (Show Details)
btrahan added a reviewer: epriestley.
resources/sql/autopatches/20150114.oauthserver.client.policy.sql
6

these could maybe be admin since no one is using this probably so its cool to break behavior? i'd also have to make the default be admin in the app code.

epriestley edited edge metadata.
epriestley added inline comments.
resources/sql/autopatches/20150114.oauthserver.client.policy.sql
6

I think "users" is a sensible default.

12

This could be editPolicy = creatorPHID (only allow the user who created the object to edit it), which I think mostly preserves existing behavior.

src/applications/oauthserver/controller/client/PhabricatorOAuthClientEditController.php
34

This should probably set defaults -- I guess USERS for view, and the viewer's PHID for edit?

This revision is now accepted and ready to land.Jan 15 2015, 1:08 AM
btrahan edited edge metadata.

changes as requested. thanks!

This revision was automatically updated to reflect the committed changes.