...also adds policies on who can view and who can edit an action. Fixes T6949.
Details
- Reviewers: epriestley
- Maniphest Tasks: T6949: Hide OAuth server secrets behind "Show Secret" to defuse screenshot/over-the-shoulder leaks
- Commits: Restricted Diffusion Commit rP1cc81b1d0ae4: OAuthServer - hide client secret behind a "View Secret" action
Viewed a secret through the new UI and it worked.
Diff Detail
- Repository: rP Phabricator
- Lint: Not Applicable
- Unit Tests: Not Applicable
Event Timeline
resources/sql/autopatches/20150114.oauthserver.client.policy.sql

| Line | Comment |
|---|---|
| 6 | These could maybe be admin since no one is using this, probably, so it's cool to break behavior? I'd also have to make the default be admin in the app code. |

resources/sql/autopatches/20150114.oauthserver.client.policy.sql

| Line | Comment |
|---|---|
| 6 | I think "users" is a sensible default. |
| 12 | This could be editPolicy = creatorPHID (only allow the user who created the object to edit it), which I think mostly preserves existing behavior. |

src/applications/oauthserver/controller/client/PhabricatorOAuthClientEditController.php

| Line | Comment |
|---|---|
| 34 | This should probably set defaults -- I guess USERS for view, and the viewer's PHID for edit? |
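As an added illustration of the defaults discussed in the comments on the autopatch above (this is example code, not the revision's own patch, which is not shown on this page), a migration that adds the two policy columns and backfills existing rows so that no client is left with an empty policy; it assumes the table is `{$NAMESPACE}_oauth_server.oauth_server_client` and already has a `creatorPHID` column.

```sql
-- Example migration (assumed table and column names, not the page's patch).
-- 1. Add the view policy column, then backfill existing rows with the
--    "users" policy so every logged-in user can still see the client.
ALTER TABLE {$NAMESPACE}_oauth_server.oauth_server_client
  ADD viewPolicy VARBINARY(64) NOT NULL;

UPDATE {$NAMESPACE}_oauth_server.oauth_server_client
  SET viewPolicy = 'users'
  WHERE viewPolicy = '';

-- 2. Add the edit policy column, then backfill it with the creator's PHID
--    so only the user who created each client may edit it (least privilege
--    for the row that holds the client secret). The WHERE guard keeps the
--    UPDATE idempotent if the patch is re-run.
ALTER TABLE {$NAMESPACE}_oauth_server.oauth_server_client
  ADD editPolicy VARBINARY(64) NOT NULL;

UPDATE {$NAMESPACE}_oauth_server.oauth_server_client
  SET editPolicy = creatorPHID
  WHERE editPolicy = '';
```

New clients created through the edit controller should set the same two defaults in application code, otherwise rows inserted after the patch would again carry empty policies.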