Page MenuHomePhabricator
Differential D15944

Prevent locked credentials from being made accessible via conduit
ClosedPublic
Actions

Authored by epriestley on May 18 2016, 7:35 PM.
Tags
None
Referenced Files
Unknown Object (File)
Fri, Apr 12, 2:27 AM
Unknown Object (File)
Thu, Apr 11, 8:31 AM
Unknown Object (File)
Mon, Apr 1, 9:31 AM
Unknown Object (File)
Sat, Mar 30, 11:48 PM
Unknown Object (File)
Fri, Mar 29, 3:27 AM
Unknown Object (File)
Mar 20 2024, 4:23 PM
Unknown Object (File)
Mar 8 2024, 1:32 AM
Unknown Object (File)
Mar 8 2024, 1:32 AM
View All Files
Subscribers
None

Details

Reviewers
chad
Commits
rP36006bcb8fcb: Prevent locked credentials from being made accessible via conduit
Summary

Via HackerOne. Currently, you can use "Lock Permanently" to lock a credential permanently, but you can still enable Conduit API access to it. This directly contradicts both intent of the setting and its description as presented to the user.

Instead:

  • When a credential is locked, revoke Conduit API access.
  • Prevent API access from being enabled for locked credentials.
  • Prevent API access to locked credentials, period.
Test Plan
  • Created a credential.
  • Enabled API access.
  • Locked credential.
  • Saw API access become disabled.
  • Tried to enable API access; was rebuffed.
  • Queried credential via API, wasn't granted access.

Diff Detail

Repository
rP Phabricator
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

epriestley updated this revision to Diff 38387.May 18 2016, 7:35 PM
epriestley retitled this revision from to Prevent locked credentials from being made accessible via conduit.
epriestley updated this object.
epriestley edited the test plan for this revision. (Show Details)
epriestley added a reviewer: chad.
epriestley updated this revision to Diff 38388.May 18 2016, 8:41 PM
  • Fix NoEffect exception if Conduit access is not enabled.
chad accepted this revision.May 18 2016, 9:33 PM
chad edited edge metadata.
This revision is now accepted and ready to land.May 18 2016, 9:33 PM
Closed by commit rP36006bcb8fcb: Prevent locked credentials from being made accessible via conduit (authored by epriestley, committed by epriestley). · Explain WhyMay 18 2016, 9:54 PM
This revision was automatically updated to reflect the committed changes.

Revision Contents
Changeset List

Diff 38393

View Options

src/applications/passphrase/conduit/PassphraseQueryConduitAPIMethod.php

Loading...
View Options

src/applications/passphrase/controller/PassphraseCredentialConduitController.php

Loading...
View Options

src/applications/passphrase/controller/PassphraseCredentialEditController.php

Loading...
View Options

src/applications/passphrase/controller/PassphraseCredentialLockController.php

Loading...
View Options

src/applications/passphrase/controller/PassphraseCredentialViewController.php

Loading...
Phabricator · Built by Phacility