Page MenuHomePhabricator

Prevent locked credentials from being made accessible via conduit
ClosedPublic

Authored by epriestley on May 18 2016, 7:35 PM.
Tags
None
Referenced Files
Unknown Object (File)
Tue, Dec 17, 6:39 AM
Unknown Object (File)
Sat, Dec 7, 6:38 AM
Unknown Object (File)
Mon, Nov 25, 12:02 PM
Unknown Object (File)
Thu, Nov 21, 2:48 PM
Unknown Object (File)
Nov 17 2024, 3:42 PM
Unknown Object (File)
Nov 1 2024, 9:29 PM
Unknown Object (File)
Nov 1 2024, 8:38 PM
Unknown Object (File)
Oct 24 2024, 7:46 PM
Subscribers
None

Details

Summary

Via HackerOne. Currently, you can use "Lock Permanently" to lock a credential permanently, but you can still enable Conduit API access to it. This directly contradicts both intent of the setting and its description as presented to the user.

Instead:

  • When a credential is locked, revoke Conduit API access.
  • Prevent API access from being enabled for locked credentials.
  • Prevent API access to locked credentials, period.
Test Plan
  • Created a credential.
  • Enabled API access.
  • Locked credential.
  • Saw API access become disabled.
  • Tried to enable API access; was rebuffed.
  • Queried credential via API, wasn't granted access.

Diff Detail

Repository
rP Phabricator
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

epriestley retitled this revision from to Prevent locked credentials from being made accessible via conduit.
epriestley updated this object.
epriestley edited the test plan for this revision. (Show Details)
epriestley added a reviewer: chad.
  • Fix NoEffect exception if Conduit access is not enabled.
chad edited edge metadata.
This revision is now accepted and ready to land.May 18 2016, 9:33 PM
This revision was automatically updated to reflect the committed changes.