Page MenuHomePhabricator
Differential D21288

In Phortune accounts, prevent self-removal more narrowly
ClosedPublic
Actions

Authored by epriestley on May 26 2020, 2:05 PM.
Tags
None
Referenced Files
Unknown Object (File)
Wed, Apr 10, 2:53 AM
Unknown Object (File)
Wed, Apr 3, 12:31 AM
Unknown Object (File)
Jan 9 2024, 8:09 AM
Unknown Object (File)
Jan 5 2024, 11:45 PM
Unknown Object (File)
Jan 5 2024, 1:23 PM
Unknown Object (File)
Dec 28 2023, 6:10 PM
Unknown Object (File)
Dec 22 2023, 6:36 AM
Unknown Object (File)
Dec 21 2023, 4:49 AM
View All 92 Files
Subscribers
None

Details

Reviewers
None
Commits
rP621f9de4bb9c: (stable) In Phortune accounts, prevent self-removal more narrowly
rPf686a0b8275e: In Phortune accounts, prevent self-removal more narrowly
Summary

Currently, Phortune attempts to prevent users from removing themselves as account managers. It does this by checking that the new list includes them.

Usually this is sufficient, because you can't normally edit an account unless you're already a manager. However, we get the wrong result (incorrect rejection of the edit) if the actor is omnipotent and the acting user was not already a member.

It's okay to edit an account into a state which doesn't include you if you have permission to edit the account and aren't already a manager.

Specifically, this supports more formal tooling around staff modifications to billing accounts, where the actor has staff-omnipotence and the acting user is a staff member and only used for purposes of leaving a useful audit trail.

Test Plan

Elsewhere, ran staff tooling to modify accounts and was able to act as "alice" to add "bailey", even though "alice" was not herself a manager.

Diff Detail

Repository
rP Phabricator
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

epriestley created this revision.May 26 2020, 2:05 PM
Harbormaster completed remote builds in B24513: Diff 50693.May 26 2020, 2:07 PM
epriestley requested review of this revision.May 26 2020, 2:07 PM
epriestley edited the summary of this revision. (Show Details)May 26 2020, 2:07 PM
epriestley edited the summary of this revision. (Show Details)
This revision was not accepted when it landed; it landed in state Needs Review.May 26 2020, 2:09 PM
Closed by commit rPf686a0b8275e: In Phortune accounts, prevent self-removal more narrowly (authored by epriestley). · Explain Why
This revision was automatically updated to reflect the committed changes.
epriestley added a commit: rPf686a0b8275e: In Phortune accounts, prevent self-removal more narrowly.
epriestley added a commit: rP621f9de4bb9c: (stable) In Phortune accounts, prevent self-removal more narrowly.

Revision Contents
Changeset List

PathSize
src/
applications/
phortune/
editor/
2 lines

Diff 50694

View Options

src/applications/phortune/editor/PhortuneAccountEditor.php

Loading...
Phabricator · Built by Phacility