Page MenuHomePhabricator

Correct overbroad automatic capability grant of global settings objects
ClosedPublic

Authored by epriestley on May 9 2022, 10:10 PM.
Tags
None
Referenced Files
Unknown Object (File)
Sun, May 28, 10:49 PM
Unknown Object (File)
Sun, May 28, 10:48 PM
Unknown Object (File)
Sun, May 28, 10:48 PM
Unknown Object (File)
Tue, May 23, 9:01 AM
Unknown Object (File)
Mon, May 22, 5:58 PM
Unknown Object (File)
Mon, May 22, 12:56 PM
Unknown Object (File)
Sun, May 14, 10:55 PM
Unknown Object (File)
Sun, May 14, 8:22 PM
Subscribers
None

Details

Summary

Ref T13679. In D16983, global settings objects were given an exception to let logged-out users see them, even on installs with no "public" user role.

This exception is too broad and grants everyone all capabilities, not just "CAN_VIEW". In particular, it incorrectly grants "CAN_EDIT", so any user can edit global settings defaults.

Restrict this grant to "CAN_VIEW".

Test Plan
  • As a non-administrator, tried to edit global settings.
  • Before: could.
  • After: could not.

Diff Detail

Repository
rP Phabricator
Lint
Lint Not Applicable
Unit
Tests Not Applicable