Page MenuHomePhabricator

Correct overbroad automatic capability grant of global settings objects
ClosedPublic

Authored by epriestley on May 9 2022, 10:10 PM.
Tags
None
Referenced Files
Unknown Object (File)
Sat, Apr 20, 5:56 PM
Unknown Object (File)
Sat, Apr 20, 4:46 PM
Unknown Object (File)
Fri, Apr 19, 8:44 AM
Unknown Object (File)
Mon, Apr 15, 10:36 PM
Unknown Object (File)
Mon, Apr 8, 3:10 AM
Unknown Object (File)
Sat, Apr 6, 7:48 PM
Unknown Object (File)
Sat, Apr 6, 4:16 PM
Unknown Object (File)
Fri, Apr 5, 3:41 AM
Subscribers
None

Details

Summary

Ref T13679. In D16983, global settings objects were given an exception to let logged-out users see them, even on installs with no "public" user role.

This exception is too broad and grants everyone all capabilities, not just "CAN_VIEW". In particular, it incorrectly grants "CAN_EDIT", so any user can edit global settings defaults.

Restrict this grant to "CAN_VIEW".

Test Plan
  • As a non-administrator, tried to edit global settings.
  • Before: could.
  • After: could not.

Diff Detail

Repository
rP Phabricator
Lint
Lint Not Applicable
Unit
Tests Not Applicable