Page MenuHomePhabricator

Correct overbroad automatic capability grant of global settings objects
ClosedPublic

Authored by epriestley on May 9 2022, 10:10 PM.
Tags
None
Referenced Files
F15513454: D21811.diff
Thu, Apr 17, 7:12 PM
F15502958: D21811.diff
Mon, Apr 14, 5:45 AM
F15495256: D21811.id51988.diff
Sun, Apr 13, 3:29 AM
F15494263: D21811.diff
Sat, Apr 12, 11:05 PM
F15476358: D21811.id51987.diff
Mon, Apr 7, 5:52 AM
F15452516: D21811.id51988.diff
Sat, Mar 29, 5:28 AM
F15452508: D21811.id51987.diff
Sat, Mar 29, 5:24 AM
F15452502: D21811.id.diff
Sat, Mar 29, 5:21 AM
Subscribers
None

Details

Summary

Ref T13679. In D16983, global settings objects were given an exception to let logged-out users see them, even on installs with no "public" user role.

This exception is too broad and grants everyone all capabilities, not just "CAN_VIEW". In particular, it incorrectly grants "CAN_EDIT", so any user can edit global settings defaults.

Restrict this grant to "CAN_VIEW".

Test Plan
  • As a non-administrator, tried to edit global settings.
  • Before: could.
  • After: could not.

Diff Detail

Repository
rP Phabricator
Lint
Lint Not Applicable
Unit
Tests Not Applicable