Correct overbroad automatic capability grant of global settings objects
ClosedPublic
Actions

Authored by epriestley on May 9 2022, 10:10 PM.

Details

Reviewers: None
Maniphest Tasks: T13679: Non-administrators can incorrectly edit default global settings
Commits: rP698ada2470b1: Correct overbroad automatic capability grant of global settings objects

Summary

Ref T13679. In D16983, global settings objects were given an exception to let logged-out users see them, even on installs with no "public" user role.

This exception is too broad and grants everyone all capabilities, not just "CAN_VIEW". In particular, it incorrectly grants "CAN_EDIT", so any user can edit global settings defaults.

Restrict this grant to "CAN_VIEW".

Test Plan

As a non-administrator, tried to edit global settings.
Before: could.
After: could not.

Diff Detail

Repository

rP Phabricator

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

epriestley requested review of this revision.May 9 2022, 10:10 PM

epriestley created this revision.

Harbormaster completed remote builds in B25708: Diff 51987.May 9 2022, 10:10 PM

This revision was not accepted when it landed; it landed in state Needs Review.May 9 2022, 10:10 PM

Closed by commit rP698ada2470b1: Correct overbroad automatic capability grant of global settings objects (authored by epriestley). · Explain Why

This revision was automatically updated to reflect the committed changes.

epriestley added a commit: rP698ada2470b1: Correct overbroad automatic capability grant of global settings objects.

epriestley mentioned this in T13679: Non-administrators can incorrectly edit default global settings.May 9 2022, 10:19 PM

Revision Contents
Changeset List

Path

Size

src/

applications/

settings/

storage/

PhabricatorUserPreferences.php

14 lines

Diff 51988

View Options

src/applications/settings/storage/PhabricatorUserPreferences.php

Correct overbroad automatic capability grant of global settings objectsClosedPublicActions