Page MenuHomePhabricator

Fix a policy issue where permissions were not properly checked when disabling global builtin queries
ClosedPublic

Authored by epriestley on May 31 2022, 5:59 PM.
Tags
None
Referenced Files
F13508509: D21851.id52080.diff
Wed, Jul 24, 2:00 AM
F13507650: D21851.id.diff
Tue, Jul 23, 11:13 PM
F13507447: D21851.diff
Tue, Jul 23, 10:50 PM
Unknown Object (File)
Mon, Jul 22, 1:31 PM
Unknown Object (File)
Sun, Jul 21, 6:03 AM
Unknown Object (File)
Mon, Jul 15, 4:22 AM
Unknown Object (File)
Sat, Jul 13, 5:21 AM
Unknown Object (File)
Thu, Jul 11, 3:06 AM
Subscribers
None

Details

Summary

See https://hackerone.com/reports/1573143. The pathway for disabling global builtin queries is missing a policy check. Add it.

Test Plan
  • Accessed the "/search/delete/id/.../" URI for a global builtin query as a non-administrator.
  • Before patch: could improperly disable queries. -After patch: proper policy exception.

Diff Detail

Repository
rP Phabricator
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

epriestley created this revision.
This revision was not accepted when it landed; it landed in state Needs Review.May 31 2022, 6:00 PM
This revision was automatically updated to reflect the committed changes.