Require application "Can Use" capability to call Conduit methods
ClosedPublic
Actions

Authored by epriestley on Oct 17 2013, 7:47 PM.

Details

Reviewers

btrahan

Maniphest Tasks

T603: Support permissions/policies in all Phabricator applications

Commits

Restricted Diffusion Commit
rP5171e3684c58: Require application "Can Use" capability to call Conduit methods

Summary

Ref T603. If you don't have access to an application, prevent execution of its (authenticated) methods.

Test Plan

Restricted Tokens to only admins, then tried to view/call Token methods as a non-admin.

Diff Detail

Branch

pconduit

Lint

Lint Passed

Severity	Location	Code	Message
Advice	src/applications/conduit/call/ConduitCall.php:94	XHP16	TODO Comment

Unit

Tests Passed

Event Timeline

btrahan accepted this revision.Oct 17 2013, 7:48 PM

I want to clean up Conduit auth at some point -- and maybe sooner than later -- but there are a few related changes (the SSH version, making a more cURL-able version of the API available, formalizing the non-connect version, typechecking, getting rid of differential.anonymous-access, cleaning up the way tokens cycle and we deal with out-of-range client timestmaps) that probably make sense to bundle most of together so all the testing can overlap. That should let us run more of these checks through less total code.

Closed by commit rP5171e3684c58 (authored by @epriestley).

Revision Contents
Changeset List

Path

Size

src/

applications/

conduit/

call/

ConduitCall.php

31 lines

method/

ConduitAPIMethod.php

20 lines

Diff 16535

View Options

src/applications/conduit/call/ConduitCall.php