When creating a new Phame blog post, check that the author has permission to post to the blog
ClosedPublic
Actions

Authored by epriestley on Mar 6 2014, 2:54 PM.

Tags

None

Referenced Files

	F18832273: D8423.diff
	Sat, Oct 25, 9:05 PM

	F18780610: D8423.id20014.diff
	Sun, Oct 12, 5:51 PM

	F18777629: D8423.id.diff
	Sat, Oct 11, 4:02 AM

	F18769705: D8423.diff
	Wed, Oct 8, 8:45 AM

	F18753596: D8423.diff
	Sat, Oct 4, 7:35 PM

	F18748418: D8423.id20001.diff
	Fri, Oct 3, 9:54 PM

	F18745404: D8423.id20001.diff
	Fri, Oct 3, 6:33 AM

	F18625010: D8423.id20001.diff
	Sep 15 2025, 9:39 PM

View All Files

Subscribers

aran

Details

Reviewers

btrahan

Commits

Restricted Diffusion Commit
rP5801176edc13: When creating a new Phame blog post, check that the author has permission to…

Summary

Via HackerOne. We're missing this permissions check, so you can sneak around it.

Test Plan

Tried to post to a blog I had no permission to join.

Diff Detail

Lint

Lint Skipped

Unit

Tests Skipped

Event Timeline

thanks!

This revision is now accepted and ready to land.Mar 6 2014, 9:57 PM

(This one was almost certainly my fault.)

Closed by commit rP5801176edc13 (authored by @epriestley).

• Robinpuri updated this object.Apr 10 2014, 3:43 PM

• Robinpuri edited edge metadata.

epriestley updated this object.Apr 10 2014, 3:51 PM

Revision Contents
Changeset List

Path

Size

src/

applications/

phame/

controller/

post/

PhamePostEditController.php

5 lines

Diff 20014

View Options

src/applications/phame/controller/post/PhamePostEditController.php

When creating a new Phame blog post, check that the author has permission to post to the blogClosedPublicActions