When creating a new Phame blog post, check that the author has permission to post to the blog
ClosedPublic
Actions

Authored by epriestley on Mar 6 2014, 2:54 PM.

Tags

None

Referenced Files

	Unknown Object (File)
	Sat, Dec 14, 11:08 PM

	Unknown Object (File)
	Thu, Dec 12, 9:21 PM

	Unknown Object (File)
	Wed, Dec 11, 1:06 PM

	Unknown Object (File)
	Sat, Dec 7, 7:01 AM

	Unknown Object (File)
	Sat, Dec 7, 7:01 AM

	Unknown Object (File)
	Sat, Dec 7, 6:18 AM

	Unknown Object (File)
	Sat, Dec 7, 6:17 AM

	Unknown Object (File)
	Sat, Dec 7, 3:49 AM

View All Files

Subscribers

aran

Details

Reviewers

btrahan

Commits

Restricted Diffusion Commit
rP5801176edc13: When creating a new Phame blog post, check that the author has permission to…

Summary

Via HackerOne. We're missing this permissions check, so you can sneak around it.

Test Plan

Tried to post to a blog I had no permission to join.

Diff Detail

Repository

rP Phabricator

Branch

phame

Lint

Lint Passed

Unit

No Test Coverage

Event Timeline

thanks!

This revision is now accepted and ready to land.Mar 6 2014, 9:57 PM

(This one was almost certainly my fault.)

Closed by commit rP5801176edc13 (authored by @epriestley).

• Robinpuri updated this object.Apr 10 2014, 3:43 PM

• Robinpuri edited edge metadata.

epriestley updated this object.Apr 10 2014, 3:51 PM

Revision Contents
Changeset List

Path

Size

src/

applications/

phame/

controller/

post/

PhamePostEditController.php

5 lines

Diff 20001

View Options

src/applications/phame/controller/post/PhamePostEditController.php

When creating a new Phame blog post, check that the author has permission to post to the blogClosedPublicActions