
D9881.diff
No OneTemporary

D9881.diff

diff --git a/src/applications/conduit/controller/PhabricatorConduitAPIController.php b/src/applications/conduit/controller/PhabricatorConduitAPIController.php
--- a/src/applications/conduit/controller/PhabricatorConduitAPIController.php
+++ b/src/applications/conduit/controller/PhabricatorConduitAPIController.php
@@ -164,6 +164,11 @@
ConduitAPIRequest $api_request,
$user_name) {
+ $config_key = 'security.allow-conduit-act-as-user';
+ if (!PhabricatorEnv::getEnvConfig($config_key)) {
+ throw new Exception('security.allow-conduit-act-as-user is disabled');
+ }
+
if (!$api_request->getUser()->getIsAdmin()) {
throw new Exception('Only administrators can use actAsUser');
}
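Review bot: The new guard's exception message hard-codes the option name although `$config_key` is defined one line above, so the two can drift if the key is renamed; `throw new Exception(pht('%s is disabled', $config_key));` keeps them tied together. Separately, any call that reaches this guard or the administrator check below it is an impersonation attempt, and nothing in the hunk records it. Consider logging the calling user and the requested `$user_name` before either throw, so refused attempts show up in review. The method starts and ends outside the hunk, so such logging may already exist elsewhere.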
diff --git a/src/applications/config/option/PhabricatorSecurityConfigOptions.php b/src/applications/config/option/PhabricatorSecurityConfigOptions.php
--- a/src/applications/config/option/PhabricatorSecurityConfigOptions.php
+++ b/src/applications/config/option/PhabricatorSecurityConfigOptions.php
@@ -219,11 +219,27 @@
))
->setLocked(true)
->setSummary(
- pht('Allow outbound HTTP requests'))
+ pht('Allow outbound HTTP requests.'))
->setDescription(
pht(
'If you enable this, you are allowing Phabricator to '.
'potentially make requests to external servers.')),
+ $this->newOption('security.allow-conduit-act-as-user', 'bool', false)
+ ->setBoolOptions(
+ array(
+ pht('Allow'),
+ pht('Disallow'),
+ ))
+ ->setLocked(true)
+ ->setSummary(
+ pht('Allow administrators to use the Conduit API as other users.'))
+ ->setDescription(
+ pht(
+ 'DEPRECATED - if you enable this, you are allowing '.
+ 'administrators to act as any user via the Conduit API. '.
+ 'Enabling this is not advised as it introduces a huge policy '.
+ 'violation and has been obsoleted in functionality.')),
+
);
}
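Review bot: The description added for `security.allow-conduit-act-as-user` calls the option deprecated and "obsoleted in functionality" without naming what replaces it, and "a huge policy violation" does not tell an operator what actually goes wrong. I would state the effect concretely, for example `'administrators can make Conduit calls as any other user, so policy checks and recorded actions use that user's identity instead of the administrator's'`, and name the replacement mechanism. Defaulting to `false` together with `setLocked(true)` is the right posture for a switch like this. The blank added line before `);` can be dropped.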

File Metadata

Mime Type
text/plain
Expires
Wed, Apr 2, 8:19 PM (6 d, 22 h ago)
Storage Engine
blob
Storage Format
Encrypted (AES-256-CBC)
Storage Handle
7724415
Default Alt Text
D9881.diff (2 KB)
