Maniphest T13350

Ancient "slowvote.info" API method bypasses policy checks
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	epriestley
	Jul 30 2019, 6:46 PM

Tags

Referenced Files

None

Subscribers

Description

See https://hackerone.com/reports/661978. The ancient slowvote.info API endpoint predates policies and was never updated to use a proper Query; instead, it uses a raw load() call which ignores policy checks.

This call should also be deprecated in favor of a modern slowvote.search call.

Revisions and Commits

rP Phabricator
	D20687	rP2ec39afcd12b Deprecate ancient "slowvote.info" API method
	D20686	rPf92480fb7740 Fix two minor display issues with the Conduit "*.search" API documentation
	D20685	rP0b0ab1bd7cfd Add a "slowvote.poll.search" API method
	D20684	rP7e09da3313fb Fix policy behavior of "slowvote.info" API method

Event Timeline

epriestley triaged this task as Low priority.Jul 30 2019, 6:46 PM

epriestley created this task.

Herald added subscribers: amckinley, cburroughs, andypuettmann, revi. · View Herald TranscriptJul 30 2019, 6:46 PM

epriestley added a revision: D20684: Fix policy behavior of "slowvote.info" API method.Jul 30 2019, 6:53 PM

epriestley added a commit: rP7e09da3313fb: Fix policy behavior of "slowvote.info" API method.Jul 30 2019, 6:56 PM

epriestley added a revision: D20685: Add a "slowvote.poll.search" API method.Jul 31 2019, 6:17 PM

epriestley added a revision: D20686: Fix two minor display issues with the Conduit "*.search" API documentation.Jul 31 2019, 6:22 PM

epriestley added a revision: D20687: Deprecate ancient "slowvote.info" API method.Jul 31 2019, 6:25 PM

epriestley closed this task as Resolved by committing rP2ec39afcd12b: Deprecate ancient "slowvote.info" API method.Jul 31 2019, 6:26 PM

epriestley added a commit: rP0b0ab1bd7cfd: Add a "slowvote.poll.search" API method.

epriestley added a commit: rPf92480fb7740: Fix two minor display issues with the Conduit "*.search" API documentation.

epriestley added a commit: rP2ec39afcd12b: Deprecate ancient "slowvote.info" API method.