
Non-administrators can incorrectly edit default global settings
Closed, Resolved (Public)

Description

See also: https://hackerone.com/reports/1563139. (This link may not work if the report has not yet been disclosed.)

Non-administrators can incorrectly view and edit global default settings by navigating directly to the underlying well-known management URIs.

Viewing these settings is unconcerning: all users can already view the underlying objects; they're just normally shown contextually as "Language: Default (English)" -- rather than in a separate UI -- to keep things simple for normal users.

In practice, editing these settings is also not very concerning: none have a significant security impact and few could do more than cause minor inconvenience if edited maliciously.

Most of the underlying code here is sensible and makes the correct checks, but D16983 carved out too wide an automatic capability exception when fixing logged-out users viewing non-public installs (who need to see Settings so we can, e.g., pick a default language -- even though they normally can't see any other objects). The automatic capability granted in D16983 should cover "CAN_VIEW" only, not all capabilities.
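The following is an added illustration, not Phabricator's code and not the D16983 change itself: a small model of the per-capability automatic exception the task describes. The class and function names (`GlobalSettings`, `Viewer`, `has_automatic_capability`, `settings_with_broad_exception`, `settings_with_view_only_exception`) and the policy values are hypothetical stand-ins. It shows the two shapes side by side: an automatic grant that covers every capability (so any viewer, logged-out included, passes the CAN_EDIT check) and one scoped to CAN_VIEW, which is what lets a logged-out viewer see Settings on a non-public install without also being able to edit them.

```python
# Constructed model of an automatic-capability exception on a global-settings
# object. Hypothetical names; this is not Phabricator's policy code.
from dataclasses import dataclass, field
from typing import List, Optional

CAN_VIEW = "view"
CAN_EDIT = "edit"

POLICY_PUBLIC = "public"   # anyone, including logged-out viewers
POLICY_USERS = "users"     # any logged-in user
POLICY_ADMIN = "admin"     # administrators only


@dataclass(frozen=True)
class Viewer:
    username: Optional[str] = None   # None models a logged-out viewer
    is_admin: bool = False

    @property
    def is_logged_in(self) -> bool:
        return self.username is not None


def policy_allows(policy: str, viewer: Viewer) -> bool:
    """Ordinary policy evaluation. Nothing here admits a logged-out viewer
    unless the policy is public, which is why Settings needs an exception."""
    if policy == POLICY_PUBLIC:
        return True
    if policy == POLICY_USERS:
        return viewer.is_logged_in
    if policy == POLICY_ADMIN:
        return viewer.is_admin
    raise ValueError(f"unknown policy {policy!r}")


@dataclass
class GlobalSettings:
    """Global default settings object (hypothetical model)."""
    values: dict = field(default_factory=lambda: {"language": "en"})
    policies: dict = field(
        default_factory=lambda: {CAN_VIEW: POLICY_USERS, CAN_EDIT: POLICY_ADMIN})
    # Which capabilities the automatic exception covers. This set is the
    # whole difference between the bug and the fix.
    automatic: frozenset = frozenset({CAN_VIEW})

    def has_automatic_capability(self, capability: str, viewer: Viewer) -> bool:
        # Applies to every viewer, logged-out included; that is its purpose,
        # so the *scope* of the grant must be exactly CAN_VIEW.
        return capability in self.automatic

    def can(self, viewer: Viewer, capability: str) -> bool:
        if self.has_automatic_capability(capability, viewer):
            return True   # bypasses the policy check entirely
        return policy_allows(self.policies[capability], viewer)

    def edit(self, viewer: Viewer, key: str, value: str) -> None:
        """The check a management URI handler should make before writing."""
        if not self.can(viewer, CAN_EDIT):
            raise PermissionError(f"{viewer.username or 'logged-out'} lacks {CAN_EDIT}")
        self.values[key] = value


def settings_with_broad_exception() -> GlobalSettings:
    """Models the over-wide carve-out: every capability is automatic."""
    return GlobalSettings(automatic=frozenset({CAN_VIEW, CAN_EDIT}))


def settings_with_view_only_exception() -> GlobalSettings:
    """Models the intended scope: only CAN_VIEW is automatic."""
    return GlobalSettings(automatic=frozenset({CAN_VIEW}))


def who_can_edit(settings: GlobalSettings, viewers) -> List[str]:
    """Names of the viewers that pass the CAN_EDIT check; a quick regression probe."""
    return [v.username or "logged-out" for v in viewers if settings.can(v, CAN_EDIT)]


if __name__ == "__main__":
    anonymous, member, admin = Viewer(), Viewer("alice"), Viewer("root", is_admin=True)
    everyone = [anonymous, member, admin]
    print("broad exception, can edit:    ", who_can_edit(settings_with_broad_exception(), everyone))
    print("view-only exception, can edit:", who_can_edit(settings_with_view_only_exception(), everyone))
```

With the broad exception every viewer passes `can(..., CAN_EDIT)` because the automatic grant short-circuits the policy lookup before the admin policy is ever consulted; narrowing the set to CAN_VIEW keeps the logged-out view working while CAN_EDIT falls through to the normal admin-only policy.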