Differential D10957

Add some missing capability checks for repository mirror edits
ClosedPublic
Actions

Authored by epriestley on Dec 10 2014, 5:04 PM.

Details

Reviewers

btrahan

Commits

Restricted Diffusion Commit
rPd151c88040d1: Add some missing capability checks for repository mirror edits

Summary

Via HackerOne. These endpoints have insufficient policy checks.

Test Plan

Verified endpoints now check policies correctly.

Diff Detail

Repository

rP Phabricator

Branch

mirrorperm

Lint

Lint Passed

Unit

No Test Coverage

Build Status

Buildable 3211
Build 3217: [Placeholder Plan] Wait for 30 Seconds

Event Timeline

epriestley updated this revision to Diff 26311.Dec 10 2014, 5:04 PM

epriestley retitled this revision from to Add some missing capability checks for repository mirror edits.

epriestley updated this object.

epriestley edited the test plan for this revision. (Show Details)

epriestley added a reviewer: btrahan.

Herald added a subscriber: epriestley. · View Herald TranscriptDec 10 2014, 5:04 PM

The underlying edit check in the Editor prevents this from being materially bad. An attacker could remove a mirror (annoying), but can't add or edit a mirror (which would have been severe).

btrahan accepted this revision.Dec 10 2014, 9:29 PM

btrahan edited edge metadata.

This revision is now accepted and ready to land.Dec 10 2014, 9:29 PM

Closed by commit rPd151c88040d1: Add some missing capability checks for repository mirror edits (authored by epriestley, committed by epriestley). · Explain WhyDec 10 2014, 11:24 PM

This revision was automatically updated to reflect the committed changes.

Revision Contents
Changeset List

Path

Size

src/

applications/

diffusion/

controller/

DiffusionMirrorDeleteController.php

5 lines

DiffusionMirrorEditController.php

10 lines

Diff 26311

View Options

src/applications/diffusion/controller/DiffusionMirrorDeleteController.php