Page MenuHomePhabricator
Differential D15944

Prevent locked credentials from being made accessible via conduit
ClosedPublic
Actions

Authored by epriestley on May 18 2016, 7:35 PM.
Tags
None
Referenced Files
Unknown Object (File)
Thu, Apr 25, 12:37 AM
Unknown Object (File)
Wed, Apr 24, 3:42 AM
Unknown Object (File)
Wed, Apr 24, 3:42 AM
Unknown Object (File)
Wed, Apr 24, 3:42 AM
Unknown Object (File)
Wed, Apr 24, 3:42 AM
Unknown Object (File)
Fri, Apr 12, 2:27 AM
Unknown Object (File)
Thu, Apr 11, 8:31 AM
Unknown Object (File)
Apr 1 2024, 9:31 AM
View All Files
Subscribers
None

Details

Reviewers
chad
Commits
rP36006bcb8fcb: Prevent locked credentials from being made accessible via conduit
Summary

Via HackerOne. Currently, you can use "Lock Permanently" to lock a credential permanently, but you can still enable Conduit API access to it. This directly contradicts both intent of the setting and its description as presented to the user.

Instead:

  • When a credential is locked, revoke Conduit API access.
  • Prevent API access from being enabled for locked credentials.
  • Prevent API access to locked credentials, period.
Test Plan
  • Created a credential.
  • Enabled API access.
  • Locked credential.
  • Saw API access become disabled.
  • Tried to enable API access; was rebuffed.
  • Queried credential via API, wasn't granted access.

Diff Detail

Repository
rP Phabricator
Branch
pphrase1
Lint
Lint Passed
Unit
Tests Passed
Build Status
Buildable 12259
Build 15491: Run Core Tests
Build 15490: arc lint + arc unit

Event Timeline

epriestley updated this revision to Diff 38387.May 18 2016, 7:35 PM
epriestley retitled this revision from to Prevent locked credentials from being made accessible via conduit.
epriestley updated this object.
epriestley edited the test plan for this revision. (Show Details)
epriestley added a reviewer: chad.
epriestley updated this revision to Diff 38388.May 18 2016, 8:41 PM
  • Fix NoEffect exception if Conduit access is not enabled.
chad accepted this revision.May 18 2016, 9:33 PM
chad edited edge metadata.
This revision is now accepted and ready to land.May 18 2016, 9:33 PM
Closed by commit rP36006bcb8fcb: Prevent locked credentials from being made accessible via conduit (authored by epriestley, committed by epriestley). · Explain WhyMay 18 2016, 9:54 PM
This revision was automatically updated to reflect the committed changes.

Revision Contents
Changeset List

Diff 38387

View Options

src/applications/passphrase/conduit/PassphraseQueryConduitAPIMethod.php

Loading...
View Options

src/applications/passphrase/controller/PassphraseCredentialConduitController.php

Loading...
View Options

src/applications/passphrase/controller/PassphraseCredentialEditController.php

Loading...
View Options

src/applications/passphrase/controller/PassphraseCredentialLockController.php

Loading...
View Options

src/applications/passphrase/controller/PassphraseCredentialViewController.php

Loading...
Phabricator · Built by Phacility