Page MenuHomePhabricator

Fix a policy issue where permissions were not properly checked when disabling global builtin queries
ClosedPublic

Authored by epriestley on May 31 2022, 5:59 PM.
Tags
None
Referenced Files
F18423492: D21851.id52080.diff
Sat, Aug 30, 7:44 PM
F18367730: D21851.id52080.diff
Thu, Aug 28, 12:02 AM
F18364949: D21851.diff
Wed, Aug 27, 8:08 PM
F18090427: D21851.id52081.diff
Wed, Aug 6, 3:46 PM
F18090150: D21851.id52081.diff
Wed, Aug 6, 2:27 PM
F18083570: D21851.id.diff
Tue, Aug 5, 10:40 AM
F18046015: D21851.diff
Sun, Aug 3, 10:13 AM
F17674422: D21851.diff
Jul 13 2025, 7:16 AM
Subscribers
None

Details

Summary

See https://hackerone.com/reports/1573143. The pathway for disabling global builtin queries is missing a policy check. Add it.

Test Plan
  • Accessed the "/search/delete/id/.../" URI for a global builtin query as a non-administrator.
  • Before patch: could improperly disable queries. -After patch: proper policy exception.

Diff Detail

Repository
rP Phabricator
Branch
query1
Lint
Lint Passed
Unit
Tests Passed
Build Status
Buildable 25759
Build 35587: arc lint + arc unit

Event Timeline

epriestley created this revision.
This revision was not accepted when it landed; it landed in state Needs Review.May 31 2022, 6:00 PM
This revision was automatically updated to reflect the committed changes.