HomePhabricator
Diffusion Phabricator 2dc8065d1143

Prevent Repository local path edit from the web UI
2dc8065d1143
Actions

Description

Prevent Repository local path edit from the web UI

Summary:
Ref T4039. This fixes an issue where a user with the ability to create repositories could view repositories he is otherwise not permitted to see, by following these steps:

  • Suppose you want to see repository "A".
  • Create a repository with the same VCS, called "B".
  • Edit the local path, changing "/var/repo/B" to "/var/repo/A".
  • Now it points at a working copy of a repository you can't see.
  • Although you won't be able to make it through discovery (the pull will fail with the wrong credentials), you can read some information out of the repository directly through the Diffusion UI, probably?

I'm not sure this was really practical to execute since there are a bunch of sanity checks along most/all of the major pathways, but lock it down since normal users shouldn't be editing it anyway. In the best case, this would make a mess.

Test Plan: {F81391}

Reviewers: btrahan

Reviewed By: btrahan

CC: aran

Maniphest Tasks: T4039

Differential Revision: https://secure.phabricator.com/D7580

Details

Provenance
epriestleyAuthored on Nov 13 2013, 7:26 PM
Reviewer
btrahan
Differential Revision
D7580: Prevent Repository local path edit from the web UI
Parents
rPf5ca647d2c52: Add `bin/repository edit` for CLI repository editing
Branches
Unknown
Tags
Unknown
Tasks
T4039: Prevent a repository from being set to the same "local path" as some other repository

Event Timeline

Changes (1)

PathSize
src/
applications/
diffusion/
controller/

rP2dc8065d1143

View Options

src/applications/diffusion/controller/DiffusionRepositoryEditLocalController.php

Loading...
Phabricator ยท Built by Phacility