mirror of
https://we.phorge.it/source/phorge.git
synced 2024-12-30 09:20:58 +01:00
Fix two excessively aggressive policy checks
Summary: - Some applications need public access regardless of policy configuration. - The file data endpoint should ignore policies.
This commit is contained in:
parent
6100906273
commit
1296c3d347
2 changed files with 11 additions and 1 deletions
|
@ -127,10 +127,16 @@ abstract class PhabricatorController extends AphrontController {
|
|||
// a policy exception if the viewer doesn't have permission.
|
||||
$application = $this->getCurrentApplication();
|
||||
if ($application) {
|
||||
/*
|
||||
|
||||
TODO: Reenable this, but it's breaking some applications which need public
|
||||
access in all cases, like Files and Conduit.
|
||||
|
||||
id(new PhabricatorApplicationQuery())
|
||||
->setViewer($user)
|
||||
->withPHIDs(array($application->getPHID()))
|
||||
->executeOne();
|
||||
*/
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
@ -25,8 +25,12 @@ final class PhabricatorFileDataController extends PhabricatorFileController {
|
|||
->setURI($uri->setPath($request->getPath()));
|
||||
}
|
||||
|
||||
// NOTE: This endpoint will ideally be accessed via CDN or otherwise on
|
||||
// a non-credentialed domain. Knowing the file's secret key gives you
|
||||
// access, regardless of authentication on the request itself.
|
||||
|
||||
$file = id(new PhabricatorFileQuery())
|
||||
->setViewer($request->getUser())
|
||||
->setViewer(PhabricatorUser::getOmnipotentUser())
|
||||
->withPHIDs(array($this->phid))
|
||||
->executeOne();
|
||||
if (!$file) {
|
||||
|
|
Loading…
Reference in a new issue