Fix a CSRF issue with adding new email addresses
Summary: The first dialog was being given the wrong user (`$user`, should be `$viewer`), leading to a CSRF issue. (The CSRF token it generated was invalid in all validation contexts, so this wasn't a security problem or a way to capture CSRF tokens for other users.) Use `newDialog()` instead. (This seems completely unrelated to the vaguely-similar-looking issues we saw earlier this week.) Test Plan: - Added a new email address. - Clicked "Done" on the last step. - Completed workflow instead of getting a CSRF error. Reviewers: chad, tide Reviewed By: tide Differential Revision: https://secure.phabricator.com/D16200
This commit is contained in:
parent
922822bd2d
commit
4f8d07594e
1 changed files with 2 additions and 4 deletions
|
@ -227,8 +227,7 @@ final class PhabricatorEmailAddressesSettingsPanel
|
||||||
|
|
||||||
$object->sendVerificationEmail($user);
|
$object->sendVerificationEmail($user);
|
||||||
|
|
||||||
$dialog = id(new AphrontDialogView())
|
$dialog = $this->newDialog()
|
||||||
->setUser($user)
|
|
||||||
->addHiddenInput('new', 'verify')
|
->addHiddenInput('new', 'verify')
|
||||||
->setTitle(pht('Verification Email Sent'))
|
->setTitle(pht('Verification Email Sent'))
|
||||||
->appendChild(phutil_tag('p', array(), pht(
|
->appendChild(phutil_tag('p', array(), pht(
|
||||||
|
@ -259,8 +258,7 @@ final class PhabricatorEmailAddressesSettingsPanel
|
||||||
->setCaption(PhabricatorUserEmail::describeAllowedAddresses())
|
->setCaption(PhabricatorUserEmail::describeAllowedAddresses())
|
||||||
->setError($e_email));
|
->setError($e_email));
|
||||||
|
|
||||||
$dialog = id(new AphrontDialogView())
|
$dialog = $this->newDialog()
|
||||||
->setUser($viewer)
|
|
||||||
->addHiddenInput('new', 'true')
|
->addHiddenInput('new', 'true')
|
||||||
->setTitle(pht('New Address'))
|
->setTitle(pht('New Address'))
|
||||||
->appendChild($errors)
|
->appendChild($errors)
|
||||||
|
|
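Review bot: The first hunk removes `->setUser($user)` but leaves `$user` and `$viewer` both in scope, with the context line `$object->sendVerificationEmail($user);` still targeting `$user` while the dialog has to be bound to the acting `$viewer` — the same two-variable setup that produced the original mix-up. A short comment at the new `$dialog = $this->newDialog()` in the first hunk, e.g. `// Bind the dialog to the acting viewer via newDialog(), not to $user (the account being edited); a mismatch yields an unusable CSRF token.`, would make that distinction explicit for the next edit. The fix relies on `newDialog()` attaching the viewer, and that helper is defined outside this hunk, so the assumption is worth stating at the call site. The second hunk's dialog already used `->setUser($viewer)`, so its change looks like a consistency cleanup rather than part of the bug fix. The enclosing method starts before and continues after both hunks.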