Require application "Can Use" capability to call Conduit methods

Summary: Ref T603. If you don't have access to an application, prevent execution of its (authenticated) methods. Test Plan: Restricted Tokens to only admins, then tried to view/call Token methods as a non-admin. Reviewers: btrahan Reviewed By: btrahan CC: aran Maniphest Tasks: T603 Differential Revision: https://secure.phabricator.com/D7342
2024-11-20 13:52:40 +01:00 · 2013-10-17 12:51:19 -07:00 · 2013-10-17 12:51:19 -07:00 · 5171e3684c
commit 5171e3684c
parent 32dca4b553
2 changed files with 42 additions and 9 deletions
--- a/src/applications/conduit/call/ConduitCall.php
+++ b/src/applications/conduit/call/ConduitCall.php
@ -79,12 +79,35 @@ final class ConduitCall {
  }

  public function execute() {
-    if (!$this->getUser()) {
-      if ($this->shouldRequireAuthentication()) {
+    $user = $this->getUser();
+    if (!$user) {
+      $user = new PhabricatorUser();
+    }
+
+    $this->request->setUser($user);
+
+    if ($this->shouldRequireAuthentication()) {
+      if (!$user->isLoggedIn()) {
        throw new ConduitException("ERR-INVALID-AUTH");
      }
-    } else {
-      $this->request->setUser($this->getUser());
+
+      // TODO: This would be slightly cleaner by just using a Query, but the
+      // Conduit auth workflow requires the Call and User be built separately.
+      // Just do it this way for the moment.
+      $application = $this->handler->getApplication();
+      if ($application) {
+        $can_view = PhabricatorPolicyFilter::hasCapability(
+          $user,
+          $application,
+          PhabricatorPolicyCapability::CAN_VIEW);
+
+        if (!$can_view) {
+          throw new ConduitException(
+            pht(
+              "You do not have access to the application which provides this ".
+              "API method."));
+        }
+      }
    }

    if (!$this->shouldForceLocal() && $this->servers) {
--- a/src/applications/conduit/method/ConduitAPIMethod.php
+++ b/src/applications/conduit/method/ConduitAPIMethod.php
@ -177,14 +177,24 @@ abstract class ConduitAPIMethod
  }

  public function getPolicy($capability) {
-    return PhabricatorPolicies::POLICY_USER;
+    // Application methods get application visibility; other methods get open
+    // visibility.
+
+    $application = $this->getApplication();
+    if ($application) {
+      return $application->getPolicy($capability);
+    }
+
+    return PhabricatorPolicies::getMostOpenPolicy();
  }

  public function hasAutomaticCapability($capability, PhabricatorUser $viewer) {
-    // The policy interface on Conduit calls is currently just to let us hook
-    // into ApplicationSearch. Calls are always visible (even to logged out
-    // users).
-    return true;
+    if (!$this->shouldRequireAuthentication()) {
+      // Make unauthenticated methods univerally visible.
+      return true;
+    }
+
+    return false;
  }

  public function describeAutomaticCapability($capability) {