mirror of
https://we.phorge.it/source/phorge.git
synced 2024-11-27 09:12:41 +01:00
When creating a new Phame blog post, check that the author has permission to post to the blog
Summary: Via HackerOne. We're missing this permissions check, so you can sneak around it with URL editing right now. I checked the other queries in this application and they seem OK. Test Plan: Tried to post to a blog I had no permission to join. Reviewers: btrahan Reviewed By: btrahan CC: aran Differential Revision: https://secure.phabricator.com/D8423
This commit is contained in:
parent
270929dd6b
commit
5801176edc
1 changed files with 5 additions and 0 deletions
|
@ -36,6 +36,11 @@ final class PhamePostEditController
|
||||||
$blog = id(new PhameBlogQuery())
|
$blog = id(new PhameBlogQuery())
|
||||||
->setViewer($user)
|
->setViewer($user)
|
||||||
->withIDs(array($request->getInt('blog')))
|
->withIDs(array($request->getInt('blog')))
|
||||||
|
->requireCapabilities(
|
||||||
|
array(
|
||||||
|
PhabricatorPolicyCapability::CAN_VIEW,
|
||||||
|
PhabricatorPolicyCapability::CAN_JOIN,
|
||||||
|
))
|
||||||
->executeOne();
|
->executeOne();
|
||||||
if (!$blog) {
|
if (!$blog) {
|
||||||
return new Aphront404Response();
|
return new Aphront404Response();
|
||||||
|
|
Loading…
Reference in a new issue