1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-11-27 09:12:41 +01:00

When creating a new Phame blog post, check that the author has permission to post to the blog

Summary:
Via HackerOne. We're missing this permissions check, so you can sneak around it with URL editing right now.

I checked the other queries in this application and they seem OK.

Test Plan: Tried to post to a blog I had no permission to join.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran

Differential Revision: https://secure.phabricator.com/D8423
This commit is contained in:
epriestley 2014-03-06 14:06:07 -08:00
parent 270929dd6b
commit 5801176edc

View file

@ -36,6 +36,11 @@ final class PhamePostEditController
$blog = id(new PhameBlogQuery()) $blog = id(new PhameBlogQuery())
->setViewer($user) ->setViewer($user)
->withIDs(array($request->getInt('blog'))) ->withIDs(array($request->getInt('blog')))
->requireCapabilities(
array(
PhabricatorPolicyCapability::CAN_VIEW,
PhabricatorPolicyCapability::CAN_JOIN,
))
->executeOne(); ->executeOne();
if (!$blog) { if (!$blog) {
return new Aphront404Response(); return new Aphront404Response();