mirror of
https://we.phorge.it/source/phorge.git
synced 2024-12-23 05:50:55 +01:00
Correct overbroad automatic capability grant of global settings objects
Summary: Ref T13679. In D16983, global settings objects were given an exception to let logged-out users see them, even on installs with no "public" user role. This exception is too broad and grants everyone all capabilities, not just "CAN_VIEW". In particular, it incorrectly grants "CAN_EDIT", so any user can edit global settings defaults. Restrict this grant to "CAN_VIEW". Test Plan: - As a non-administrator, tried to edit global settings. - Before: could. - After: could not. Maniphest Tasks: T13679 Differential Revision: https://secure.phabricator.com/D21811
This commit is contained in:
parent
01253d533b
commit
698ada2470
1 changed files with 9 additions and 5 deletions
|
@ -219,11 +219,15 @@ final class PhabricatorUserPreferences
|
|||
}
|
||||
}
|
||||
|
||||
switch ($this->getBuiltinKey()) {
|
||||
case self::BUILTIN_GLOBAL_DEFAULT:
|
||||
// NOTE: Without this policy exception, the logged-out viewer can not
|
||||
// see global preferences.
|
||||
return true;
|
||||
$builtin_key = $this->getBuiltinKey();
|
||||
|
||||
$is_global = ($builtin_key === self::BUILTIN_GLOBAL_DEFAULT);
|
||||
$is_view = ($capability === PhabricatorPolicyCapability::CAN_VIEW);
|
||||
|
||||
if ($is_global && $is_view) {
|
||||
// NOTE: Without this policy exception, the logged-out viewer can not
|
||||
// see global preferences.
|
||||
return true;
|
||||
}
|
||||
|
||||
return false;
|
||||
|
|
Loading…
Reference in a new issue