1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-12-23 05:50:55 +01:00

Correct overbroad automatic capability grant of global settings objects

Summary:
Ref T13679. In D16983, global settings objects were given an exception to let logged-out users see them, even on installs with no "public" user role.

This exception is too broad and grants everyone all capabilities, not just "CAN_VIEW". In particular, it incorrectly grants "CAN_EDIT", so any user can edit global settings defaults.

Restrict this grant to "CAN_VIEW".

Test Plan:
  - As a non-administrator, tried to edit global settings.
  - Before: could.
  - After: could not.

Maniphest Tasks: T13679

Differential Revision: https://secure.phabricator.com/D21811
This commit is contained in:
epriestley 2022-05-09 15:00:10 -07:00
parent 01253d533b
commit 698ada2470

View file

@ -219,11 +219,15 @@ final class PhabricatorUserPreferences
}
}
switch ($this->getBuiltinKey()) {
case self::BUILTIN_GLOBAL_DEFAULT:
// NOTE: Without this policy exception, the logged-out viewer can not
// see global preferences.
return true;
$builtin_key = $this->getBuiltinKey();
$is_global = ($builtin_key === self::BUILTIN_GLOBAL_DEFAULT);
$is_view = ($capability === PhabricatorPolicyCapability::CAN_VIEW);
if ($is_global && $is_view) {
// NOTE: Without this policy exception, the logged-out viewer can not
// see global preferences.
return true;
}
return false;