revi-archive/phorge-phorge
1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-11-26 00:32:42 +01:00
Code Issues Releases Wiki Activity

Correct overbroad automatic capability grant of global settings objects

Browse source 
Summary:
Ref T13679. In D16983, global settings objects were given an exception to let logged-out users see them, even on installs with no "public" user role.

This exception is too broad and grants everyone all capabilities, not just "CAN_VIEW". In particular, it incorrectly grants "CAN_EDIT", so any user can edit global settings defaults.

Restrict this grant to "CAN_VIEW".

Test Plan:
  - As a non-administrator, tried to edit global settings.
  - Before: could.
  - After: could not.

Maniphest Tasks: T13679

Differential Revision: https://secure.phabricator.com/D21811
This commit is contained in:
epriestley 2022-05-09 15:00:10 -07:00
parent 01253d533b
commit 698ada2470
1 changed files with 9 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
src/applications/settings/storage/PhabricatorUserPreferences.php
View file

@ -219,11 +219,15 @@ final class PhabricatorUserPreferences
} }
} }
switch ($this->getBuiltinKey()) { $builtin_key = $this->getBuiltinKey();
case self::BUILTIN_GLOBAL_DEFAULT:
// NOTE: Without this policy exception, the logged-out viewer can not $is_global = ($builtin_key === self::BUILTIN_GLOBAL_DEFAULT);
// see global preferences. $is_view = ($capability === PhabricatorPolicyCapability::CAN_VIEW);
return true;
if ($is_global && $is_view) {
// NOTE: Without this policy exception, the logged-out viewer can not
// see global preferences.
return true;
} }
return false; return false;