mirror of
https://we.phorge.it/source/phorge.git
synced 2024-12-23 22:10:55 +01:00
Lock down MetaMTA functionality to administrators
Summary: We have a debug interface for sending various sorts of email, but normal users don't really need to use it. In particular, they can: - Send arbitrary email to other users; - Discover other users' email addresses fairly easily (CC everyone); - Send arbitrary email to arbitrary addresses in conjunction with "Mailing Lists" In fact, normal users don't need to get to the MetaMTA web interface at all and it has some somewhat-sensitive things beacuse it has a lot of detailed information about mail. For instance, users can look at mail records to discover things like password reset links and per-user object email addresses. We should smooth out the UI here but I think I can do something about T21 fairly soon and cover it then. Test Plan: Went to /mail/ with a non-admin, got 404'd. Went to /mail/ with an admin, everything works, got a red admin header. Reviewers: jungejason, btrahan Reviewed By: btrahan CC: aran, btrahan, jungejason Maniphest Tasks: T718 Differential Revision: https://secure.phabricator.com/D1292
This commit is contained in:
parent
890f0ff7fa
commit
71e1911dfc
6 changed files with 43 additions and 19 deletions
src/applications
feed/story
metamta/controller
|
@ -51,6 +51,20 @@ abstract class PhabricatorFeedStory {
|
|||
return $this->handles;
|
||||
}
|
||||
|
||||
final protected function getHandle($phid) {
|
||||
if (isset($this->handles[$phid])) {
|
||||
if ($this->handles[$phid] instanceof PhabricatorObjectHandle) {
|
||||
return $this->handles[$phid];
|
||||
}
|
||||
}
|
||||
|
||||
$handle = new PhabricatorObjectHandle();
|
||||
$handle->setPHID($phid);
|
||||
$handle->setName("Unloaded Object '{$phid}'");
|
||||
|
||||
return $handle;
|
||||
}
|
||||
|
||||
final protected function getObjects() {
|
||||
return $this->objects;
|
||||
}
|
||||
|
|
|
@ -20,11 +20,12 @@ class PhabricatorFeedStoryManiphest extends PhabricatorFeedStory {
|
|||
|
||||
public function getRequiredHandlePHIDs() {
|
||||
$data = $this->getStoryData();
|
||||
return array(
|
||||
$this->getStoryData()->getAuthorPHID(),
|
||||
$data->getValue('taskPHID'),
|
||||
$data->getValue('ownerPHID'),
|
||||
);
|
||||
return array_filter(
|
||||
array(
|
||||
$this->getStoryData()->getAuthorPHID(),
|
||||
$data->getValue('taskPHID'),
|
||||
$data->getValue('ownerPHID'),
|
||||
));
|
||||
}
|
||||
|
||||
public function getRequiredObjectPHIDs() {
|
||||
|
@ -36,7 +37,6 @@ class PhabricatorFeedStoryManiphest extends PhabricatorFeedStory {
|
|||
public function renderView() {
|
||||
$data = $this->getStoryData();
|
||||
|
||||
$handles = $this->getHandles();
|
||||
$author_phid = $data->getAuthorPHID();
|
||||
$owner_phid = $data->getValue('ownerPHID');
|
||||
$task_phid = $data->getValue('taskPHID');
|
||||
|
@ -47,18 +47,27 @@ class PhabricatorFeedStoryManiphest extends PhabricatorFeedStory {
|
|||
$view = new PhabricatorFeedStoryView();
|
||||
|
||||
$verb = ManiphestAction::getActionPastTenseVerb($action);
|
||||
$title =
|
||||
'<strong>'.$handles[$author_phid]->renderLink().'</strong>'.
|
||||
" {$verb} task ".
|
||||
'<strong>'.$handles[$task_phid]->renderLink().'</strong>';
|
||||
$extra = null;
|
||||
switch ($action) {
|
||||
case ManiphestAction::ACTION_ASSIGN:
|
||||
$title .=
|
||||
' to '.
|
||||
'<strong>'.$handles[$owner_phid]->renderLink().'</strong>';
|
||||
if ($owner_phid) {
|
||||
$extra =
|
||||
' to '.
|
||||
'<strong>'.$this->getHandle($owner_phid)->renderLink().'</strong>';
|
||||
} else {
|
||||
$verb = 'placed';
|
||||
$extra = ' up for grabs';
|
||||
}
|
||||
break;
|
||||
}
|
||||
|
||||
$title =
|
||||
'<strong>'.$this->getHandle($author_phid)->renderLink().'</strong>'.
|
||||
" {$verb} task ".
|
||||
'<strong>'.$this->getHandle($task_phid)->renderLink().'</strong>';
|
||||
$title .= $extra;
|
||||
$title .= '.';
|
||||
|
||||
$view->setTitle($title);
|
||||
|
||||
switch ($action) {
|
||||
|
|
|
@ -18,6 +18,10 @@
|
|||
|
||||
abstract class PhabricatorMetaMTAController extends PhabricatorController {
|
||||
|
||||
public function shouldRequireAdmin() {
|
||||
return true;
|
||||
}
|
||||
|
||||
public function buildStandardPageResponse($view, array $data) {
|
||||
$page = $this->buildStandardPageView();
|
||||
|
||||
|
|
|
@ -100,7 +100,9 @@ class PhabricatorMetaMTAListController extends PhabricatorMetaMTAController {
|
|||
$panel = new AphrontPanelView();
|
||||
$panel->appendChild($table);
|
||||
$panel->setHeader('MetaMTA Messages');
|
||||
$panel->setCreateButton('Send New Message', '/mail/send/');
|
||||
if ($user->getIsAdmin()) {
|
||||
$panel->setCreateButton('Send New Test Message', '/mail/send/');
|
||||
}
|
||||
$panel->appendChild($pager);
|
||||
|
||||
return $this->buildStandardPageResponse(
|
||||
|
|
|
@ -60,10 +60,6 @@ class PhabricatorMetaMTAViewController extends PhabricatorMetaMTAController {
|
|||
id(new AphrontFormStaticControl())
|
||||
->setLabel('Related PHID')
|
||||
->setValue($mail->getRelatedPHID()))
|
||||
->appendChild(
|
||||
id(new AphrontFormTextAreaControl())
|
||||
->setLabel('Parameters')
|
||||
->setValue(json_encode($mail->getParameters())))
|
||||
->appendChild(
|
||||
id(new AphrontFormSubmitControl())
|
||||
->addCancelButton('/mail/', 'Done'));
|
||||
|
|
|
@ -12,7 +12,6 @@ phutil_require_module('phabricator', 'applications/metamta/storage/mail');
|
|||
phutil_require_module('phabricator', 'view/form/base');
|
||||
phutil_require_module('phabricator', 'view/form/control/static');
|
||||
phutil_require_module('phabricator', 'view/form/control/submit');
|
||||
phutil_require_module('phabricator', 'view/form/control/textarea');
|
||||
phutil_require_module('phabricator', 'view/layout/panel');
|
||||
phutil_require_module('phabricator', 'view/utils');
|
||||
|
||||
|
|
Loading…
Reference in a new issue