1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-12-23 22:10:55 +01:00

Lock down MetaMTA functionality to administrators

Summary:
We have a debug interface for sending various sorts of email, but normal users
don't really need to use it. In particular, they can:

  - Send arbitrary email to other users;
  - Discover other users' email addresses fairly easily (CC everyone);
  - Send arbitrary email to arbitrary addresses in conjunction with "Mailing
Lists"

In fact, normal users don't need to get to the MetaMTA web interface at all and
it has some somewhat-sensitive things beacuse it has a lot of detailed
information about mail. For instance, users can look at mail records to discover
things like password reset links and per-user object email addresses.

We should smooth out the UI here but I think I can do something about T21 fairly
soon and cover it then.

Test Plan:
Went to /mail/ with a non-admin, got 404'd. Went to /mail/ with an
admin, everything works, got a red admin header.

Reviewers: jungejason, btrahan

Reviewed By: btrahan

CC: aran, btrahan, jungejason

Maniphest Tasks: T718

Differential Revision: https://secure.phabricator.com/D1292
This commit is contained in:
Evan Priestley 2011-12-29 14:01:57 -08:00 committed by Bob Trahan
parent 890f0ff7fa
commit 71e1911dfc
6 changed files with 43 additions and 19 deletions

View file

@ -51,6 +51,20 @@ abstract class PhabricatorFeedStory {
return $this->handles;
}
final protected function getHandle($phid) {
if (isset($this->handles[$phid])) {
if ($this->handles[$phid] instanceof PhabricatorObjectHandle) {
return $this->handles[$phid];
}
}
$handle = new PhabricatorObjectHandle();
$handle->setPHID($phid);
$handle->setName("Unloaded Object '{$phid}'");
return $handle;
}
final protected function getObjects() {
return $this->objects;
}

View file

@ -20,11 +20,12 @@ class PhabricatorFeedStoryManiphest extends PhabricatorFeedStory {
public function getRequiredHandlePHIDs() {
$data = $this->getStoryData();
return array(
$this->getStoryData()->getAuthorPHID(),
$data->getValue('taskPHID'),
$data->getValue('ownerPHID'),
);
return array_filter(
array(
$this->getStoryData()->getAuthorPHID(),
$data->getValue('taskPHID'),
$data->getValue('ownerPHID'),
));
}
public function getRequiredObjectPHIDs() {
@ -36,7 +37,6 @@ class PhabricatorFeedStoryManiphest extends PhabricatorFeedStory {
public function renderView() {
$data = $this->getStoryData();
$handles = $this->getHandles();
$author_phid = $data->getAuthorPHID();
$owner_phid = $data->getValue('ownerPHID');
$task_phid = $data->getValue('taskPHID');
@ -47,18 +47,27 @@ class PhabricatorFeedStoryManiphest extends PhabricatorFeedStory {
$view = new PhabricatorFeedStoryView();
$verb = ManiphestAction::getActionPastTenseVerb($action);
$title =
'<strong>'.$handles[$author_phid]->renderLink().'</strong>'.
" {$verb} task ".
'<strong>'.$handles[$task_phid]->renderLink().'</strong>';
$extra = null;
switch ($action) {
case ManiphestAction::ACTION_ASSIGN:
$title .=
' to '.
'<strong>'.$handles[$owner_phid]->renderLink().'</strong>';
if ($owner_phid) {
$extra =
' to '.
'<strong>'.$this->getHandle($owner_phid)->renderLink().'</strong>';
} else {
$verb = 'placed';
$extra = ' up for grabs';
}
break;
}
$title =
'<strong>'.$this->getHandle($author_phid)->renderLink().'</strong>'.
" {$verb} task ".
'<strong>'.$this->getHandle($task_phid)->renderLink().'</strong>';
$title .= $extra;
$title .= '.';
$view->setTitle($title);
switch ($action) {

View file

@ -18,6 +18,10 @@
abstract class PhabricatorMetaMTAController extends PhabricatorController {
public function shouldRequireAdmin() {
return true;
}
public function buildStandardPageResponse($view, array $data) {
$page = $this->buildStandardPageView();

View file

@ -100,7 +100,9 @@ class PhabricatorMetaMTAListController extends PhabricatorMetaMTAController {
$panel = new AphrontPanelView();
$panel->appendChild($table);
$panel->setHeader('MetaMTA Messages');
$panel->setCreateButton('Send New Message', '/mail/send/');
if ($user->getIsAdmin()) {
$panel->setCreateButton('Send New Test Message', '/mail/send/');
}
$panel->appendChild($pager);
return $this->buildStandardPageResponse(

View file

@ -60,10 +60,6 @@ class PhabricatorMetaMTAViewController extends PhabricatorMetaMTAController {
id(new AphrontFormStaticControl())
->setLabel('Related PHID')
->setValue($mail->getRelatedPHID()))
->appendChild(
id(new AphrontFormTextAreaControl())
->setLabel('Parameters')
->setValue(json_encode($mail->getParameters())))
->appendChild(
id(new AphrontFormSubmitControl())
->addCancelButton('/mail/', 'Done'));

View file

@ -12,7 +12,6 @@ phutil_require_module('phabricator', 'applications/metamta/storage/mail');
phutil_require_module('phabricator', 'view/form/base');
phutil_require_module('phabricator', 'view/form/control/static');
phutil_require_module('phabricator', 'view/form/control/submit');
phutil_require_module('phabricator', 'view/form/control/textarea');
phutil_require_module('phabricator', 'view/layout/panel');
phutil_require_module('phabricator', 'view/utils');