mirror of
https://we.phorge.it/source/phorge.git
synced 2024-11-26 00:32:42 +01:00
Fix policy behavior of "slowvote.info" API method
Summary: Ref T13350. This ancient API method is missing modern policy checks. Test Plan: - Set visibility of vote X to "Only: epriestley". - Called "slowvote.info" as another user. - Before: retrieved poll title and author. - After: policy error. - Called "slowvote.info" on a visible poll, got information before and after. Maniphest Tasks: T13350 Differential Revision: https://secure.phabricator.com/D20684
parent
f6621a5fdc
commit
7e09da3313
1 changed files with 7 additions and 1 deletions
|
@ -27,8 +27,14 @@ final class SlowvoteInfoConduitAPIMethod extends SlowvoteConduitAPIMethod {
|
|||
}
|
||||
|
||||
protected function execute(ConduitAPIRequest $request) {
|
||||
$viewer = $this->getViewer();
|
||||
|
||||
$poll_id = $request->getValue('poll_id');
|
||||
$poll = id(new PhabricatorSlowvotePoll())->load($poll_id);
|
||||
|
||||
$poll = id(new PhabricatorSlowvoteQuery())
|
||||
->setViewer($viewer)
|
||||
->withIDs(array($poll_id))
|
||||
->executeOne();
|
||||
if (!$poll) {
|
||||
throw new ConduitException('ERR_BAD_POLL');
|
||||
}
|
||||
|
|
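Review bot: A poll the viewer cannot see and a poll that does not exist now fail differently, so a caller can tell which poll IDs exist. The test plan reports a policy error for the hidden poll, while the `if (!$poll)` branch still throws `ERR_BAD_POLL` for a missing one. That may be accepted behaviour for policy-aware queries in this codebase, but it is worth recording above the query, e.g. `// Load via the policy-aware query; a direct load() skips visibility checks. Hidden polls raise a policy error, missing ones ERR_BAD_POLL.` The rest of `execute()` lies outside the hunk; if it reads related records for the poll through direct `load` calls, those likely need the same viewer-aware treatment.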