
Fix policy behavior of "slowvote.info" API method

Summary: Ref T13350. This ancient API method is missing modern policy checks.

Test Plan:
  - Set visibility of vote X to "Only: epriestley".
  - Called "slowvote.info" as another user.
  - Before: retrieved poll title and author.
  - After: policy error.
  - Called "slowvote.info" on a visible poll, got information before and after.

Maniphest Tasks: T13350

Differential Revision: https://secure.phabricator.com/D20684
epriestley 2019-07-30 11:49:23 -07:00
parent f6621a5fdc
commit 7e09da3313


@ -27,8 +27,14 @@ final class SlowvoteInfoConduitAPIMethod extends SlowvoteConduitAPIMethod {
}
protected function execute(ConduitAPIRequest $request) {
$viewer = $this->getViewer();
$poll_id = $request->getValue('poll_id');
$poll = id(new PhabricatorSlowvotePoll())->load($poll_id);
$poll = id(new PhabricatorSlowvoteQuery())
->setViewer($viewer)
->withIDs(array($poll_id))
->executeOne();
if (!$poll) {
throw new ConduitException('ERR_BAD_POLL');
}
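Review bot: After this change the `if (!$poll)` branch answers only for IDs that do not exist, while a poll hidden by policy yields the policy error described in the test plan, so the two responses still tell a caller whether a given poll ID exists. If that is acceptable here, a comment above the query would record the intent and discourage a return to the unchecked load, for example `// Load via the policy-aware query; a bare ->load() skips visibility checks.` `$poll_id` also reaches `withIDs(array($poll_id))` straight from the request, so a missing or non-numeric value should presumably end in `ERR_BAD_POLL` rather than a query error; that case is worth a line in the test plan. `execute()` continues past the end of this hunk, so any later loads of poll data there are not visible and should be checked for using `$viewer` as well.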