Phortune - require high security sessions for subscription edits

Summary: Ref T7202.

Test Plan: Visited edit subscription page and it worked. Clicked edit link from subscription view page and got to the right place.

Reviewers: epriestley

Reviewed By: epriestley

Subscribers: Korvin, epriestley

Maniphest Tasks: T7202

Differential Revision: https://secure.phabricator.com/D11803

src/applications/phortune/controller/PhortuneSubscriptionEditController.php

@@ -18,6 +18,10 @@ final class PhortuneSubscriptionEditController extends PhortuneController {
       return new Aphront404Response();
     }
 
+    id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
+      $viewer,
+      $request,
+      $this->getApplicationURI($subscription->getEditURI()));
     $merchant = $subscription->getMerchant();
     $account = $subscription->getAccount();
 

src/applications/phortune/controller/PhortuneSubscriptionViewController.php

@@ -35,8 +35,7 @@ final class PhortuneSubscriptionViewController extends PhortuneController {
       ->setUser($viewer)
       ->setObjectURI($request->getRequestURI());
 
-    $edit_uri = $this->getApplicationURI(
-      "{$account_id}/subscription/edit/{$subscription_id}/");
+    $edit_uri = $this->getApplicationURI($subscription->getEditURI());
 
     $actions->addAction(
       id(new PhabricatorActionView())

src/applications/phortune/storage/PhortuneSubscription.php

@@ -187,6 +187,13 @@ final class PhortuneSubscription extends PhortuneDAO
     return "/phortune/{$account_id}/subscription/view/{$id}/";
   }
 
+  public function getEditURI() {
+    $account_id = $this->getAccount()->getID();
+    $id = $this->getID();
+
+    return "/phortune/{$account_id}/subscription/edit/{$id}/";
+  }
+
   public function getMerchantURI() {
     $merchant_id = $this->getMerchant()->getID();
     $id = $this->getID();