mirror of
https://we.phorge.it/source/phorge.git
synced 2024-11-26 16:52:41 +01:00
Phortune - require high security sessions for subscription edits
Summary: Ref T7202. Test Plan: Visited edit subscription page and it worked. Clicked edit link from subscription view page and got to the right place. Reviewers: epriestley Reviewed By: epriestley Subscribers: Korvin, epriestley Maniphest Tasks: T7202 Differential Revision: https://secure.phabricator.com/D11803
This commit is contained in:
parent
eefead7721
commit
7f1914540f
3 changed files with 12 additions and 2 deletions
|
@ -18,6 +18,10 @@ final class PhortuneSubscriptionEditController extends PhortuneController {
|
|||
return new Aphront404Response();
|
||||
}
|
||||
|
||||
id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
|
||||
$viewer,
|
||||
$request,
|
||||
$this->getApplicationURI($subscription->getEditURI()));
|
||||
$merchant = $subscription->getMerchant();
|
||||
$account = $subscription->getAccount();
|
||||
|
||||
|
|
|
@ -35,8 +35,7 @@ final class PhortuneSubscriptionViewController extends PhortuneController {
|
|||
->setUser($viewer)
|
||||
->setObjectURI($request->getRequestURI());
|
||||
|
||||
$edit_uri = $this->getApplicationURI(
|
||||
"{$account_id}/subscription/edit/{$subscription_id}/");
|
||||
$edit_uri = $this->getApplicationURI($subscription->getEditURI());
|
||||
|
||||
$actions->addAction(
|
||||
id(new PhabricatorActionView())
|
||||
|
|
|
@ -187,6 +187,13 @@ final class PhortuneSubscription extends PhortuneDAO
|
|||
return "/phortune/{$account_id}/subscription/view/{$id}/";
|
||||
}
|
||||
|
||||
public function getEditURI() {
|
||||
$account_id = $this->getAccount()->getID();
|
||||
$id = $this->getID();
|
||||
|
||||
return "/phortune/{$account_id}/subscription/edit/{$id}/";
|
||||
}
|
||||
|
||||
public function getMerchantURI() {
|
||||
$merchant_id = $this->getMerchant()->getID();
|
||||
$id = $this->getID();
|
||||
|
|
Loading…
Reference in a new issue