1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-11-26 16:52:41 +01:00

Phortune - require high security sessions for subscription edits

Summary: Ref T7202.

Test Plan: Visited edit subscription page and it worked. Clicked edit link from subscription view page and got to the right place.

Reviewers: epriestley

Reviewed By: epriestley

Subscribers: Korvin, epriestley

Maniphest Tasks: T7202

Differential Revision: https://secure.phabricator.com/D11803
This commit is contained in:
Bob Trahan 2015-02-18 11:37:30 -08:00
parent eefead7721
commit 7f1914540f
3 changed files with 12 additions and 2 deletions

View file

@ -18,6 +18,10 @@ final class PhortuneSubscriptionEditController extends PhortuneController {
return new Aphront404Response();
}
id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
$viewer,
$request,
$this->getApplicationURI($subscription->getEditURI()));
$merchant = $subscription->getMerchant();
$account = $subscription->getAccount();

View file

@ -35,8 +35,7 @@ final class PhortuneSubscriptionViewController extends PhortuneController {
->setUser($viewer)
->setObjectURI($request->getRequestURI());
$edit_uri = $this->getApplicationURI(
"{$account_id}/subscription/edit/{$subscription_id}/");
$edit_uri = $this->getApplicationURI($subscription->getEditURI());
$actions->addAction(
id(new PhabricatorActionView())

View file

@ -187,6 +187,13 @@ final class PhortuneSubscription extends PhortuneDAO
return "/phortune/{$account_id}/subscription/view/{$id}/";
}
public function getEditURI() {
$account_id = $this->getAccount()->getID();
$id = $this->getID();
return "/phortune/{$account_id}/subscription/edit/{$id}/";
}
public function getMerchantURI() {
$merchant_id = $this->getMerchant()->getID();
$id = $this->getID();