mirror of
https://we.phorge.it/source/phorge.git
synced 2024-12-20 12:30:56 +01:00
Policy - lock down loadCommit() from DiffusionRequest objects
Summary: Ref T7094. The class DiffusionRequest has other public methods which use getUser() in an unguarded way. Code inspection of the call sites for loadCommit() also leads me to believe the $user is properly set.

Test Plan: clicked around diffusion a bunch and everything seemed to work okay. (happy to test any particular esoteric endpoints that come to mind)

Reviewers: epriestley

Reviewed By: epriestley

Subscribers: Korvin, epriestley

Maniphest Tasks: T7094

Differential Revision: https://secure.phabricator.com/D11585
This commit is contained in:
parent
93e6a9b3ca
commit
8573d5b0c1
1 changed files with 5 additions and 6 deletions
|
@ -387,12 +387,11 @@ abstract class DiffusionRequest {
|
|||
if (empty($this->repositoryCommit)) {
|
||||
$repository = $this->getRepository();
|
||||
|
||||
// TODO: (T603) This should be a real query, but we need to sort out
|
||||
// the viewer.
|
||||
$commit = id(new PhabricatorRepositoryCommit())->loadOneWhere(
|
||||
'repositoryID = %d AND commitIdentifier = %s',
|
||||
$repository->getID(),
|
||||
$this->getStableCommit());
|
||||
$commit = id(new DiffusionCommitQuery())
|
||||
->setViewer($this->getUser())
|
||||
->withRepositoryIDs(array($repository->getID()))
|
||||
->withIdentifiers(array($this->getStableCommit()))
|
||||
->executeOne();
|
||||
if ($commit) {
|
||||
$commit->attachRepository($repository);
|
||||
}
|
||||
|
|
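Review bot: the new `->setViewer($this->getUser())` call makes loadCommit() depend on a user being set on every DiffusionRequest, and the only evidence given is call-site inspection plus manual clicking. Consider checking the viewer explicitly at the top of this branch and failing with a clear message if it is missing, so a request built without a user fails at a known point instead of somewhere inside DiffusionCommitQuery. Also note that `executeOne()` can now come back empty because the viewer is not allowed to see the commit, not only because the row does not exist. The `if ($commit)` guard covers `attachRepository()`, but callers of loadCommit() that assumed a commit is always returned for a valid identifier should be confirmed to handle an empty result. A short comment here saying that the lookup is policy-checked against the request's user would replace the old T603 TODO usefully.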