mirror of https://we.phorge.it/source/phorge.git synced 2024-12-30 01:10:58 +01:00

Policy - lock down loadCommit() from DiffusionRequest objects

Summary: Ref T7094. The class DiffusionRequest has other public methods which use getUser() in an unguarded way. Code inspection of the call sites for loadCommit() also leads me to believe the $user is properly set.

Test Plan: clicked around diffusion a bunch and everything seemed to work okay. (happy to test any particular esoteric endpoints that come to mind)

Reviewers: epriestley

Reviewed By: epriestley

Subscribers: Korvin, epriestley

Maniphest Tasks: T7094

Differential Revision: https://secure.phabricator.com/D11585
Bob Trahan 2015-02-01 09:33:12 -08:00
parent 93e6a9b3ca
commit 8573d5b0c1


@ -387,12 +387,11 @@ abstract class DiffusionRequest {
if (empty($this->repositoryCommit)) { if (empty($this->repositoryCommit)) {
$repository = $this->getRepository(); $repository = $this->getRepository();
// TODO: (T603) This should be a real query, but we need to sort out $commit = id(new DiffusionCommitQuery())
// the viewer. ->setViewer($this->getUser())
$commit = id(new PhabricatorRepositoryCommit())->loadOneWhere( ->withRepositoryIDs(array($repository->getID()))
'repositoryID = %d AND commitIdentifier = %s', ->withIdentifiers(array($this->getStableCommit()))
$repository->getID(), ->executeOne();
$this->getStableCommit());
if ($commit) { if ($commit) {
$commit->attachRepository($repository); $commit->attachRepository($repository);
} }
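
Review bot: the new `->setViewer($this->getUser())` line passes the request's user straight into DiffusionCommitQuery with no check that it is set, and the summary relies on call-site inspection for that guarantee. Consider raising a clear exception in loadCommit() when getUser() returns nothing, so a request constructed without a user fails early at this point rather than inside the query. Separately, the replaced loadOneWhere() call took no viewer (per the removed TODO), while the new query does, so `->executeOne()` can now come back empty for a commit that exists in the repository. The `if ($commit)` guard covers the attachRepository() call, but a short comment stating that an empty result may mean "not visible to this viewer" rather than "no such commit" would help callers handle it correctly.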