Fix a policy issue where permissions were not properly checked when disabling global builtin queries

Summary: See <https://hackerone.com/reports/1573143>. The pathway for disabling global builtin queries is missing a policy check. Add it. Test Plan: - Accessed the "/search/delete/id/.../" URI for a global builtin query as a non-administrator. - Before patch: could improperly disable queries. -After patch: proper policy exception. Differential Revision: https://secure.phabricator.com/D21851
2024-09-19 16:58:48 +02:00 · 2022-05-31 10:55:01 -07:00 · 2022-05-31 10:55:01 -07:00 · 944b257d5d
commit 944b257d5d
parent 3052ed1484
1 changed files with 13 additions and 0 deletions
--- a/src/applications/search/controller/PhabricatorSearchDeleteController.php
+++ b/src/applications/search/controller/PhabricatorSearchDeleteController.php
@ -42,6 +42,19 @@ final class PhabricatorSearchDeleteController
      }

      $named_query = $engine->getBuiltinQuery($key);
+
+      // After loading a global query, make sure the viewer actually has
+      // permission to view and edit it.
+
+      PhabricatorPolicyFilter::requireCapability(
+        $viewer,
+        $named_query,
+        PhabricatorPolicyCapability::CAN_VIEW);
+
+      PhabricatorPolicyFilter::requireCapability(
+        $viewer,
+        $named_query,
+        PhabricatorPolicyCapability::CAN_EDIT);
    }

    $builtin = null;