1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-12-23 14:00:56 +01:00

Fix a policy issue where permissions were not properly checked when disabling global builtin queries

Summary: See <https://hackerone.com/reports/1573143>. The pathway for disabling global builtin queries is missing a policy check. Add it.

Test Plan:
  - Accessed the "/search/delete/id/.../" URI for a global builtin query as a non-administrator.
  - Before patch: could improperly disable queries.
   -After patch: proper policy exception.

Differential Revision: https://secure.phabricator.com/D21851
This commit is contained in:
epriestley 2022-05-31 10:55:01 -07:00
parent 3052ed1484
commit 944b257d5d

View file

@ -42,6 +42,19 @@ final class PhabricatorSearchDeleteController
} }
$named_query = $engine->getBuiltinQuery($key); $named_query = $engine->getBuiltinQuery($key);
// After loading a global query, make sure the viewer actually has
// permission to view and edit it.
PhabricatorPolicyFilter::requireCapability(
$viewer,
$named_query,
PhabricatorPolicyCapability::CAN_VIEW);
PhabricatorPolicyFilter::requireCapability(
$viewer,
$named_query,
PhabricatorPolicyCapability::CAN_EDIT);
} }
$builtin = null; $builtin = null;