mirror of
https://we.phorge.it/source/phorge.git
synced 2024-12-23 14:00:56 +01:00
Fix a policy issue where permissions were not properly checked when disabling global builtin queries
Summary: See <https://hackerone.com/reports/1573143>. The pathway for disabling global builtin queries is missing a policy check. Add it. Test Plan: - Accessed the "/search/delete/id/.../" URI for a global builtin query as a non-administrator. - Before patch: could improperly disable queries. -After patch: proper policy exception. Differential Revision: https://secure.phabricator.com/D21851
This commit is contained in:
parent
3052ed1484
commit
944b257d5d
1 changed files with 13 additions and 0 deletions
|
@ -42,6 +42,19 @@ final class PhabricatorSearchDeleteController
|
||||||
}
|
}
|
||||||
|
|
||||||
$named_query = $engine->getBuiltinQuery($key);
|
$named_query = $engine->getBuiltinQuery($key);
|
||||||
|
|
||||||
|
// After loading a global query, make sure the viewer actually has
|
||||||
|
// permission to view and edit it.
|
||||||
|
|
||||||
|
PhabricatorPolicyFilter::requireCapability(
|
||||||
|
$viewer,
|
||||||
|
$named_query,
|
||||||
|
PhabricatorPolicyCapability::CAN_VIEW);
|
||||||
|
|
||||||
|
PhabricatorPolicyFilter::requireCapability(
|
||||||
|
$viewer,
|
||||||
|
$named_query,
|
||||||
|
PhabricatorPolicyCapability::CAN_EDIT);
|
||||||
}
|
}
|
||||||
|
|
||||||
$builtin = null;
|
$builtin = null;
|
||||||
|
|
Loading…
Reference in a new issue