mirror of
https://we.phorge.it/source/phorge.git
synced 2024-12-23 05:50:55 +01:00
Fix a policy issue where permissions were not properly checked when disabling global builtin queries
Summary: See <https://hackerone.com/reports/1573143>. The pathway for disabling global builtin queries is missing a policy check. Add it. Test Plan: - Accessed the "/search/delete/id/.../" URI for a global builtin query as a non-administrator. - Before patch: could improperly disable queries. -After patch: proper policy exception. Differential Revision: https://secure.phabricator.com/D21851
This commit is contained in:
parent
3052ed1484
commit
944b257d5d
1 changed files with 13 additions and 0 deletions
|
@ -42,6 +42,19 @@ final class PhabricatorSearchDeleteController
|
|||
}
|
||||
|
||||
$named_query = $engine->getBuiltinQuery($key);
|
||||
|
||||
// After loading a global query, make sure the viewer actually has
|
||||
// permission to view and edit it.
|
||||
|
||||
PhabricatorPolicyFilter::requireCapability(
|
||||
$viewer,
|
||||
$named_query,
|
||||
PhabricatorPolicyCapability::CAN_VIEW);
|
||||
|
||||
PhabricatorPolicyFilter::requireCapability(
|
||||
$viewer,
|
||||
$named_query,
|
||||
PhabricatorPolicyCapability::CAN_EDIT);
|
||||
}
|
||||
|
||||
$builtin = null;
|
||||
|
|
Loading…
Reference in a new issue