Add some missing capability checks for repository mirror edits

Summary: Via HackerOne. These endpoints have insufficient policy checks. Test Plan: Verified endpoints now check policies correctly. Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Differential Revision: https://secure.phabricator.com/D10957
2024-11-10 00:42:41 +01:00 · 2014-12-10 15:23:55 -08:00 · 2014-12-10 15:23:55 -08:00 · d151c88040
commit d151c88040
parent 9b865f18e8
2 changed files with 15 additions and 0 deletions
--- a/src/applications/diffusion/controller/DiffusionMirrorDeleteController.php
+++ b/src/applications/diffusion/controller/DiffusionMirrorDeleteController.php
@ -19,6 +19,11 @@ final class DiffusionMirrorDeleteController
    $mirror = id(new PhabricatorRepositoryMirrorQuery())
      ->setViewer($viewer)
      ->withIDs(array($this->id))
+      ->requireCapabilities(
+        array(
+          PhabricatorPolicyCapability::CAN_VIEW,
+          PhabricatorPolicyCapability::CAN_EDIT,
+        ))
      ->executeOne();
    if (!$mirror) {
      return new Aphront404Response();
--- a/src/applications/diffusion/controller/DiffusionMirrorEditController.php
+++ b/src/applications/diffusion/controller/DiffusionMirrorEditController.php
@ -16,10 +16,20 @@ final class DiffusionMirrorEditController
    $drequest = $this->diffusionRequest;
    $repository = $drequest->getRepository();

+    PhabricatorPolicyFilter::requireCapability(
+      $viewer,
+      $repository,
+      PhabricatorPolicyCapability::CAN_EDIT);
+
    if ($this->id) {
      $mirror = id(new PhabricatorRepositoryMirrorQuery())
        ->setViewer($viewer)
        ->withIDs(array($this->id))
+        ->requireCapabilities(
+          array(
+            PhabricatorPolicyCapability::CAN_VIEW,
+            PhabricatorPolicyCapability::CAN_EDIT,
+          ))
        ->executeOne();
      if (!$mirror) {
        return new Aphront404Response();