mirror of
https://we.phorge.it/source/phorge.git
synced 2024-12-23 05:50:55 +01:00
Add some missing capability checks for repository mirror edits
Summary: Via HackerOne. These endpoints have insufficient policy checks. Test Plan: Verified endpoints now check policies correctly. Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Differential Revision: https://secure.phabricator.com/D10957
parent
9b865f18e8
commit
d151c88040
2 changed files with 15 additions and 0 deletions
|
@ -19,6 +19,11 @@ final class DiffusionMirrorDeleteController
|
||||||
$mirror = id(new PhabricatorRepositoryMirrorQuery())
|
$mirror = id(new PhabricatorRepositoryMirrorQuery())
|
||||||
->setViewer($viewer)
|
->setViewer($viewer)
|
||||||
->withIDs(array($this->id))
|
->withIDs(array($this->id))
|
||||||
|
->requireCapabilities(
|
||||||
|
array(
|
||||||
|
PhabricatorPolicyCapability::CAN_VIEW,
|
||||||
|
PhabricatorPolicyCapability::CAN_EDIT,
|
||||||
|
))
|
||||||
->executeOne();
|
->executeOne();
|
||||||
if (!$mirror) {
|
if (!$mirror) {
|
||||||
return new Aphront404Response();
|
return new Aphront404Response();
|
||||||
|
|
|
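Review bot: The mirror is still looked up by ID alone in `->withIDs(array($this->id))`, so nothing visible in this hunk ties it to the repository named in the request. The added `requireCapabilities(...)` call therefore only protects this endpoint if the mirror's own policy is derived from its repository, which is not shown here. If the query supports it, also constrain the lookup to the request's repository, e.g. `->withRepositoryPHIDs(array($repository->getPHID()))`, so that a mirror ID belonging to a different repository returns the 404 rather than depending on policy evaluation alone. The same ID-only lookup appears in the DiffusionMirrorEditController hunk. The controller method starts and ends outside this hunk, so `$repository` may first need to be fetched from the request.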
@ -16,10 +16,20 @@ final class DiffusionMirrorEditController
|
||||||
$drequest = $this->diffusionRequest;
|
$drequest = $this->diffusionRequest;
|
||||||
$repository = $drequest->getRepository();
|
$repository = $drequest->getRepository();
|
||||||
|
|
||||||
|
PhabricatorPolicyFilter::requireCapability(
|
||||||
|
$viewer,
|
||||||
|
$repository,
|
||||||
|
PhabricatorPolicyCapability::CAN_EDIT);
|
||||||
|
|
||||||
if ($this->id) {
|
if ($this->id) {
|
||||||
$mirror = id(new PhabricatorRepositoryMirrorQuery())
|
$mirror = id(new PhabricatorRepositoryMirrorQuery())
|
||||||
->setViewer($viewer)
|
->setViewer($viewer)
|
||||||
->withIDs(array($this->id))
|
->withIDs(array($this->id))
|
||||||
|
->requireCapabilities(
|
||||||
|
array(
|
||||||
|
PhabricatorPolicyCapability::CAN_VIEW,
|
||||||
|
PhabricatorPolicyCapability::CAN_EDIT,
|
||||||
|
))
|
||||||
->executeOne();
|
->executeOne();
|
||||||
if (!$mirror) {
|
if (!$mirror) {
|
||||||
return new Aphront404Response();
|
return new Aphront404Response();
|
||||||
|
|
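Review bot: The repository-level `PhabricatorPolicyFilter::requireCapability(...)` call has no comment explaining why it is needed in addition to the capability check on the mirror query below it. Presumably the branch without `$this->id` (outside this hunk) creates a new mirror and loads no existing object, which would make this call the only authorization gate on that path. A comment such as `// No mirror exists yet on the create path, so CAN_EDIT must be checked on the repository itself.` would keep a later refactor from dropping it as redundant. The test plan describes manual verification only; a test that requests both endpoints as a viewer without edit permission and expects a policy failure would guard against regression.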