1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-12-23 05:50:55 +01:00

Add some missing capability checks for repository mirror edits

Summary: Via HackerOne. These endpoints have insufficient policy checks.

Test Plan: Verified endpoints now check policies correctly.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Differential Revision: https://secure.phabricator.com/D10957
This commit is contained in:
epriestley 2014-12-10 15:23:55 -08:00
parent 9b865f18e8
commit d151c88040
2 changed files with 15 additions and 0 deletions

View file

@ -19,6 +19,11 @@ final class DiffusionMirrorDeleteController
$mirror = id(new PhabricatorRepositoryMirrorQuery())
->setViewer($viewer)
->withIDs(array($this->id))
->requireCapabilities(
array(
PhabricatorPolicyCapability::CAN_VIEW,
PhabricatorPolicyCapability::CAN_EDIT,
))
->executeOne();
if (!$mirror) {
return new Aphront404Response();

View file

@ -16,10 +16,20 @@ final class DiffusionMirrorEditController
$drequest = $this->diffusionRequest;
$repository = $drequest->getRepository();
PhabricatorPolicyFilter::requireCapability(
$viewer,
$repository,
PhabricatorPolicyCapability::CAN_EDIT);
if ($this->id) {
$mirror = id(new PhabricatorRepositoryMirrorQuery())
->setViewer($viewer)
->withIDs(array($this->id))
->requireCapabilities(
array(
PhabricatorPolicyCapability::CAN_VIEW,
PhabricatorPolicyCapability::CAN_EDIT,
))
->executeOne();
if (!$mirror) {
return new Aphront404Response();