Add some missing capability checks for repository mirror edits
Summary: Via HackerOne. These endpoints have insufficient policy checks. Test Plan: Verified endpoints now check policies correctly. Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Differential Revision: https://secure.phabricator.com/D10957
parent
9b865f18e8
commit
d151c88040
2 changed files with 15 additions and 0 deletions
@ -19,6 +19,11 @@ final class DiffusionMirrorDeleteController
|
|||
$mirror = id(new PhabricatorRepositoryMirrorQuery())
|
||||
->setViewer($viewer)
|
||||
->withIDs(array($this->id))
|
||||
->requireCapabilities(
|
||||
array(
|
||||
PhabricatorPolicyCapability::CAN_VIEW,
|
||||
PhabricatorPolicyCapability::CAN_EDIT,
|
||||
))
|
||||
->executeOne();
|
||||
if (!$mirror) {
|
||||
return new Aphront404Response();
|
||||
|
|
|
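Review bot: The added `->requireCapabilities(` on the mirror query only gates deletion if the mirror object's own policy reflects who may edit it; from this hunk one cannot see whether PhabricatorRepositoryMirror delegates its edit policy to the parent repository, so that should be confirmed against the mirror class, since the DiffusionMirrorEditController section of this same commit additionally checks CAN_EDIT on the repository itself and no equivalent repository check is visible here. Whether a mirror that fails the capability check reaches the `if (!$mirror)` 404 branch or instead makes executeOne() raise a policy exception depends on the query base class, which is not visible, so the 404 should not be assumed to be the only failure path. A why-comment above the call, `// Load with CAN_EDIT so a viewer who can only see the mirror cannot delete it.`, would record the intent for the next reader. The enclosing handler method starts before and ends after this hunk.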
@ -16,10 +16,20 @@ final class DiffusionMirrorEditController
|
|||
$drequest = $this->diffusionRequest;
|
||||
$repository = $drequest->getRepository();
|
||||
|
||||
PhabricatorPolicyFilter::requireCapability(
|
||||
$viewer,
|
||||
$repository,
|
||||
PhabricatorPolicyCapability::CAN_EDIT);
|
||||
|
||||
if ($this->id) {
|
||||
$mirror = id(new PhabricatorRepositoryMirrorQuery())
|
||||
->setViewer($viewer)
|
||||
->withIDs(array($this->id))
|
||||
->requireCapabilities(
|
||||
array(
|
||||
PhabricatorPolicyCapability::CAN_VIEW,
|
||||
PhabricatorPolicyCapability::CAN_EDIT,
|
||||
))
|
||||
->executeOne();
|
||||
if (!$mirror) {
|
||||
return new Aphront404Response();
|
||||
|
|
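Review bot: The capability list passed to `->requireCapabilities(` here duplicates the one added to DiffusionMirrorDeleteController in this commit; two hand-maintained copies of `array(PhabricatorPolicyCapability::CAN_VIEW, PhabricatorPolicyCapability::CAN_EDIT)` can drift when a further mirror controller is added, so a shared helper or constant on the mirror query would keep the required capabilities in one place. The `PhabricatorPolicyFilter::requireCapability($viewer, $repository, PhabricatorPolicyCapability::CAN_EDIT)` call sits before `if ($this->id)`, which gates the create path as well as the edit path; a comment such as `// Creating or editing a mirror is an edit of the repository; require CAN_EDIT before branching on whether a mirror already exists.` would make that ordering deliberate rather than incidental. `$viewer` is read but not assigned within the hunk, so it presumably comes from earlier in the method. The enclosing method starts before and ends after this hunk.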