mirror of https://we.phorge.it/source/phorge.git synced 2024-11-13 02:12:41 +01:00
phorge-phorge/src/applications
epriestley 2dc8065d11 Prevent Repository local path edit from the web UI
Summary:
Ref T4039. This fixes an issue where a user with the ability to create repositories could view repositories he is otherwise not permitted to see, by following these steps:

  - Suppose you want to see repository "A".
  - Create a repository with the same VCS, called "B".
  - Edit the local path, changing "/var/repo/B" to "/var/repo/A".
  - Now it points at a working copy of a repository you can't see.
  - Although you won't be able to make it through discovery (the pull will fail with the wrong credentials), you can read some information out of the repository directly through the Diffusion UI, probably?

I'm not sure this was really practical to execute since there are a bunch of sanity checks along most/all of the major pathways, but lock it down since normal users shouldn't be editing it anyway. In the best case, this would make a mess.

Test Plan: {F81391}

Reviewers: btrahan

Reviewed By: btrahan

CC: aran

Maniphest Tasks: T4039

Differential Revision: https://secure.phabricator.com/D7580
2013-11-13 11:26:22 -08:00
arcanist/conduit Move Conduit methods inside applications 2012-12-21 12:21:59 -08:00
audit Make event-triggered actions more aware of application access 2013-10-21 17:00:50 -07:00
auth Respect "can edit username" in registration UI 2013-11-13 11:25:43 -08:00
base Show an "approval queue" item on the home page for admins, and sort out menu item visibility 2013-11-13 11:24:38 -08:00
cache Provide 'bin/cache', for managing caches 2013-05-20 10:16:35 -07:00
calendar Replace some hsprintf() by phutil_tag() 2013-11-11 09:23:23 -08:00
chatlog Fix chatlog application query integration 2013-10-22 13:47:47 -07:00
conduit Improve handling of email verification and "activated" accounts 2013-11-12 14:37:04 -08:00
config Implement an approval queue 2013-11-13 11:24:56 -08:00
conpherence Replace some hsprintf() by phutil_tag() 2013-11-11 09:23:23 -08:00
countdown Replace some hsprintf() by phutil_tag() 2013-11-11 09:23:23 -08:00
daemon Lock policy queries to their applications 2013-10-21 17:20:27 -07:00
differential Remove differential.anonymous-access 2013-11-11 16:05:19 -08:00
diffusion Prevent Repository local path edit from the web UI 2013-11-13 11:26:22 -08:00
directory/controller Hide Audit information on Home when the application is uninstalled 2013-10-09 15:25:03 -07:00
diviner Lock policy queries to their applications 2013-10-21 17:20:27 -07:00
doorkeeper Lock policy queries to their applications 2013-10-21 17:20:27 -07:00
draft/storage Add draft support to ApplicationTransactions 2012-12-21 05:57:14 -08:00
drydock PHUIPropertyListView 2013-10-11 07:53:56 -07:00
fact Convert AphrontTableView to safe HTML 2013-02-09 15:11:38 -08:00
feed Replace some hsprintf() by phutil_tag() 2013-11-11 09:23:23 -08:00
files Add filter by object ability to flag query 2013-10-25 12:52:00 -07:00
flag Work around a bug in PHP 5.3-ish with abstract methods in interfaces 2013-10-25 15:58:17 -07:00
harbormaster Replace some hsprintf() by phutil_tag() 2013-11-11 09:23:23 -08:00
help/controller Make Differential views capability-sensitive 2013-09-26 18:45:04 -07:00
herald Improve handling of email verification and "activated" accounts 2013-11-12 14:37:04 -08:00
legalpad Clean up legalpad sign UI 2013-10-30 15:50:46 -07:00
lipsum Kill PhabricatorObjectDataHandle 2013-09-11 12:27:28 -07:00
macro Fix incorrect check for CAN_EDIT in macro enable/disable controller 2013-11-09 16:34:26 -08:00
mailinglists Lock policy queries to their applications 2013-10-21 17:20:27 -07:00
maniphest Fix handle loads in ManiphestTaskListView 2013-11-13 11:25:57 -08:00
meta Update Apps Installed icons to match Projects. 2013-10-23 13:28:47 -07:00
metamta Add bin/repository edit for CLI repository editing 2013-11-13 11:26:05 -08:00
notification Replace some hsprintf() by phutil_tag() 2013-11-11 09:23:23 -08:00
nuance Nuance - capabilities for Source object 2013-11-08 12:45:14 -08:00
oauthserver Initialize used variable 2013-07-09 21:55:27 -07:00
owners Replace some hsprintf() by phutil_tag() 2013-11-11 09:23:23 -08:00
paste Add filter by object ability to flag query 2013-10-25 12:52:00 -07:00
people Implement an approval queue 2013-11-13 11:24:56 -08:00
phame Replace some hsprintf() by phutil_tag() 2013-11-11 09:23:23 -08:00
phid Work around a bug in PHP 5.3-ish with abstract methods in interfaces 2013-10-25 15:58:17 -07:00
phlux Add filter by object ability to flag query 2013-10-25 12:52:00 -07:00
pholio Pholio - fix a bug replacing multiple images 2013-11-08 17:13:36 -08:00
phortune Lock policy queries to their applications 2013-10-21 17:20:27 -07:00
phpast Replace some hsprintf() by phutil_tag() 2013-11-11 09:23:23 -08:00
phrequent Lock policy queries to their applications 2013-10-21 17:20:27 -07:00
phriction Replace some hsprintf() by phutil_tag() 2013-11-11 09:23:23 -08:00
policy Work around a bug in PHP 5.3-ish with abstract methods in interfaces 2013-10-25 15:58:17 -07:00
ponder Fix an issue where Ponder rename stories tried to render question bodies 2013-11-11 11:17:06 -08:00
project Replace some hsprintf() by phutil_tag() 2013-11-11 09:23:23 -08:00
releeph Lock policy queries to their applications 2013-10-21 17:20:27 -07:00
remarkup/conduit Support processing Remarkup in bulk with remarkup.processbulk Conduit method 2013-11-02 16:30:11 -07:00
repository Add bin/repository edit for CLI repository editing 2013-11-13 11:26:05 -08:00
search Replace some hsprintf() by phutil_tag() 2013-11-11 09:23:23 -08:00
settings Show an "approval queue" item on the home page for admins, and sort out menu item visibility 2013-11-13 11:24:38 -08:00
slowvote Add filter by object ability to flag query 2013-10-25 12:52:00 -07:00
subscriptions Tie application event listeners to the applications they listen for 2013-10-21 17:00:21 -07:00
system Replace some hsprintf() by phutil_tag() 2013-11-11 09:23:23 -08:00
tokens Lock policy queries to their applications 2013-10-21 17:20:27 -07:00
transactions Select all available bodies when rendering a feed story 2013-11-05 09:03:59 -08:00
typeahead Use herald to trigger builds of revisions and commits. 2013-11-08 16:58:39 -08:00
uiexample PHUIInfoPanel 2013-10-25 11:09:06 -07:00
xhprof Make most file reads policy-aware 2013-09-30 09:38:13 -07:00