1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-11-10 17:02:41 +01:00
phorge-phorge/src
epriestley 36006bcb8f Prevent locked credentials from being made accessible via conduit
Summary:
Via HackerOne. Currently, you can use "Lock Permanently" to lock a credential permanently, but you can still enable Conduit API access to it. This directly contradicts both intent of the setting and its description as presented to the user.

Instead:

  - When a credential is locked, revoke Conduit API access.
  - Prevent API access from being enabled for locked credentials.
  - Prevent API access to locked credentials, period.

Test Plan:
  - Created a credential.
  - Enabled API access.
  - Locked credential.
  - Saw API access become disabled.
  - Tried to enable API access; was rebuffed.
  - Queried credential via API, wasn't granted access.

Reviewers: chad

Reviewed By: chad

Differential Revision: https://secure.phabricator.com/D15944
2016-05-18 14:54:44 -07:00
..
__tests__ Use PhutilClassMapQuery instead of PhutilSymbolLoader 2015-08-14 07:49:01 +10:00
aphront Fix "acccess" spelling error 2016-04-30 09:07:51 -07:00
applications Prevent locked credentials from being made accessible via conduit 2016-05-18 14:54:44 -07:00
docs Update Owners auditing rules for multiple reviewers 2016-05-17 13:46:06 -07:00
extensions Add src/extensions/ to Phabricator 2013-08-14 15:38:06 -07:00
infrastructure Before executing svnserve, change the CWD to a readable directory 2016-05-11 06:48:18 -07:00
view Alternate fix for Firefox triple click selection 2016-04-29 16:59:43 -07:00
__phutil_library_init__.php
__phutil_library_map__.php Allow blocking reviewers to be added via the web UI 2016-05-17 10:56:12 -07:00