mirror of https://we.phorge.it/source/phorge.git synced 2024-12-12 08:36:13 +01:00
Valerio Bozzolan 7429da91d2 Repository Identity "Automatically Detected User": don't trust unverified emails
Summary:
Make sure that Repository Diffusion Identities "Automatically Detected User" are not created from unverified emails.

Closes T15965

Test Plan:
Find at least one identity that is assigned to nobody:

http://phorge.localhost/diffusion/identity/

(For example, you may easily find an identity of "GitHub <noreply@github.com>")

(Double check that its "Assigned To" is unset or make sure it's unset for this test)

Be evil: add *that* email in your {nav Profile > Settings > Email addresses}. So, for example add "noreply@github.com", like a rogue. The email can stay unverified.

Run this command to immediately cause an effect:

    ./bin/repository rebuild-identities --all-identities

- before this change, you can reproduce that you successfully steal that identity and you become "GitHub" or whoever
- after this change, you see that "Automatically Detected User" is unset again
- after this change, any other identity manually assigned is still assigned to that value
- after this change, any other identities automatically assigned to verified emails are still "Automatically Detected User"

Reviewers: O1 Blessed Committers, speck, 20after4

Reviewed By: O1 Blessed Committers, speck, 20after4

Subscribers: aklapper, tobiaswiese, Matthew, Cigaryno

Maniphest Tasks: T15965

Differential Revision: https://we.phorge.it/D25845
2024-12-11 09:31:14 +01:00
bin Remove the "ssh-auth-key" script 2019-10-28 17:52:37 -07:00
conf Change some instances of "phabricator" to "phorge" 2023-11-18 22:14:15 +00:00
externals Add first unit test for mimemailparser headers 2024-12-06 13:12:54 +01:00
resources Show table of contents by default on wide screens 2024-12-09 18:33:33 +01:00
scripts Add first unit test for mimemailparser headers 2024-12-06 13:12:54 +01:00
src Repository Identity "Automatically Detected User": don't trust unverified emails 2024-12-11 09:31:14 +01:00
support Bump PHP version requirement from 5.2.3 to 7.2.25 2024-10-18 14:20:21 +02:00
webroot Show table of contents by default on wide screens 2024-12-09 18:33:33 +01:00
.arcconfig T15006: Update .arcconfig to point to we.phorge.it 2021-06-18 14:51:47 -04:00
.arclint Calendar Import: add unit tests to cover participants 2024-08-28 09:31:18 +02:00
.arcunit Use the configuration driven unit test engine 2015-08-11 07:57:11 +10:00
.editorconfig Fix text lint issues 2015-02-12 07:00:13 +11:00
.gitignore Generate Diviner book for Javelin 2023-08-30 11:20:12 -07:00
LICENSE Fix text lint issues 2015-02-12 07:00:13 +11:00
NOTICE Remove some "Phacility" and "epriestley" references 2021-07-08 10:46:17 -07:00
README.md Update Readme 2021-06-18 11:36:31 -04:00
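
The rule described in the commit message above, modelled as an added example (not Phorge's code; the class, field and function names and the sample accounts are hypothetical, and manual-over-automatic precedence is an assumption). Automatic detection skips unverified addresses, and an audit helper lists identities that only an unverified address would claim.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class UserEmail:            # hypothetical model, not Phorge's schema
    user: str
    address: str
    verified: bool

@dataclass
class Identity:             # hypothetical model of a Diffusion identity
    name: str
    email: str
    manual_user: Optional[str] = None  # "Assigned To", set by a person
    auto_user: Optional[str] = None    # "Automatically Detected User"

def detect_user(identity, emails, require_verified=True):
    """Account whose email matches the commit email, or None."""
    wanted = identity.email.strip().lower()
    for e in emails:
        if e.address.strip().lower() != wanted:
            continue
        if require_verified and not e.verified:
            continue  # an unverified address proves nothing about ownership
        return e.user
    return None

def rebuild_identities(identities, emails, require_verified=True):
    """Recompute auto_user everywhere; return name -> effective user.
    Assumption: a manual assignment takes precedence over detection."""
    for ident in identities:
        ident.auto_user = detect_user(ident, emails, require_verified)
    return {i.name: i.manual_user or i.auto_user for i in identities}

def unverified_claims(identities, emails):
    """Audit: (identity, user) pairs that match only via an unverified email."""
    return [(i.name, detect_user(i, emails, require_verified=False))
            for i in identities
            if detect_user(i, emails) is None
            and detect_user(i, emails, require_verified=False) is not None]

# Constructed sample data, following the commit message's example address.
EMAILS = [UserEmail("mallory", "noreply@github.com", False),
          UserEmail("alice", "alice@example.com", True)]

def sample_identities():
    return [Identity("GitHub", "noreply@github.com"),
            Identity("Alice", "alice@example.com"),
            Identity("Old Bot", "bot@example.com", manual_user="bob")]

if __name__ == "__main__":
    print("before:", rebuild_identities(sample_identities(), EMAILS, False))
    print("after: ", rebuild_identities(sample_identities(), EMAILS))
    print("audit: ", unverified_claims(sample_identities(), EMAILS))
```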

Phorge is a collection of web applications which help software companies build better software.

Phorge is a community-maintained fork of Phabricator.

Phorge includes applications for:

  • reviewing and auditing source code;
  • hosting and browsing repositories;
  • tracking bugs;
  • managing projects;
  • conversing with team members;
  • assembling a party to venture forth;
  • writing stuff down and reading it later;
  • hiding stuff from coworkers; and
  • also some other things.

Phorge is developed and maintained by The Phorge Team.


LICENSE

Phorge is released under the Apache 2.0 license except as otherwise noted.