mirror of https://we.phorge.it/source/phorge.git synced 2024-11-24 15:52:41 +01:00
phorge-phorge/src
epriestley 9dd0eca335 Lock feed.public and feed.http-hooks config options
Summary:
Ref T6817. Ref T5726. These both bypass policy checks, and would allow an attacker who gains control of an administrative account to enable public feed, then view feed stories they could not normally see; or enable feed.http-hooks, then read the posted text.

In the longer term I'd like to remove `feed.public` completely (possibly providing API alternatives, if necessary).

Test Plan: Looked at options in web UI and saw them locked.

Reviewers: btrahan, chad

Reviewed By: chad

Subscribers: epriestley

Maniphest Tasks: T6817, T5726

Differential Revision: https://secure.phabricator.com/D11046
2014-12-29 08:04:47 -08:00
__tests__ Accept Conduit tokens as an authentication mechanism 2014-12-15 11:14:41 -08:00
aphront Make ConduitCall always local/in-process 2014-12-10 15:27:07 -08:00
applications Lock feed.public and feed.http-hooks config options 2014-12-29 08:04:47 -08:00
docs Allow Almanac services to be locked 2014-12-18 14:31:36 -08:00
extensions Add src/extensions/ to Phabricator 2013-08-14 15:38:06 -07:00
infrastructure Migrate Maniphest task blockers to modern EdgeType classes 2014-12-28 06:40:39 -08:00
view Remove payments sprite 2014-12-20 09:44:53 -08:00
__phutil_library_init__.php Delete license headers from files 2012-11-05 11:16:51 -08:00
__phutil_library_map__.php Migrate Maniphest task blockers to modern EdgeType classes 2014-12-28 06:40:39 -08:00