mirror of
https://we.phorge.it/source/phorge.git
synced 2024-09-22 10:18:48 +02:00
9dd0eca335
Summary: Ref T6817. Ref T5726. These both bypass policy checks, and would allow an attacker who gains control of an administrative account to enable public feed, then view feed stories they could not normally see; or enable feed.http-hooks, then read the posted text. In the longer term I'd like to remove `feed.public` completely (possibly providing API alternatives, if necessary). Test Plan: Looked at options in web UI and saw them locked. Reviewers: btrahan, chad Reviewed By: chad Subscribers: epriestley Maniphest Tasks: T6817, T5726 Differential Revision: https://secure.phabricator.com/D11046 |
||
|---|---|---|
| .. | ||
| __tests__ | ||
| aphront | ||
| applications | ||
| docs | ||
| extensions | ||
| infrastructure | ||
| view | ||
| __phutil_library_init__.php | ||
| __phutil_library_map__.php | ||