mirror of https://we.phorge.it/source/phorge.git synced 2024-11-25 08:12:40 +01:00
phorge-phorge/src/applications/passphrase
epriestley 36006bcb8f Prevent locked credentials from being made accessible via conduit
Summary:
Via HackerOne. Currently, you can use "Lock Permanently" to lock a credential permanently, but you can still enable Conduit API access to it. This directly contradicts both the intent of the setting and its description as presented to the user.

Instead:

  - When a credential is locked, revoke Conduit API access.
  - Prevent API access from being enabled for locked credentials.
  - Prevent API access to locked credentials, period.

Test Plan:
  - Created a credential.
  - Enabled API access.
  - Locked credential.
  - Saw API access become disabled.
  - Tried to enable API access; was rebuffed.
  - Queried credential via API, wasn't granted access.

Reviewers: chad

Reviewed By: chad

Differential Revision: https://secure.phabricator.com/D15944
2016-05-18 14:54:44 -07:00
..
application Move FontIcon calls to Icon 2016-01-28 08:48:45 -08:00
capability Save authorPHID on Passphrase Credentials to support "Credential Author" object policy 2015-06-22 11:28:33 -07:00
conduit Prevent locked credentials from being made accessible via conduit 2016-05-18 14:54:44 -07:00
controller Prevent locked credentials from being made accessible via conduit 2016-05-18 14:54:44 -07:00
credentialtype Add a "Token" Credential type 2016-03-22 12:11:58 -07:00
editor Add a "Token" Credential type 2016-03-22 12:11:58 -07:00
keys Add a "Token" Credential type 2016-03-22 12:11:58 -07:00
phid Separate handle "status" and "availability" 2015-05-14 11:14:44 -07:00
policyrule Save authorPHID on Passphrase Credentials to support "Credential Author" object policy 2015-06-22 11:28:33 -07:00
query Add a "Token" Credential type 2016-03-22 12:11:58 -07:00
remarkup Rename PhutilRemarkupRule subclasses 2014-08-05 00:55:43 +10:00
search Convert all "DocumentIndexers" into "FulltextEngines" 2015-12-21 17:25:23 -08:00
storage Add a "Token" Credential type 2016-03-22 12:11:58 -07:00
view Fill in new URI credential edit web UI interfaces 2016-05-02 04:26:13 -07:00