mirror of https://we.phorge.it/source/phorge.git synced 2024-11-28 09:42:41 +01:00
phorge-phorge/src/applications/policy
epriestley f59ebf4c09 Fix incorrect key handling in extended policy filtering
Summary:
Via HackerOne. The use of `$key` here should be `$extended_key`.

Exploiting this requires a very unusual group of objects to be subjected to extended policy checks. I believe there is no way to actually get anything bad through the policy filter today, but this could have been an issue in the future.

Test Plan:
  - Added a unit test which snuck something through the policy filter.
  - Fixed use of `$extended_key`.
  - Test now passes.

Reviewers: chad

Reviewed By: chad

Differential Revision: https://secure.phabricator.com/D14993
2016-01-11 07:04:47 -08:00
__tests__ Fix incorrect key handling in extended policy filtering 2016-01-11 07:04:47 -08:00
application Allow different policy rules for different types of objects 2015-06-13 15:44:03 -07:00
capability Use getPhobjectClassConstant() to access class constants 2015-10-01 16:56:21 -07:00
config Use PhutilClassMapQuery instead of PhutilSymbolLoader 2015-08-14 07:49:01 +10:00
constants Extend from Phobject 2015-06-15 18:02:27 +10:00
controller Use PhutilClassMapQuery instead of PhutilSymbolLoader 2015-08-14 07:49:01 +10:00
editor Clean up "HTTP Parameters" view a bit for EditEngine forms 2015-12-18 12:00:38 -08:00
engineextension Formalize custom Conduit fields on objects 2015-12-14 11:54:13 -08:00
exception Modernize OAuthserver and provide more context on "no permission" exception 2015-09-03 10:05:23 -07:00
filter Fix incorrect key handling in extended policy filtering 2016-01-11 07:04:47 -08:00
interface Add support for "Extended Policies" 2015-06-03 18:59:27 -07:00
management phtize all the things 2015-05-22 21:16:39 +10:00
phid Mark PhabricatorPHIDType::getPHIDTypeApplicationClass() as abstract 2015-11-03 06:47:12 +11:00
query Use PhutilClassMapQuery instead of PhutilSymbolLoader 2015-08-14 07:49:01 +10:00
rule Trivial fixes from D14467 2015-12-23 17:19:33 -08:00
storage Modernize OAuthserver and provide more context on "no permission" exception 2015-09-03 10:05:23 -07:00