mirror of https://we.phorge.it/source/phorge.git synced 2024-09-22 10:18:48 +02:00
phorge-phorge/src/applications
Bob Trahan e281c5ee90 Security - disable conduit act as user by default
Summary: Introduce a new configuration setting that by default disables the conduit act as user method. Wordily explain that turning it on is not recommended. Fixes T3818.

Test Plan:
```
15:25:19 ~/Dropbox/code/phalanx/src/applications/conduit (T3818)
~>  echo '{}' | arc call-conduit --conduit-uri http://phalanx.dev/ user.whoami
Waiting for JSON parameters on stdin...
{"error":null,"errorMessage":null,"response":{"phid":"PHID-USER-tghb3b2gbdyezdcuw2or","userName":"btrahan","realName":"Bob Trahan","image":"http:\/\/phalanx.dev\/file\/data\/yncjbh7phk7ktrdhuorn\/PHID-FILE-qyf4ui3x2ll3e52hpg5e\/profile-profile-gravatar","uri":"http:\/\/phalanx.dev\/p\/btrahan\/","roles":["admin","verified","approved","activated"]}}
15:25:34 ~/Dropbox/code/phalanx/src/applications/conduit (T3818)

<go edit libconfig/conduitclient to spoof another user...>

~>  echo '{}' | arc call-conduit --conduit-uri http://phalanx.dev/ user.whoami
Waiting for JSON parameters on stdin...
{"error":"ERR-CONDUIT-CORE","errorMessage":"ERR-CONDUIT-CORE: security.allow-conduit-act-as-user is disabled","response":null}
15:26:40 ~/Dropbox/code/phalanx/src/applications/conduit (T3818)

<enable option via bin/config....>

~>  echo '{}' | arc call-conduit --conduit-uri http://phalanx.dev/ user.whoami
Waiting for JSON parameters on stdin...
{"error":null,"errorMessage":null,"response":{"phid":"PHID-USER-6lcglnzbkiamdofishgi","userName":"xerxes","realName":"Xerxes Trahan","image":"http:\/\/phalanx.dev\/file\/data\/n2kyeevowetcuynbcxrg\/PHID-FILE-voquikectzpde256zzvm\/profile-1275455993.jpg","uri":"http:\/\/phalanx.dev\/p\/xerxes\/","roles":["verified","approved","activated"]}}
```

Reviewers: epriestley

Reviewed By: epriestley

Subscribers: jevripio, sowedance, epriestley, Korvin

Maniphest Tasks: T3818

Differential Revision: https://secure.phabricator.com/D9881
2014-07-10 15:43:53 -07:00
| Directory | Last commit | Date |
|---|---|---|
| aphlict/management | Try nodejs before node when starting notification server | 2014-06-07 13:56:23 -07:00 |
| arcanist/conduit | Remove @group annotations | 2014-07-10 08:12:48 +10:00 |
| audit | Add GROUP BY to commit query | 2014-07-10 10:16:26 -07:00 |
| auth | Introduce CAN_EDIT for ExternalAccount, and make CAN_VIEW more liberal | 2014-07-10 10:18:10 -07:00 |
| base | Remove @group annotations | 2014-07-10 08:12:48 +10:00 |
| cache | Change double quotes to single quotes. | 2014-06-09 11:36:50 -07:00 |
| calendar | Remove @group annotations | 2014-07-10 08:12:48 +10:00 |
| chatlog | Remove @group annotations | 2014-07-10 08:12:48 +10:00 |
| conduit | Security - disable conduit act as user by default | 2014-07-10 15:43:53 -07:00 |
| config | Security - disable conduit act as user by default | 2014-07-10 15:43:53 -07:00 |
| conpherence | Remove @group annotations | 2014-07-10 08:12:48 +10:00 |
| countdown | Remove @group annotations | 2014-07-10 08:12:48 +10:00 |
| daemon | Continue on bad daemon pid data | 2014-06-26 15:23:22 -07:00 |
| dashboard | Allow dashboard panels to be archived | 2014-07-01 17:50:28 -07:00 |
| differential | Introduce CAN_EDIT for ExternalAccount, and make CAN_VIEW more liberal | 2014-07-10 10:18:10 -07:00 |
| diffusion | Respond more gracefully when a git push deletes a nonexistent ref | 2014-07-10 10:17:17 -07:00 |
| diviner | Fix an issue with Diviner symbol rule using incorrect logic | 2014-07-02 04:58:23 -07:00 |
| doorkeeper | Introduce CAN_EDIT for ExternalAccount, and make CAN_VIEW more liberal | 2014-07-10 10:18:10 -07:00 |
| draft/storage | Differential - add DifferentialDraft to track whether revisions have draft feedback or not | 2014-02-18 16:25:16 -08:00 |
| drydock | Remove @group annotations | 2014-07-10 08:12:48 +10:00 |
| fact | Set device to false for all pages which don't specify device readiness | 2014-06-23 15:15:11 -07:00 |
| feed | Remove @group annotations | 2014-07-10 08:12:48 +10:00 |
| files | After a file upload, take the user to the info page, not the view page | 2014-07-10 06:39:23 -07:00 |
| flag | Remove @group annotations | 2014-07-10 08:12:48 +10:00 |
| harbormaster | Remove @group annotations | 2014-07-10 08:12:48 +10:00 |
| help | Add support for aural-only and visual-only elements | 2014-05-01 07:18:18 -07:00 |
| herald | Remove @group annotations | 2014-07-10 08:12:48 +10:00 |
| home | Remove all device = true from page construction | 2014-06-23 15:18:14 -07:00 |
| legalpad | Remove @group annotations | 2014-07-10 08:12:48 +10:00 |
| lipsum | Change double quotes to single quotes. | 2014-06-09 11:36:50 -07:00 |
| macro | Remove @group annotations | 2014-07-10 08:12:48 +10:00 |
| mailinglists | Remove all device = true from page construction | 2014-06-23 15:18:14 -07:00 |
| maniphest | Make column reordering after edits on workboards more general | 2014-07-10 10:19:03 -07:00 |
| meta | Remove all device = true from page construction | 2014-06-23 15:18:14 -07:00 |
| metamta | Introduce CAN_EDIT for ExternalAccount, and make CAN_VIEW more liberal | 2014-07-10 10:18:10 -07:00 |
| notification | React to Aphlict disconnects in the UI | 2014-06-24 09:41:40 -07:00 |
| nuance | Remove @group annotations | 2014-07-10 08:12:48 +10:00 |
| oauthserver | Remove @group annotations | 2014-07-10 08:12:48 +10:00 |
| owners | Remove @group annotations | 2014-07-10 08:12:48 +10:00 |
| passphrase | Allow linking to passphrase credential via remarkup | 2014-06-25 14:59:12 -07:00 |
| paste | Remove @group annotations | 2014-07-10 08:12:48 +10:00 |
| people | Introduce CAN_EDIT for ExternalAccount, and make CAN_VIEW more liberal | 2014-07-10 10:18:10 -07:00 |
| phame | Remove @group annotations | 2014-07-10 08:12:48 +10:00 |
| phid | Remove @group annotations | 2014-07-10 08:12:48 +10:00 |
| phlux | Remove all device = true from page construction | 2014-06-23 15:18:14 -07:00 |
| pholio | Remove @group annotations | 2014-07-10 08:12:48 +10:00 |
| phortune | Remove all device = true from page construction | 2014-06-23 15:18:14 -07:00 |
| phpast | Remove all device = true from page construction | 2014-06-23 15:18:14 -07:00 |
| phragment | Remove @group annotations | 2014-07-10 08:12:48 +10:00 |
| phrequent | Remove @group annotations | 2014-07-10 08:12:48 +10:00 |
| phriction | Remove @group annotations | 2014-07-10 08:12:48 +10:00 |
| policy | Add a "documents I've signed" view to Legalpad | 2014-06-28 16:37:15 -07:00 |
| ponder | Remove @group annotations | 2014-07-10 08:12:48 +10:00 |
| project | Fix some transaction issues when retitling projects | 2014-07-10 10:18:32 -07:00 |
| releeph | Remove @group annotations | 2014-07-10 08:12:48 +10:00 |
| remarkup/conduit | When a conduit method requires a string constant, call it "string-const" not "enum" | 2014-05-14 21:59:03 -07:00 |
| repository | set localpath in repository.create | 2014-07-09 15:35:25 -07:00 |
| search | switch from term query to match query | 2014-07-09 15:47:07 -07:00 |
| settings | Introduce CAN_EDIT for ExternalAccount, and make CAN_VIEW more liberal | 2014-07-10 10:18:10 -07:00 |
| slowvote | Remove @group annotations | 2014-07-10 08:12:48 +10:00 |
| subscriptions | Touch up Subscriber List Dialog | 2014-06-07 21:43:04 -07:00 |
| support/application | Whitelist allowed editor protocols | 2014-03-17 13:00:37 -07:00 |
| system | Substantially support character encodings and "Highlight As" in changesets | 2014-06-20 11:49:41 -07:00 |
| tokens | Remove all device = true from page construction | 2014-06-23 15:18:14 -07:00 |
| transactions | Support custom actions in Herald | 2014-07-02 14:29:46 +10:00 |
| typeahead | Make Legalpad documents have a little document icon in typeaheads | 2014-06-28 21:44:09 -07:00 |
| uiexample | Slimmer Shade Tags | 2014-06-26 14:19:32 -07:00 |
| xhprof | Change double quotes to single quotes. | 2014-06-09 11:36:50 -07:00 |