
Require application "Can Use" capability to call Conduit methods

Summary: Ref T603. If you don't have access to an application, prevent execution of its (authenticated) methods.

Test Plan: Restricted Tokens to only admins, then tried to view/call Token methods as a non-admin.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran

Maniphest Tasks: T603

Differential Revision: https://secure.phabricator.com/D7342

+42 -9
+27 -4
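--- a/src/applications/conduit/call/ConduitCall.php
+++ b/src/applications/conduit/call/ConduitCall.php
@@ -79,12 +79,35 @@
   }
 
   public function execute() {
-    if (!$this->getUser()) {
-      if ($this->shouldRequireAuthentication()) {
+    $user = $this->getUser();
+    if (!$user) {
+      $user = new PhabricatorUser();
+    }
+
+    $this->request->setUser($user);
+
+    if ($this->shouldRequireAuthentication()) {
+      if (!$user->isLoggedIn()) {
         throw new ConduitException("ERR-INVALID-AUTH");
       }
-    } else {
-      $this->request->setUser($this->getUser());
+
+      // TODO: This would be slightly cleaner by just using a Query, but the
+      // Conduit auth workflow requires the Call and User be built separately.
+      // Just do it this way for the moment.
+      $application = $this->handler->getApplication();
+      if ($application) {
+        $can_view = PhabricatorPolicyFilter::hasCapability(
+          $user,
+          $application,
+          PhabricatorPolicyCapability::CAN_VIEW);
+
+        if (!$can_view) {
+          throw new ConduitException(
+            pht(
+              "You do not have access to the application which provides this ".
+              "API method."));
+        }
+      }
     }
 
     if (!$this->shouldForceLocal() && $this->servers) {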
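Review bot: The application access check (new lines 97-110) sits inside the `shouldRequireAuthentication()` branch, so a method of a restricted application that does not require authentication is still callable by anyone; the commit description scopes this to "(authenticated) methods", but nothing in the code records that boundary, and a comment above new line 89 such as `// Application access is only enforced for authenticated methods (T603).` would make it explicit for the next reader. Separately, the new exception at lines 105-108 is thrown with a translated sentence where the sibling at line 91 uses the machine-readable code `"ERR-INVALID-AUTH"`; API clients that dispatch on the error code cannot distinguish this denial, and the value will change with the server locale, so a stable `ERR-`-style code with the human text carried separately (if ConduitException supports a detail message) would be more consistent. The body of execute() continues past the end of the hunk.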
+15 -5
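--- a/src/applications/conduit/method/ConduitAPIMethod.php
+++ b/src/applications/conduit/method/ConduitAPIMethod.php
@@ -177,14 +177,24 @@
   }
 
   public function getPolicy($capability) {
-    return PhabricatorPolicies::POLICY_USER;
+    // Application methods get application visibility; other methods get open
+    // visibility.
+
+    $application = $this->getApplication();
+    if ($application) {
+      return $application->getPolicy($capability);
+    }
+
+    return PhabricatorPolicies::getMostOpenPolicy();
   }
 
   public function hasAutomaticCapability($capability, PhabricatorUser $viewer) {
-    // The policy interface on Conduit calls is currently just to let us hook
-    // into ApplicationSearch. Calls are always visible (even to logged out
-    // users).
-    return true;
+    if (!$this->shouldRequireAuthentication()) {
+      // Make unauthenticated methods univerally visible.
+      return true;
+    }
+
+    return false;
   }
 
   public function describeAutomaticCapability($capability) {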
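Review bot: The new comment at line 193 has a typo, `univerally` → `universally`, and the removed explanation of why Conduit methods implement the policy interface at all (hooking into ApplicationSearch) was dropped rather than updated, so the `return false` at line 197 now reads as an unexplained change. A short comment before it, e.g. `// Authenticated methods fall back to getPolicy(), i.e. the owning application's view policy when there is one.`, would state the intent the hunk appears to implement without the reader having to cross-reference getPolicy(). describeAutomaticCapability() begins on the last line of the hunk and continues outside it.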