@recaptime-dev's working patches + fork for Phorge, a community fork of Phabricator. (Upstream dev and stable branches are at upstream/main and upstream/stable respectively.) hq.recaptime.dev/wiki/Phorge

Correct overbroad automatic capability grant of global settings objects

Summary:
Ref T13679. In D16983, global settings objects were given an exception to let logged-out users see them, even on installs with no "public" user role.

This exception is too broad and grants everyone all capabilities, not just "CAN_VIEW". In particular, it incorrectly grants "CAN_EDIT", so any user can edit global settings defaults.

Restrict this grant to "CAN_VIEW".

Test Plan:
- As a non-administrator, tried to edit global settings.
- Before: could.
- After: could not.

Maniphest Tasks: T13679

Differential Revision: https://secure.phabricator.com/D21811

+9 -5
src/applications/settings/storage/PhabricatorUserPreferences.php
··· 219 219 } 220 220 } 221 221 222 - switch ($this->getBuiltinKey()) { 223 - case self::BUILTIN_GLOBAL_DEFAULT: 224 - // NOTE: Without this policy exception, the logged-out viewer can not 225 - // see global preferences. 226 - return true; 222 + $builtin_key = $this->getBuiltinKey(); 223 + 224 + $is_global = ($builtin_key === self::BUILTIN_GLOBAL_DEFAULT); 225 + $is_view = ($capability === PhabricatorPolicyCapability::CAN_VIEW); 226 + 227 + if ($is_global && $is_view) { 228 + // NOTE: Without this policy exception, the logged-out viewer can not 229 + // see global preferences. 230 + return true; 227 231 } 228 232 229 233 return false;
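Review bot: the NOTE comment kept at new lines 228-229 still only explains why the exception exists, not why it is now limited to CAN_VIEW; since the previous comment described the exception without stating its intended scope, and that is exactly how the overbroad grant slipped through, consider extending it to something like "Only CAN_VIEW is granted here; editing global defaults must go through the normal policy check." so the next reader does not re-widen the condition. Minor: "can not" in that comment reads better as "cannot".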