@recaptime-dev's working patches + fork for Phorge, a community fork of Phabricator. (Upstream dev and stable branches are at upstream/main and upstream/stable respectively.)
hq.recaptime.dev/wiki/Phorge
phorge
phabricator
Fix policy behavior of "slowvote.info" API method
Summary: Ref T13350. This ancient API method is missing modern policy checks.
Test Plan:
- Set visibility of vote X to "Only: epriestley".
- Called "slowvote.info" as another user.
- Before: retrieved poll title and author.
- After: policy error.
- Called "slowvote.info" on a visible poll, got information before and after.
Maniphest Tasks: T13350
Differential Revision: https://secure.phabricator.com/D20684
+7
-1
+7
-1
src/applications/slowvote/conduit/SlowvoteInfoConduitAPIMethod.php
+7
-1
src/applications/slowvote/conduit/SlowvoteInfoConduitAPIMethod.php
···
27
27
}
28
28
29
29
protected function execute(ConduitAPIRequest $request) {
30
+
$viewer = $this->getViewer();
31
+
30
32
$poll_id = $request->getValue('poll_id');
31
-
$poll = id(new PhabricatorSlowvotePoll())->load($poll_id);
33
+
34
+
$poll = id(new PhabricatorSlowvoteQuery())
35
+
->setViewer($viewer)
36
+
->withIDs(array($poll_id))
37
+
->executeOne();
32
38
if (!$poll) {
33
39
throw new ConduitException('ERR_BAD_POLL');
34
40
}