@recaptime-dev's working patches + fork for Phorge, a community fork of Phabricator. (Upstream dev and stable branches are at upstream/main and upstream/stable respectively.) hq.recaptime.dev/wiki/Phorge

Fix a policy issue where permissions were not properly checked when disabling global builtin queries

Summary: See <https://hackerone.com/reports/1573143>. The pathway for disabling global builtin queries is missing a policy check. Add it.

Test Plan:
- Accessed the "/search/delete/id/.../" URI for a global builtin query as a non-administrator.
- Before patch: could improperly disable queries.
- After patch: proper policy exception.

Differential Revision: https://secure.phabricator.com/D21851

src/applications/search/controller/PhabricatorSearchDeleteController.php
··· 42 42 } 43 43 44 44 $named_query = $engine->getBuiltinQuery($key); 45 + 46 + // After loading a global query, make sure the viewer actually has 47 + // permission to view and edit it. 48 + 49 + PhabricatorPolicyFilter::requireCapability( 50 + $viewer, 51 + $named_query, 52 + PhabricatorPolicyCapability::CAN_VIEW); 53 + 54 + PhabricatorPolicyFilter::requireCapability( 55 + $viewer, 56 + $named_query, 57 + PhabricatorPolicyCapability::CAN_EDIT); 45 58 } 46 59 47 60 $builtin = null;
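Review bot: the new requireCapability() calls pass $named_query straight through, and nothing in the visible context between `$named_query = $engine->getBuiltinQuery($key);` and the new block guards against getBuiltinQuery() returning null for a key that is not a known builtin; if the key is not validated earlier in the controller, handle the null case first (for example `return new Aphront404Response();`) so an unknown key fails as a clean 404 rather than as an error inside the policy filter. Checking CAN_VIEW before CAN_EDIT is the right order, since a viewer who cannot see the query then gets the same response whether or not they could edit it. The test plan is manual only; a unit test that drives the delete path as a non-administrator against a global builtin query and expects a policy exception would keep this missing check from regressing.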