@recaptime-dev's working patches + fork for Phorge, a community fork of Phabricator. (Upstream dev and stable branches are at upstream/main and upstream/stable respectively.) hq.recaptime.dev/wiki/Phorge


Add some missing capability checks for repository mirror edits

Summary: Via HackerOne. These endpoints have insufficient policy checks.

Test Plan: Verified endpoints now check policies correctly.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Differential Revision: https://secure.phabricator.com/D10957

src/applications/diffusion/controller/DiffusionMirrorDeleteController.php
··· 19 19 $mirror = id(new PhabricatorRepositoryMirrorQuery()) 20 20 ->setViewer($viewer) 21 21 ->withIDs(array($this->id)) 22 + ->requireCapabilities( 23 + array( 24 + PhabricatorPolicyCapability::CAN_VIEW, 25 + PhabricatorPolicyCapability::CAN_EDIT, 26 + )) 22 27 ->executeOne(); 23 28 if (!$mirror) { 24 29 return new Aphront404Response();
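Review bot: the delete path now requires CAN_VIEW and CAN_EDIT on the mirror object only, whereas the edit controller in this same patch also calls PhabricatorPolicyFilter::requireCapability($viewer, $repository, PhabricatorPolicyCapability::CAN_EDIT) before loading the mirror; unless mirror policy is fully delegated to the parent repository, deleting a mirror should demand the same repository-level edit capability, so consider adding that same requireCapability() call here for consistency. Also note that once requireCapabilities() is attached to the query, a mirror the viewer may not edit is expected to surface as a policy exception raised from executeOne() rather than as a null result, so the `if (!$mirror) { return new Aphront404Response(); }` branch only covers a nonexistent ID; the test plan should confirm that an unauthorized viewer receives a policy error and not a 404.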
src/applications/diffusion/controller/DiffusionMirrorEditController.php
··· 16 16 $drequest = $this->diffusionRequest; 17 17 $repository = $drequest->getRepository(); 18 18 19 + PhabricatorPolicyFilter::requireCapability( 20 + $viewer, 21 + $repository, 22 + PhabricatorPolicyCapability::CAN_EDIT); 23 + 19 24 if ($this->id) { 20 25 $mirror = id(new PhabricatorRepositoryMirrorQuery()) 21 26 ->setViewer($viewer) 22 27 ->withIDs(array($this->id)) 28 + ->requireCapabilities( 29 + array( 30 + PhabricatorPolicyCapability::CAN_VIEW, 31 + PhabricatorPolicyCapability::CAN_EDIT, 32 + )) 23 33 ->executeOne(); 24 34 if (!$mirror) { 25 35 return new Aphront404Response();
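Review bot: the PhabricatorPolicyFilter::requireCapability() call at the top of the hunk checks CAN_EDIT against $drequest->getRepository(), but the mirror is then loaded by ID alone (`->withIDs(array($this->id))`) with nothing visible tying it to that repository, so a viewer who can edit one repository could reach this controller with a mirror ID belonging to a different repository and have the repository-level check pass against the wrong object; constrain the query to the current repository, or verify that the loaded mirror belongs to $repository before proceeding to edit it. Placing the repository check ahead of the `if ($this->id)` branch is right, since it is the only check that covers the create path where no mirror is queried at all.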