@recaptime-dev's working patches + fork for Phorge, a community fork of Phabricator. (Upstream dev and stable branches are at upstream/main and upstream/stable respectively.)
hq.recaptime.dev/wiki/Phorge
phorge
phabricator
Require login for "Must Verify Email" controller
Summary:
Via HackerOne. This page fatals if accessed directly while logged out.
The "shouldRequireLogin()" check is wrong; this is a logged-in page.
Test Plan:
Viewed the page while logged out, no more fatal.
Faked my way through the actual verification flow.
Reviewers: chad
Reviewed By: chad
Differential Revision: https://secure.phabricator.com/D16077
-4
-4
src/applications/auth/controller/PhabricatorMustVerifyEmailController.php
-4
src/applications/auth/controller/PhabricatorMustVerifyEmailController.php
···
3
3
final class PhabricatorMustVerifyEmailController
4
4
extends PhabricatorAuthController {
5
5
6
-
public function shouldRequireLogin() {
7
-
return false;
8
-
}
9
-
10
6
public function shouldRequireEmailVerification() {
11
7
// NOTE: We don't technically need this since PhabricatorController forces
12
8
// us here in either case, but it's more consistent with intent.