Homestyx hydra
Diffusion hydra 944b257d5df3

Fix a policy issue where permissions were not properly checked when disabling…
944b257d5df3
Actions

Description

Fix a policy issue where permissions were not properly checked when disabling global builtin queries

Summary: See https://hackerone.com/reports/1573143. The pathway for disabling global builtin queries is missing a policy check. Add it.

Test Plan:

  • Accessed the "/search/delete/id/.../" URI for a global builtin query as a non-administrator.
  • Before patch: could improperly disable queries. -After patch: proper policy exception.

Differential Revision: https://secure.phabricator.com/D21851

Details

Provenance
epriestleyAuthored on May 31 2022, 1:55 PM
sirocylPushed on Oct 16 2024, 5:49 AM
Parents
R1:3052ed14849c: Remove obsolete, policy-violating "owners.query" API method
Branches
Unknown
Tags
Unknown

Event Timeline

Changes (1)

PathSize
src/
applications/
search/
controller/

R1:944b257d5df3

View Options

src/applications/search/controller/PhabricatorSearchDeleteController.php

Loading...
styx copyright 2020 sirocyl / ellie (kymkdd) / ncommander / styx contributors
Use of other names and brands is not intended to reflect a claim of, or right to, use the name or brand.
styx is an operating system using the Linux kernel and components, and "styx Linux" as a phrase does not reflect the inclusion of the Linux brand or trademark in the styx project.
Linux® is the registered trademark of Linus Torvalds in the U.S. and other countries.
Terms and Conditions (TODO: fix this!)