| commit | 698ada2470b18ae0b6ec579614b56b1bee395eba | |
| author | epriestley <git@epriestley.com> | |
| Mon, 9 May 2022 22:00:10 +0000 (9 15:00 -0700) | ||
| committer | epriestley <git@epriestley.com> | |
| Mon, 9 May 2022 22:10:50 +0000 (9 15:10 -0700) | ||
| tree | d236fbbfb37cda5a927c51922549fbd111613016 | treesnapshot (tar.gz zip) |
| parent | 01253d533bbca72e179b1efb64d97e4d91c988e4 | commitdiff |
Correct overbroad automatic capability grant of global settings objects
Summary:
Ref T13679. In D16983, global settings objects were given an exception to let logged-out users see them, even on installs with no "public" user role.
This exception is too broad and grants everyone all capabilities, not just "CAN_VIEW". In particular, it incorrectly grants "CAN_EDIT", so any user can edit global settings defaults.
Restrict this grant to "CAN_VIEW".
Test Plan:
- As a non-administrator, tried to edit global settings.
- Before: could.
- After: could not.
Maniphest Tasks: T13679
Differential Revision: https://secure.phabricator.com/D21811
Summary:
Ref T13679. In D16983, global settings objects were given an exception to let logged-out users see them, even on installs with no "public" user role.
This exception is too broad and grants everyone all capabilities, not just "CAN_VIEW". In particular, it incorrectly grants "CAN_EDIT", so any user can edit global settings defaults.
Restrict this grant to "CAN_VIEW".
Test Plan:
- As a non-administrator, tried to edit global settings.
- Before: could.
- After: could not.
Maniphest Tasks: T13679
Differential Revision: https://secure.phabricator.com/D21811
| src/applications/settings/storage/PhabricatorUserPreferences.php | diffblobblamehistory |