
Fix a policy issue where permissions were not properly checked when disabling…

Description

Fix a policy issue where permissions were not properly checked when disabling global builtin queries

Summary: See https://hackerone.com/reports/1573143. The pathway for disabling global builtin queries is missing a policy check. Add it.

Test Plan:

  • Accessed the "/search/delete/id/.../" URI for a global builtin query as a non-administrator.
  • Before patch: could improperly disable queries.
  • After patch: proper policy exception.

Differential Revision: https://secure.phabricator.com/D21851

Details

Provenance
epriestley <git@epriestley.com> Authored on May 31 2022, 17:55
avivey Pushed on Tue, Jul 26, 15:02
avivey Pushed on Tue, Jul 26, 15:01
Parents
rP3052ed14849c: Remove obsolete, policy-violating "owners.query" API method
Branches
Unknown
Tags
Unknown
