
Prevent Repository local path edit from the web UI

Authored by epriestley <git@epriestley.com> on Nov 13 2013, 20:26.

Description

Prevent Repository local path edit from the web UI

Summary:
Ref T4039. This fixes an issue where a user with the ability to create repositories could view repositories he is otherwise not permitted to see, by following these steps:

  • Suppose you want to see repository "A".
  • Create a repository with the same VCS, called "B".
  • Edit the local path, changing "/var/repo/B" to "/var/repo/A".
  • Now it points at a working copy of a repository you can't see.
  • Although you won't be able to make it through discovery (the pull will fail with the wrong credentials), you can read some information out of the repository directly through the Diffusion UI, probably?

I'm not sure this was really practical to execute since there are a bunch of sanity checks along most/all of the major pathways, but lock it down since normal users shouldn't be editing it anyway. In the best case, this would make a mess.

Test Plan: {F81391}

Reviewers: btrahan

Reviewed By: btrahan

CC: aran

Maniphest Tasks: T4039

Differential Revision: https://secure.phabricator.com/D7580
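The policy this commit describes, as an added illustration that is not Phabricator's own code: a Python check (the callsigns, paths and the `REPOSITORIES` table are constructed sample data) that refuses any local-path change coming from the web UI and, for CLI edits, rejects a normalized path that collides with another repository's working copy; the extra rule that the path must stay under an assumed `REPO_ROOT` goes beyond what the commit states and is marked as an assumption.

```python
import posixpath

# Constructed sample data (not from a real install): repositories keyed by
# callsign, each owning one working-copy directory. Assumed root directory.
REPO_ROOT = "/var/repo"
REPOSITORIES = {
    "A": {"local_path": "/var/repo/A", "view_policy": "admins"},
    "B": {"local_path": "/var/repo/B", "view_policy": "users"},
}


def normalize(path):
    """Collapse '.', '..' and repeated separators so aliases of one directory
    compare equal ("/var/repo/B/../A" -> "/var/repo/A"). Symlinks are not
    resolved here; on a live filesystem use os.path.realpath as well."""
    return posixpath.normpath(path)


def local_path_edit_allowed(callsign, requested_path, source, repos=REPOSITORIES):
    """Decide whether `callsign` may have its local path changed to
    `requested_path`. Returns (allowed, reason).

    source is 'web' or 'cli'. As in the commit: the web UI may never change
    the path; the CLI may, subject to two checks below."""
    if source == "web":
        return False, "local path is not editable from the web UI"
    if source != "cli":
        return False, "unknown edit source"

    target = normalize(requested_path)

    # Assumption beyond the commit: keep working copies under REPO_ROOT so a
    # path such as "/var/repo/../etc" cannot be configured.
    root = normalize(REPO_ROOT) + "/"
    if not target.startswith(root):
        return False, "path escapes repository root"

    # The scenario from the commit: repository B must not be pointed at the
    # working copy already owned by repository A (whatever its view policy).
    for other, info in repos.items():
        if other != callsign and normalize(info["local_path"]) == target:
            return False, "path already owned by repository %s" % other

    return True, "ok"
```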

Details

Committed
epriestley <git@epriestley.com>, Nov 13 2013, 20:26
Pushed
aubort, Jan 31 2017, 17:16
Parents
rPHf5ca647d2c52: Add `bin/repository edit` for CLI repository editing
Branches
Unknown
Tags
Unknown

Event Timeline

epriestley <git@epriestley.com> committed rPH2dc8065d1143: Prevent Repository local path edit from the web UI (authored by epriestley <git@epriestley.com>). Nov 13 2013, 20:26