Fix a CSRF issue with adding new email addresses

Authored by epriestley <git@epriestley.com> on Jun 30 2016, 17:22.

Description

Fix a CSRF issue with adding new email addresses

Summary:
The first dialog was being given the wrong user ($user, should be $viewer), leading to a CSRF issue.

(The CSRF token it generated was invalid in all validation contexts, so this wasn't a security problem or a way to capture CSRF tokens for other users.)

Use newDialog() instead.

(This seems completely unrelated to the vaguely-similar-looking issues we saw earlier this week.)

Test Plan:

  • Added a new email address.
  • Clicked "Done" on the last step.
  • Completed workflow instead of getting a CSRF error.

Reviewers: chad, tide

Reviewed By: tide

Differential Revision: https://secure.phabricator.com/D16200

Details

Committed: epriestley <git@epriestley.com>, Jun 30 2016, 17:35
Pushed: aubort, Jan 31 2017, 17:16
Parents: rPH922822bd2dc3: Wrap really long text properly in diffs
Branches: Unknown
Tags: Unknown

Event Timeline

epriestley <git@epriestley.com> committed rPH4f8d07594e2a: Fix a CSRF issue with adding new email addresses (authored by epriestley <git@epriestley.com>). Jun 30 2016, 17:35