Lock feed.public and feed.http-hooks config options
9dd0eca335d5
Actions

Authored by epriestley <git@epriestley.com> on Dec 29 2014, 17:04.

Description

Lock feed.public and feed.http-hooks config options

Summary:
Ref T6817. Ref T5726. These both bypass policy checks, and would allow an attacker who gains control of an administrative account to enable public feed, then view feed stories they could not normally see; or enable feed.http-hooks, then read the posted text.

In the longer term I'd like to remove feed.public completely (possibly providing API alternatives, if necessary).

Test Plan: Looked at options in web UI and saw them locked.

Reviewers: btrahan, chad

Reviewed By: chad

Subscribers: epriestley

Maniphest Tasks: T6817, T5726

Differential Revision: https://secure.phabricator.com/D11046

Details

Committed

epriestley <git@epriestley.com>

Dec 29 2014, 17:04

Pushed

aubort

Jan 31 2017, 17:16

Parents

rPH102e431feb01: Migrate Maniphest task blockers to modern EdgeType classes

Branches

Unknown

Tags

Unknown

Event Timeline

epriestley <git@epriestley.com> committed rPH9dd0eca335d5: Lock feed.public and feed.http-hooks config options (authored by epriestley <git@epriestley.com>).Dec 29 2014, 17:04

Changes (1)

				Path
	M			src/applications/feed/config/PhabricatorFeedConfigOptions.php

rPH9dd0eca335d5

View Options

src/applications/feed/config/PhabricatorFeedConfigOptions.php