Fix a policy issue where permissions were not properly checked when disabling global builtin queries
ClosedPublic
Actions

Authored by epriestley on May 31 2022, 5:59 PM.

Details

Reviewers: None
Commits: rP944b257d5df3: Fix a policy issue where permissions were not properly checked when disabling…

Summary

See https://hackerone.com/reports/1573143. The pathway for disabling global builtin queries is missing a policy check. Add it.

Test Plan

Accessed the "/search/delete/id/.../" URI for a global builtin query as a non-administrator.
Before patch: could improperly disable queries. -After patch: proper policy exception.

Repository

rP Phabricator

Lint

Lint Not Applicable

Unit

Tests Not Applicable

epriestley requested review of this revision.May 31 2022, 5:59 PM

epriestley created this revision.

This revision was not accepted when it landed; it landed in state Needs Review.May 31 2022, 6:00 PM

This revision was automatically updated to reflect the committed changes.

Path

Size

src/

applications/

search/

controller/

13 lines