
SECURITY: Move 'UserGetRights' call before application of Session…
160ce7dd0f59 · Unpublished

Authored by Anomie on Jul 7 2016, 9:24 PM.

Description

SECURITY: Move 'UserGetRights' call before application of Session::getAllowedUserRights()

This prevents hook functions from accidentally adding rights that should
be denied based on the session grants.

If some extension really needs to be able to override session grants,
add a new hook where the old call was, with documentation explicitly
warning about the security implications.

Bug: T139670
Change-Id: I6392cf4d7cc9d3ea96554b25bb5f8abb66e9031b
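
A simplified model of the ordering described in the commit message, added here as an example and not taken from this commit's code. `computeRights()`, its parameters and the sample hook are hypothetical: the hook list stands in for 'UserGetRights' handlers, and `$sessionAllowed` stands in for the result of Session::getAllowedUserRights().

```php
<?php
// Simplified model of the ordering issue; not the project's code.
// computeRights(), $groupRights, $sessionAllowed and $hooks are hypothetical names.
// Assumption of this model: $sessionAllowed === null means an unrestricted session.
function computeRights( array $groupRights, ?array $sessionAllowed, array $hooks, bool $hookFirst ): array {
	$rights = array_values( array_unique( $groupRights ) );

	$runHooks = function () use ( &$rights, $hooks ) {
		foreach ( $hooks as $hook ) {
			$hook( $rights ); // handlers may add or remove rights by reference
		}
	};
	$applyGrants = function () use ( &$rights, $sessionAllowed ) {
		if ( $sessionAllowed !== null ) {
			// Session grants act as a ceiling on the computed rights.
			$rights = array_values( array_intersect( $rights, $sessionAllowed ) );
		}
	};

	if ( $hookFirst ) {
		// Ordering after the fix: hooks run, then the session ceiling is applied.
		$runHooks();
		$applyGrants();
	} else {
		// Ordering before the fix: a hook can re-add a right the session denies.
		$applyGrants();
		$runHooks();
	}
	sort( $rights );
	return $rights;
}

// Constructed sample: a hook that grants 'delete' unconditionally, and a
// session whose grants allow only 'read' and 'edit'.
$hooks = [ function ( array &$rights ) { $rights[] = 'delete'; } ];
$groupRights = [ 'read', 'edit', 'move' ];
$sessionAllowed = [ 'read', 'edit' ];

$before = computeRights( $groupRights, $sessionAllowed, $hooks, false );
$after = computeRights( $groupRights, $sessionAllowed, $hooks, true );

echo 'hook after grants:  ', implode( ', ', $before ), "\n";
echo 'hook before grants: ', implode( ', ', $after ), "\n";

// With the fixed ordering, nothing outside the session grants may survive.
if ( array_diff( $after, $sessionAllowed ) ) {
	throw new RuntimeException( 'session grants were exceeded' );
}
```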