From 7f1914540f99baf81091577730173a41be8ecaa1 Mon Sep 17 00:00:00 2001
From: Bob Trahan
Date: Wed, 18 Feb 2015 11:37:30 -0800
Subject: [PATCH] Phortune - require high security sessions for subscription edits
Summary: Ref T7202.
Test Plan: Visited edit subscription page and it worked. Clicked edit link from subscription view page and got to the right place.
Reviewers: epriestley
Reviewed By: epriestley
Subscribers: Korvin, epriestley
Maniphest Tasks: T7202
Differential Revision: https://secure.phabricator.com/D11803
---
 .../controller/PhortuneSubscriptionEditController.php | 4 ++++
 .../controller/PhortuneSubscriptionViewController.php | 3 +--
 src/applications/phortune/storage/PhortuneSubscription.php | 7 +++++++
 3 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/src/applications/phortune/controller/PhortuneSubscriptionEditController.php b/src/applications/phortune/controller/PhortuneSubscriptionEditController.php
index d7f2ac23a3..e2615ebb1c 100644
--- a/src/applications/phortune/controller/PhortuneSubscriptionEditController.php
+++ b/src/applications/phortune/controller/PhortuneSubscriptionEditController.php
@@ -18,6 +18,10 @@ final class PhortuneSubscriptionEditController extends PhortuneController {
 return new Aphront404Response();
 }
+ id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
+ $viewer,
+ $request,
+ $this->getApplicationURI($subscription->getEditURI()));
 $merchant = $subscription->getMerchant();
 $account = $subscription->getAccount();
diff --git a/src/applications/phortune/controller/PhortuneSubscriptionViewController.php b/src/applications/phortune/controller/PhortuneSubscriptionViewController.php
index aab6b819e7..657ebc3282 100644
--- a/src/applications/phortune/controller/PhortuneSubscriptionViewController.php
+++ b/src/applications/phortune/controller/PhortuneSubscriptionViewController.php
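Review bot: The added call wraps `$subscription->getEditURI()` in `$this->getApplicationURI(...)`, but `getEditURI()` (third hunk of this patch) already returns a path rooted at `/phortune/`, whereas the edit-link code this patch replaces in PhortuneSubscriptionViewController passed an application-relative path; unless `getApplicationURI()` strips an application prefix that is already present, the resulting URI carries `/phortune/` twice. The same wrapping is introduced in the PhortuneSubscriptionViewController hunk; passing `$subscription->getEditURI()` unwrapped in both places would be consistent with the rooted path the sibling view-URI method builds. Separately, if the third argument is the cancel URI for the high-security prompt, pointing it at the edit page itself sends a user who cancels straight back into the same prompt; the subscription's view page is the more natural destination for a cancel. The enclosing method starts and ends outside this hunk.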
@@ -35,8 +35,7 @@ final class PhortuneSubscriptionViewController extends PhortuneController {
 ->setUser($viewer)
 ->setObjectURI($request->getRequestURI());
- $edit_uri = $this->getApplicationURI(
- "{$account_id}/subscription/edit/{$subscription_id}/");
+ $edit_uri = $this->getApplicationURI($subscription->getEditURI());
 $actions->addAction(
 id(new PhabricatorActionView())
diff --git a/src/applications/phortune/storage/PhortuneSubscription.php b/src/applications/phortune/storage/PhortuneSubscription.php
index 638ce85ba2..b18a8718f0 100644
--- a/src/applications/phortune/storage/PhortuneSubscription.php
+++ b/src/applications/phortune/storage/PhortuneSubscription.php
@@ -187,6 +187,13 @@ final class PhortuneSubscription extends PhortuneDAO
 return "/phortune/{$account_id}/subscription/view/{$id}/";
 }
+ public function getEditURI() {
+ $account_id = $this->getAccount()->getID();
+ $id = $this->getID();
+
+ return "/phortune/{$account_id}/subscription/edit/{$id}/";
+ }
+
 public function getMerchantURI() {
 $merchant_id = $this->getMerchant()->getID();
 $id = $this->getID();
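Review bot: `getEditURI()` repeats the `/phortune/{$account_id}/subscription/` prefix that the view-URI method directly above it builds the same way, so the two routes can now drift apart independently. A small private helper returning that prefix, with each public method appending only its own `view/{$id}/` or `edit/{$id}/` suffix, keeps the route layout in one place. Like its sibling it calls `$this->getAccount()`, which presumably requires the account to have been attached by the loading query; if so, a one-line comment such as `// Requires the account to be attached.` on both methods would make that precondition explicit for callers.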