Phortune - require high security sessions for subscription edits
Summary: Ref T7202. Test Plan: Visited edit subscription page and it worked. Clicked edit link from subscription view page and got to the right place. Reviewers: epriestley Reviewed By: epriestley Subscribers: Korvin, epriestley Maniphest Tasks: T7202 Differential Revision: https://secure.phabricator.com/D11803
		| @@ -18,6 +18,10 @@ final class PhortuneSubscriptionEditController extends PhortuneController { | |||||||
|       return new Aphront404Response(); |       return new Aphront404Response(); | ||||||
|     } |     } | ||||||
|  |  | ||||||
|  |     id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession( | ||||||
|  |       $viewer, | ||||||
|  |       $request, | ||||||
|  |       $this->getApplicationURI($subscription->getEditURI())); | ||||||
|     $merchant = $subscription->getMerchant(); |     $merchant = $subscription->getMerchant(); | ||||||
|     $account = $subscription->getAccount(); |     $account = $subscription->getAccount(); | ||||||
|  |  | ||||||
|   | |||||||
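Review bot: The third argument to `requireHighSecuritySession()` appears to be the URI the viewer is sent to when they cancel the prompt, and here it is the edit page itself, which is the page that demands the high security session. Cancelling would presumably land the viewer straight back on the same prompt; the subscription's view URI looks like the more natural cancel target. Separately, `getEditURI()` already returns a path that begins with `/phortune/`, whereas the line removed from PhortuneSubscriptionViewController passed an application-relative path to `getApplicationURI()`. If that helper prepends the application base, both this call and the new `$edit_uri` line in the view controller would yield a doubled prefix, so the value should be used unwrapped, e.g. `$edit_uri = $subscription->getEditURI();`. The controller method's body begins and ends outside the hunk.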
| @@ -35,8 +35,7 @@ final class PhortuneSubscriptionViewController extends PhortuneController { | |||||||
|       ->setUser($viewer) |       ->setUser($viewer) | ||||||
|       ->setObjectURI($request->getRequestURI()); |       ->setObjectURI($request->getRequestURI()); | ||||||
|  |  | ||||||
|     $edit_uri = $this->getApplicationURI( |     $edit_uri = $this->getApplicationURI($subscription->getEditURI()); | ||||||
|       "{$account_id}/subscription/edit/{$subscription_id}/"); |  | ||||||
|  |  | ||||||
|     $actions->addAction( |     $actions->addAction( | ||||||
|       id(new PhabricatorActionView()) |       id(new PhabricatorActionView()) | ||||||
|   | |||||||
| @@ -187,6 +187,13 @@ final class PhortuneSubscription extends PhortuneDAO | |||||||
|     return "/phortune/{$account_id}/subscription/view/{$id}/"; |     return "/phortune/{$account_id}/subscription/view/{$id}/"; | ||||||
|   } |   } | ||||||
|  |  | ||||||
|  |   public function getEditURI() { | ||||||
|  |     $account_id = $this->getAccount()->getID(); | ||||||
|  |     $id = $this->getID(); | ||||||
|  |  | ||||||
|  |     return "/phortune/{$account_id}/subscription/edit/{$id}/"; | ||||||
|  |   } | ||||||
|  |  | ||||||
|   public function getMerchantURI() { |   public function getMerchantURI() { | ||||||
|     $merchant_id = $this->getMerchant()->getID(); |     $merchant_id = $this->getMerchant()->getID(); | ||||||
|     $id = $this->getID(); |     $id = $this->getID(); | ||||||
|   | |||||||
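Review bot: The new `getEditURI()` has no comment saying that its return value is a full path rooted at `/phortune/` rather than an application-relative one, which is exactly what its callers need to know before wrapping it. I would add a short docblock such as `/** Returns the site-absolute path to this subscription's edit page; do not pass it through getApplicationURI(). */`. It also dereferences `$this->getAccount()` directly, so the docblock could note that the account must already be attached to the subscription; whether `getAccount()` enforces that is not visible in this hunk.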
	 Bob Trahan
					Bob Trahan