archive/phabricator
1
0
Fork 0
Code Issues 1 Pull Requests Packages Projects Releases Wiki Activity
Files
71e1911dfcd7926c15d40a25a4c125312aeef7c5
phabricator/src/applications/metamta/controller/view/PhabricatorMetaMTAViewController.php
Evan Priestley 71e1911dfc Lock down MetaMTA functionality to administrators 
Summary:
We have a debug interface for sending various sorts of email, but normal users
don't really need to use it. In particular, they can:

  - Send arbitrary email to other users;
  - Discover other users' email addresses fairly easily (CC everyone);
  - Send arbitrary email to arbitrary addresses in conjunction with "Mailing
Lists"

In fact, normal users don't need to get to the MetaMTA web interface at all and
it has some somewhat-sensitive things beacuse it has a lot of detailed
information about mail. For instance, users can look at mail records to discover
things like password reset links and per-user object email addresses.

We should smooth out the UI here but I think I can do something about T21 fairly
soon and cover it then.

Test Plan:
Went to /mail/ with a non-admin, got 404'd. Went to /mail/ with an
admin, everything works, got a red admin header.

Reviewers: jungejason, btrahan

Reviewed By: btrahan

CC: aran, btrahan, jungejason

Maniphest Tasks: T718

Differential Revision: https://secure.phabricator.com/D1292
2011-12-30 14:37:13 -08:00

80 lines
2.3 KiB
PHP
Raw Blame History

<?php
/*
* Copyright 2011 Facebook, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
class PhabricatorMetaMTAViewController extends PhabricatorMetaMTAController {
private $id;
public function willProcessRequest(array $data) {
$this->id = $data['id'];
}
public function processRequest() {
$request = $this->getRequest();
$user = $request->getUser();
$mail = id(new PhabricatorMetaMTAMail())->load($this->id);
if (!$mail) {
return new Aphront404Response();
}
$status = PhabricatorMetaMTAMail::getReadableStatus($mail->getStatus());
$form = new AphrontFormView();
$form->setUser($request->getUser());
$form->setAction('/mail/send/');
$form
->appendChild(
id(new AphrontFormStaticControl())
->setLabel('Subject')
->setValue($mail->getSubject()))
->appendChild(
id(new AphrontFormStaticControl())
->setLabel('Created')
->setValue(phabricator_datetime($mail->getDateCreated(), $user)))
->appendChild(
id(new AphrontFormStaticControl())
->setLabel('Status')
->setValue($status))
->appendChild(
id(new AphrontFormStaticControl())
->setLabel('Message')
->setValue($mail->getMessage()))
->appendChild(
id(new AphrontFormStaticControl())
->setLabel('Related PHID')
->setValue($mail->getRelatedPHID()))
->appendChild(
id(new AphrontFormSubmitControl())
->addCancelButton('/mail/', 'Done'));
$panel = new AphrontPanelView();
$panel->setHeader('View Email');
$panel->appendChild($form);
$panel->setWidth(AphrontPanelView::WIDTH_WIDE);
return $this->buildStandardPageResponse(
$panel,
array(
'title' => 'View Mail',
));
}
}
Reference in New Issue View Git Blame Copy Permalink