From 0c7ea8c94215eadae8d6082384709bf1988039e2 Mon Sep 17 00:00:00 2001
From: epriestley <git@epriestley.com>
Date: Thu, 12 Sep 2019 08:53:14 -0700
Subject: [PATCH] When users fail a "CAN_SEE" check, give them an "opaque"
 policy explanation

Summary:
Ref T13411. Currently, if you hit a policy exception because you can't view an object, we disclose details about the view policy of the object, particularly which project's members can see the object for project policies.

Although there's a large amount of grey area here, this feels like a more substantial disclosure than we offer in other contexts. Instead, if you encounter a policy exception while testing "CAN_VIEW" or don't have "CAN_VIEW", present an "opaque" explanation which omits details that viewers who can't view the object shouldn't have access to. Today, this is the name of "Project" policies (and, implicitly, the rulesets of custom policies, which we now disclose in other similar contexts).

Test Plan:
  - Hit policy exceptions for "CAN_VIEW" on an object with a project view policy, saw an opaque explanation.
  - Hit policy exceptions for "CAN_EDIT" on an object with a project edit policy and a view policy I satisfied, saw a more detailed explanation.

Maniphest Tasks: T13411

Differential Revision: https://secure.phabricator.com/D20806
---
 .../policy/filter/PhabricatorPolicyFilter.php | 28 +++++++++++++++++--
 .../policy/storage/PhabricatorPolicy.php      | 23 ++++++++++++++-
 2 files changed, 48 insertions(+), 3 deletions(-)

diff --git a/src/applications/policy/filter/PhabricatorPolicyFilter.php b/src/applications/policy/filter/PhabricatorPolicyFilter.php
index 4ea7ce1549..63f3f98cec 100644
--- a/src/applications/policy/filter/PhabricatorPolicyFilter.php
+++ b/src/applications/policy/filter/PhabricatorPolicyFilter.php
@@ -602,12 +602,13 @@ final class PhabricatorPolicyFilter extends Phobject {
     PhabricatorPolicyInterface $object,
     $policy,
     $capability) {
+    $viewer = $this->viewer;
 
     if (!$this->raisePolicyExceptions) {
       return;
     }
 
-    if ($this->viewer->isOmnipotent()) {
+    if ($viewer->isOmnipotent()) {
       // Never raise policy exceptions for the omnipotent viewer. Although we
       // will never normally issue a policy rejection for the omnipotent
       // viewer, we can end up here when queries blanket reject objects that
@@ -634,7 +635,30 @@ final class PhabricatorPolicyFilter extends Phobject {
         $capability);
     }
 
-    $more = PhabricatorPolicy::getPolicyExplanation($this->viewer, $policy);
+    // See T13411. If you receive a policy exception because you can't view
+    // an object, we also want to avoid disclosing too many details about the
+    // actual policy (for example, the names of projects in the policy).
+
+    // If you failed a "CAN_VIEW" check, or failed some other check and don't
+    // have "CAN_VIEW" on the object, we give you an "opaque" explanation.
+    // Otherwise, we give you a more detailed explanation.
+
+    $view_capability = PhabricatorPolicyCapability::CAN_VIEW;
+    if ($capability === $view_capability) {
+      $show_details = false;
+    } else {
+      $show_details = self::hasCapability(
+        $viewer,
+        $object,
+        $view_capability);
+    }
+
+    if ($show_details) {
+      $more = PhabricatorPolicy::getPolicyExplanation($viewer, $policy);
+    } else {
+      $more = PhabricatorPolicy::getOpaquePolicyExplanation($viewer, $policy);
+    }
+
     $more = (array)$more;
     $more = array_filter($more);
 
diff --git a/src/applications/policy/storage/PhabricatorPolicy.php b/src/applications/policy/storage/PhabricatorPolicy.php
index 82d4f355bc..66a7d9e3be 100644
--- a/src/applications/policy/storage/PhabricatorPolicy.php
+++ b/src/applications/policy/storage/PhabricatorPolicy.php
@@ -220,6 +220,25 @@ final class PhabricatorPolicy
     PhabricatorUser $viewer,
     $policy) {
 
+    $type = phid_get_type($policy);
+    if ($type === PhabricatorProjectProjectPHIDType::TYPECONST) {
+      $handle = id(new PhabricatorHandleQuery())
+        ->setViewer($viewer)
+        ->withPHIDs(array($policy))
+        ->executeOne();
+
+      return pht(
+        'Members of the project "%s" can take this action.',
+        $handle->getFullName());
+    }
+
+    return self::getOpaquePolicyExplanation($viewer, $policy);
+  }
+
+  public static function getOpaquePolicyExplanation(
+    PhabricatorUser $viewer,
+    $policy) {
+
     $rule = PhabricatorPolicyQuery::getObjectPolicyRule($policy);
     if ($rule) {
       return $rule->getPolicyExplanation();
@@ -245,7 +264,9 @@ final class PhabricatorPolicy
         $type = phid_get_type($policy);
         if ($type == PhabricatorProjectProjectPHIDType::TYPECONST) {
           return pht(
-            'Members of the project "%s" can take this action.',
+            'Members of a particular project can take this action. (You '.
+            'can not see this object, so the name of this project is '.
+            'restricted.)',
             $handle->getFullName());
         } else if ($type == PhabricatorPeopleUserPHIDType::TYPECONST) {
           return pht(