1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-12-30 09:20:58 +01:00

Make most file reads policy-aware

Summary: Ref T603. Swaps out most `PhabricatorFile` loads for `PhabricatorFileQuery`.

Test Plan:
  - Viewed Differential changesets.
  - Used `file.info`.
  - Used `file.download`.
  - Viewed a file.
  - Deleted a file.
  - Used `/Fnnnn` to access a file.
  - Uploaded an image, verified a thumbnail generated.
  - Created and edited a macro.
  - Added a meme.
  - Did old-school attach-a-file-to-a-task.
  - Viewed a paste.
  - Viewed a mock.
  - Embedded a mock.
  - Profiled a page.
  - Parsed a commit with image files linked to a revision with image files.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran

Maniphest Tasks: T603

Differential Revision: https://secure.phabricator.com/D7178
This commit is contained in:
epriestley 2013-09-30 09:38:13 -07:00
parent 4b39cc321b
commit 13dae05193
28 changed files with 124 additions and 67 deletions

View file

@ -296,6 +296,8 @@ final class DifferentialChangesetViewController extends DifferentialController {
DifferentialChangeset $changeset,
$is_new) {
$viewer = $this->getRequest()->getUser();
if ($is_new) {
$key = 'raw:new:phid';
} else {
@ -307,9 +309,13 @@ final class DifferentialChangesetViewController extends DifferentialController {
$file = null;
$phid = idx($metadata, $key);
if ($phid) {
$file = id(new PhabricatorFile())->loadOneWhere(
'phid = %s',
$phid);
$file = id(new PhabricatorFileQuery())
->setViewer($viewer)
->withPHIDs(array($phid))
->execute();
if ($file) {
$file = head($file);
}
}
if (!$file) {

View file

@ -887,6 +887,7 @@ final class DifferentialRevisionViewController extends DifferentialController {
* @return mixed (@{class:PhabricatorFile} if found, null if not)
*/
public function loadFileByPHID($phid) {
// TODO: (T603) Factor this and the other one out.
$file = id(new PhabricatorFile())->loadOneWhere(
'phid = %s',
$phid);

View file

@ -104,6 +104,7 @@ abstract class DifferentialReviewRequestMail extends DifferentialMail {
}
public function loadFileByPHID($phid) {
// TODO: (T603) Factor this and the other one out.
$file = id(new PhabricatorFile())->loadOneWhere(
'phid = %s',
$phid);

View file

@ -851,6 +851,7 @@ final class DifferentialChangesetParser {
$file_phids[] = $new_phid;
}
// TODO: (T603) Probably fine to use omnipotent viewer here?
$files = id(new PhabricatorFile())->loadAllWhere(
'phid IN (%Ls)',
$file_phids);

View file

@ -29,9 +29,10 @@ final class ConduitAPI_file_download_Method
protected function execute(ConduitAPIRequest $request) {
$phid = $request->getValue('phid');
$file = id(new PhabricatorFile())->loadOneWhere(
'phid = %s',
$phid);
$file = id(new PhabricatorFileQuery())
->setViewer($request->getUser())
->withPHIDs(array($phid))
->executeOne();
if (!$file) {
throw new ConduitException('ERR-BAD-PHID');
}

View file

@ -30,14 +30,16 @@ final class ConduitAPI_file_info_Method extends ConduitAPI_file_Method {
$phid = $request->getValue('phid');
$id = $request->getValue('id');
$query = id(new PhabricatorFileQuery())
->setViewer($request->getUser());
if ($id) {
$file = id(new PhabricatorFile())->load($id);
$query->withIDs(array($id));
} else {
$file = id(new PhabricatorFile())->loadOneWhere(
'phid = %s',
$phid);
$query->withPHIDs(array($phid));
}
$file = $query->executeOne();
if (!$file) {
throw new ConduitException('ERR-NOT-FOUND');
}

View file

@ -25,9 +25,10 @@ final class PhabricatorFileDataController extends PhabricatorFileController {
->setURI($uri->setPath($request->getPath()));
}
$file = id(new PhabricatorFile())->loadOneWhere(
'phid = %s',
$this->phid);
$file = id(new PhabricatorFileQuery())
->setViewer($request->getUser())
->withPHIDs(array($this->phid))
->executeOne();
if (!$file) {
return new Aphront404Response();
}

View file

@ -9,13 +9,18 @@ final class PhabricatorFileDeleteController extends PhabricatorFileController {
}
public function processRequest() {
$request = $this->getRequest();
$user = $request->getUser();
$file = id(new PhabricatorFile())->loadOneWhere(
'id = %d',
$this->id);
$file = id(new PhabricatorFileQuery())
->setViewer($user)
->withIDs(array($this->id))
->requireCapabilities(
array(
PhabricatorPolicyCapability::CAN_VIEW,
PhabricatorPolicyCapability::CAN_EDIT,
))
->executeOne();
if (!$file) {
return new Aphront404Response();
}

View file

@ -10,10 +10,14 @@ final class PhabricatorFileShortcutController
}
public function processRequest() {
$file = id(new PhabricatorFile())->load($this->id);
$file = id(new PhabricatorFileQuery())
->setViewer($this->getRequest()->getUser())
->withIDs(array($this->id))
->executeOne();
if (!$file) {
return new Aphront404Response();
}
return id(new AphrontRedirectResponse())->setURI($file->getBestURI());
}

View file

@ -18,8 +18,12 @@ final class PhabricatorFileTransformController
}
public function processRequest() {
$viewer = $this->getRequest()->getUser();
$file = id(new PhabricatorFile())->loadOneWhere('phid = %s', $this->phid);
$file = id(new PhabricatorFileQuery())
->setViewer($viewer)
->withPHIDs(array($this->phid))
->executeOne();
if (!$file) {
return new Aphront404Response();
}
@ -125,20 +129,17 @@ final class PhabricatorFileTransformController
private function buildTransformedFileResponse(
PhabricatorTransformedFile $xform) {
$file = id(new PhabricatorFile())->loadOneWhere(
'phid = %s',
$xform->getTransformedPHID());
if ($file) {
$uri = $file->getBestURI();
} else {
$bad_phid = $xform->getTransformedPHID();
throw new Exception(
"Unable to load file with phid {$bad_phid}."
);
$file = id(new PhabricatorFileQuery())
->setViewer($this->getRequest()->getUser())
->withPHIDs(array($xform->getTransformedPHID()))
->executeOne();
if (!$file) {
return new Aphront404Response();
}
// TODO: We could just delegate to the file view controller instead,
// which would save the client a roundtrip, but is slightly more complex.
$uri = $file->getBestURI();
return id(new AphrontRedirectResponse())->setURI($uri);
}

View file

@ -19,6 +19,8 @@ abstract class PhabricatorFilesManagementWorkflow
if ($args->getArg('names')) {
$iterator = array();
// TODO: (T603) Convert this to ObjectNameQuery.
foreach ($args->getArg('names') as $name) {
$name = trim($name);

View file

@ -21,6 +21,8 @@ final class PhabricatorRemarkupRuleEmbedFile
$file = null;
if ($matches[1]) {
// TODO: This is pretty inefficient if there are a bunch of files.
// TODO: (T603) This isn't policy-aware and should be extending
// PhabricatorRemarkupRuleObject.
$file = id(new PhabricatorFile())->load($matches[1]);
}

View file

@ -828,6 +828,7 @@ final class PhabricatorFile extends PhabricatorFileDAO
public function getCapabilities() {
return array(
PhabricatorPolicyCapability::CAN_VIEW,
PhabricatorPolicyCapability::CAN_EDIT,
);
}

View file

@ -82,9 +82,10 @@ final class PhabricatorMacroEditController
$errors[] = pht('Could not fetch URL: %s', $ex->getMessage());
}
} else if ($request->getStr('phid')) {
$file = id(new PhabricatorFile())->loadOneWhere(
'phid = %s',
$request->getStr('phid'));
$file = id(new PhabricatorFileQuery())
->setViewer($user)
->withPHIDs(array($request->getStr('phid')))
->executeOne();
}
if ($file) {

View file

@ -38,10 +38,15 @@ final class PhabricatorMacroMemeController
$file->getPHID(), $hash);
if ($xform) {
$memefile = id(new PhabricatorFile())->loadOneWhere(
'phid = %s', $xform->getTransformedPHID());
$memefile = id(new PhabricatorFileQuery())
->setViewer($user)
->withPHIDs(array($xform->getTransformedPHID()))
->executeOne();
if ($memefile) {
return $memefile->getBestURI();
}
}
$unguarded = AphrontWriteGuard::beginScopedUnguardedWrites();
$transformers = (new PhabricatorImageTransformer());
$newfile = $transformers

View file

@ -611,9 +611,12 @@ final class ManiphestTaskDetailController extends ManiphestController {
if ($file_infos) {
$file_phids = array_keys($file_infos);
$files = id(new PhabricatorFile())->loadAllWhere(
'phid IN (%Ls)',
$file_phids);
// TODO: These should probably be handles or something; clean this up
// as we sort out file attachments.
$files = id(new PhabricatorFileQuery())
->setViewer($viewer)
->withPHIDs($file_phids)
->execute();
$file_view = new PhabricatorFileLinkListView();
$file_view->setFiles($files);

View file

@ -72,9 +72,10 @@ final class ManiphestTaskEditController extends ManiphestController {
}
if ($file_phids) {
$files = id(new PhabricatorFile())->loadAllWhere(
'phid IN (%Ls)',
$file_phids);
$files = id(new PhabricatorFileQuery())
->setViewer($user)
->withPHIDs($file_phids)
->execute();
}
$template_id = $request->getInt('template');

View file

@ -33,9 +33,10 @@ final class ManiphestTransactionSaveController extends ManiphestController {
// Look for drag-and-drop uploads first.
$file_phids = $request->getArr('files');
if ($file_phids) {
$files = id(new PhabricatorFile())->loadAllWhere(
'phid in (%Ls)',
$file_phids);
$files = id(new PhabricatorFileQuery())
->setViewer($user)
->withPHIDs(array($file_phids))
->execute();
}
// This means "attach a file" even though we store other types of data

View file

@ -315,6 +315,7 @@ EOBODY;
return $body;
}
// TODO: (T603) What's the policy here?
$files = id(new PhabricatorFile())
->loadAllWhere('phid in (%Ls)', $attachments);

View file

@ -44,9 +44,10 @@ final class PhabricatorPasteViewController extends PhabricatorPasteController {
return new Aphront404Response();
}
$file = id(new PhabricatorFile())->loadOneWhere(
'phid = %s',
$paste->getFilePHID());
$file = id(new PhabricatorFileQuery())
->setViewer($user)
->withPHIDs(array($paste->getFilePHID()))
->executeOne();
if (!$file) {
return new Aphront400Response();
}

View file

@ -162,9 +162,10 @@ final class PhabricatorPasteQuery
private function loadRawContent(array $pastes) {
$file_phids = mpull($pastes, 'getFilePHID');
$files = id(new PhabricatorFile())->loadAllWhere(
'phid IN (%Ls)',
$file_phids);
$files = id(new PhabricatorFileQuery())
->setViewer($this->getViewer())
->withPHIDs($file_phids)
->execute();
$files = mpull($files, null, 'getPHID');
foreach ($pastes as $key => $paste) {

View file

@ -746,6 +746,8 @@ EOBODY;
$src_phid = $this->getProfileImagePHID();
if ($src_phid) {
// TODO: (T603) Can we get rid of this entirely and move it to
// PeopleQuery with attach/attachable?
$file = id(new PhabricatorFile())->loadOneWhere('phid = %s', $src_phid);
if ($file) {
$this->profileImage = $file->getBestURI();

View file

@ -34,9 +34,14 @@ final class PholioInlineThumbController extends PholioController {
return new Aphront404Response();
}
$file = id(new PhabricatorFile())->loadOneWhere(
'phid = %s',
$image->getFilePHID());
$file = id(new PhabricatorFileQuery())
->setViewer($user)
->witHPHIDs(array($image->getFilePHID()))
->executeOne();
if (!$file) {
return new Aphront404Response();
}
return id(new AphrontRedirectResponse())->setURI($file->getThumb60x45URI());
}

View file

@ -104,9 +104,12 @@ final class PholioImageQuery
assert_instances_of($images, 'PholioImage');
$file_phids = mpull($images, 'getFilePHID');
$all_files = mpull(id(new PhabricatorFile())->loadAllWhere(
'phid IN (%Ls)',
$file_phids), null, 'getPHID');
$all_files = id(new PhabricatorFileQuery())
->setViewer($this->getViewer())
->withPHIDs($file_phids)
->execute();
$all_files = mpull($all_files, null, 'getPHID');
if ($this->needInlineComments) {
$all_inline_comments = id(new PholioTransactionComment())

View file

@ -132,9 +132,12 @@ final class PholioMockQuery
private function loadCoverFiles(array $mocks) {
assert_instances_of($mocks, 'PholioMock');
$cover_file_phids = mpull($mocks, 'getCoverPHID');
$cover_files = mpull(id(new PhabricatorFile())->loadAllWhere(
'phid IN (%Ls)',
$cover_file_phids), null, 'getPHID');
$cover_files = id(new PhabricatorFileQuery())
->setViewer($this->getViewer())
->withPHIDs($cover_file_phids)
->execute();
$cover_files = mpull($cover_files, null, 'getPHID');
foreach ($mocks as $mock) {
$file = idx($cover_files, $mock->getCoverPHID());

View file

@ -9,6 +9,7 @@ final class PhabricatorProjectProfile extends PhabricatorProjectDAO {
public function loadProfileImageURI() {
$src_phid = $this->getProfileImagePHID();
// TODO: (T603) Can we get rid of this and move it to a Query?
$file = id(new PhabricatorFile())->loadOneWhere('phid = %s', $src_phid);
if ($file) {
return $file->getBestURI();

View file

@ -329,9 +329,10 @@ abstract class PhabricatorRepositoryCommitMessageParserWorker
$files = array();
if ($file_phids) {
$files = id(new PhabricatorFile())->loadAllWhere(
'phid IN (%Ls)',
$file_phids);
$files = id(new PhabricatorFileQuery())
->setViewer(PhabricatorUser::getOmnipotentUser())
->withPHIDs($file_phids)
->execute();
$files = mpull($files, null, 'getPHID');
}

View file

@ -10,11 +10,12 @@ final class PhabricatorXHProfProfileController
}
public function processRequest() {
$request = $this->getRequest();
$file = id(new PhabricatorFile())->loadOneWhere(
'phid = %s',
$this->phid);
$file = id(new PhabricatorFileQuery())
->setViewer($request->getUser())
->withPHIDs(array($this->phid))
->executeOne();
if (!$file) {
return new Aphront404Response();
}
@ -25,7 +26,6 @@ final class PhabricatorXHProfProfileController
throw new Exception("Failed to unserialize XHProf profile!");
}
$request = $this->getRequest();
$symbol = $request->getStr('symbol');
$is_framed = $request->getBool('frame');