Policy - lock down file loading in mail reply handler path

Summary: Ref T7094. This one is really straight-forward since $this->actor is always populated and the right thing to do here. Test Plan: used the ole thinking noodle since testing email w/ attachments is really hard Reviewers: epriestley Reviewed By: epriestley Subscribers: Korvin, epriestley Maniphest Tasks: T7094 Differential Revision: https://secure.phabricator.com/D11589
2024-11-10 08:52:39 +01:00 · 2015-02-02 14:02:36 -08:00 · 2015-02-02 14:02:36 -08:00 · 388d1ff7bd
commit 388d1ff7bd
parent f58dce6819
1 changed files with 4 additions and 3 deletions
--- a/src/applications/metamta/replyhandler/PhabricatorMailReplyHandler.php
+++ b/src/applications/metamta/replyhandler/PhabricatorMailReplyHandler.php
@ -325,9 +325,10 @@ abstract class PhabricatorMailReplyHandler {
      return $body;
    }

-    // TODO: (T603) What's the policy here?
-    $files = id(new PhabricatorFile())
-      ->loadAllWhere('phid in (%Ls)', $attachments);
+    $files = id(new PhabricatorFileQuery())
+      ->setViewer($this->getActor())
+      ->withPHIDs($attachments)
+      ->execute();

    // if we have some text then double return before adding our file list
    if ($body) {