From 7e09da3313fb16b52fd21c7d8e8164073b3d3ad1 Mon Sep 17 00:00:00 2001
From: epriestley
Date: Tue, 30 Jul 2019 11:49:23 -0700
Subject: [PATCH] Fix policy behavior of "slowvote.info" API method

Summary: Ref T13350. This ancient API method is missing modern policy checks.

Test Plan:
- Set visibility of vote X to "Only: epriestley".
- Called "slowvote.info" as another user.
- Before: retrieved poll title and author.
- After: policy error.
- Called "slowvote.info" on a visible poll, got information before and after.

Maniphest Tasks: T13350

Differential Revision: https://secure.phabricator.com/D20684
---
 .../slowvote/conduit/SlowvoteInfoConduitAPIMethod.php | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/applications/slowvote/conduit/SlowvoteInfoConduitAPIMethod.php b/src/applications/slowvote/conduit/SlowvoteInfoConduitAPIMethod.php
index cecd799ad0..4041b1f70c 100644
--- a/src/applications/slowvote/conduit/SlowvoteInfoConduitAPIMethod.php
+++ b/src/applications/slowvote/conduit/SlowvoteInfoConduitAPIMethod.php
@@ -27,8 +27,14 @@ final class SlowvoteInfoConduitAPIMethod extends SlowvoteConduitAPIMethod {
 }

 protected function execute(ConduitAPIRequest $request) {
+ $viewer = $this->getViewer();
+
 $poll_id = $request->getValue('poll_id');
- $poll = id(new PhabricatorSlowvotePoll())->load($poll_id);
+
+ $poll = id(new PhabricatorSlowvoteQuery())
+ ->setViewer($viewer)
+ ->withIDs(array($poll_id))
+ ->executeOne();
 if (!$poll) {
 throw new ConduitException('ERR_BAD_POLL');
 }
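Review bot: The new `executeOne()` path answers differently for a poll that does not exist (`ERR_BAD_POLL`) and, per the test plan, for one the viewer cannot see (policy error), so a caller can still tell that a restricted poll ID exists. If that distinction is intended, a comment above the query would record it, e.g. `// Policy-aware load: polls the viewer cannot see raise a policy exception, not ERR_BAD_POLL.`; otherwise both cases should map to `ERR_BAD_POLL`. The body of `execute()` continues past the end of the hunk, so any later loads keyed on this poll are not visible here and presumably need the same viewer-aware treatment. The test plan is manual; a unit test covering the restricted-poll case would keep this check from regressing.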