Give files uploaded to objects a very restrictive view policy
Summary: Fixes T4589. This implements much better policy behavior for files that aligns with user expectations. Currently, all files have permissive visibility. The new behavior is: - Files uploaded via drag-and-drop to the home page or file upload page get permissive visibility, for ease of quickly sharing things like screenshots. - Files uploaded via the manual file upload control get permissive visibility by default, but the user can select the policy they want at upload time in an explicit/obvious way. - Files uploaded via drag-and-drop anywhere else (e.g., comments or Pholio) get restricted visibility (only the uploader). - When the user applies a transaction to the object which uses the file, we attach the file to the object and punch a hole through the policies: if you can see the object, you can see the file. - This rule requires things to use ApplicationTransactions, which is why this took so long to fix. - The "attach stuff to the object" code has been in place for a long time and works correctly. I'll land D8498 after this lands, too. Test Plan: - Uploaded via global homepage upload and file drag-and-drop upload, saw permissive visibility. - Uploaded via comment area, saw restricted visibility. - After commenting, verified links were established and the file became visible to users who could see the attached object. - Verified Pholio (which is a bit of a special case) correctly attaches images. Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T4589 Differential Revision: https://secure.phabricator.com/D10131
This commit is contained in:
parent
1f1828e0c0
commit
9181929ebc
5 changed files with 45 additions and 27 deletions
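--- a/[path not on page: celerity resource map]
+++ b/[path not on page: celerity resource map]
@@ -8,10 +8,10 @@
 return array(
 'names' => array(
 'core.pkg.css' => '66ada2ec',
-'core.pkg.js' => '8cd3cd8c',
+'core.pkg.js' => '4c28870b',
 'darkconsole.pkg.js' => 'df001cab',
 'differential.pkg.css' => '4a93db37',
-'differential.pkg.js' => '79503aa4',
+'differential.pkg.js' => 'eb182ccd',
 'diffusion.pkg.css' => '591664fa',
 'diffusion.pkg.js' => 'bfc0737b',
 'maniphest.pkg.css' => 'f5d89daf',
@@ -440,7 +440,7 @@ return array(
 'rsrc/js/application/uiexample/gesture-example.js' => '558829c2',
 'rsrc/js/application/uiexample/notification-example.js' => '7a9677fc',
 'rsrc/js/core/Busy.js' => '6453c869',
-'rsrc/js/core/DragAndDropFileUpload.js' => 'a575f592',
+'rsrc/js/core/DragAndDropFileUpload.js' => 'f61aa8ec',
 'rsrc/js/core/DraggableList.js' => '2cad29d1',
 'rsrc/js/core/FileUpload.js' => 'a4ae61bf',
 'rsrc/js/core/Hovercard.js' => '7e8468ae',
@@ -465,7 +465,7 @@ return array(
 'rsrc/js/core/behavior-file-tree.js' => '88236f00',
 'rsrc/js/core/behavior-form.js' => '5c54cbf3',
 'rsrc/js/core/behavior-gesture.js' => '3ab51e2c',
-'rsrc/js/core/behavior-global-drag-and-drop.js' => '3672899b',
+'rsrc/js/core/behavior-global-drag-and-drop.js' => '07f199d8',
 'rsrc/js/core/behavior-high-security-warning.js' => '8fc1c918',
 'rsrc/js/core/behavior-history-install.js' => '7ee2b591',
 'rsrc/js/core/behavior-hovercard.js' => 'f36e01af',
@@ -589,7 +589,7 @@ return array(
 'javelin-behavior-doorkeeper-tag' => 'e5822781',
 'javelin-behavior-error-log' => 'a5d7cf86',
 'javelin-behavior-fancy-datepicker' => 'a5573bcd',
-'javelin-behavior-global-drag-and-drop' => '3672899b',
+'javelin-behavior-global-drag-and-drop' => '07f199d8',
 'javelin-behavior-herald-rule-editor' => '7ebaeed3',
 'javelin-behavior-high-security-warning' => '8fc1c918',
 'javelin-behavior-history-install' => '7ee2b591',
@@ -715,7 +715,7 @@ return array(
 'phabricator-countdown-css' => '86b7b0a0',
 'phabricator-crumbs-view-css' => '7fbf25b8',
 'phabricator-dashboard-css' => 'a2bfdcbf',
-'phabricator-drag-and-drop-file-upload' => 'a575f592',
+'phabricator-drag-and-drop-file-upload' => 'f61aa8ec',
 'phabricator-draggable-list' => '2cad29d1',
 'phabricator-fatal-config-template-css' => '25d446d6',
 'phabricator-feed-css' => '4e544db4',
@@ -869,6 +869,13 @@ return array(
 'javelin-util',
 'phabricator-busy',
 ),
+'07f199d8' => array(
+'javelin-behavior',
+'javelin-dom',
+'javelin-uri',
+'javelin-mask',
+'phabricator-drag-and-drop-file-upload',
+),
 '09eee344' => array(
 'javelin-behavior',
 'javelin-stratcom',
@@ -1042,13 +1049,6 @@ return array(
 'javelin-behavior',
 'javelin-dom',
 ),
-'3672899b' => array(
-'javelin-behavior',
-'javelin-dom',
-'javelin-uri',
-'javelin-mask',
-'phabricator-drag-and-drop-file-upload',
-),
 '3915d490' => array(
 'javelin-install',
 'javelin-util',
@@ -1490,14 +1490,6 @@ return array(
 'javelin-stratcom',
 'javelin-vector',
 ),
-'a575f592' => array(
-'javelin-install',
-'javelin-util',
-'javelin-request',
-'javelin-dom',
-'javelin-uri',
-'phabricator-file-upload',
-),
 'a5b67173' => array(
 'javelin-dom',
 'javelin-util',
@@ -1877,6 +1869,14 @@ return array(
 'multirow-row-manager',
 'javelin-json',
 ),
+'f61aa8ec' => array(
+'javelin-install',
+'javelin-util',
+'javelin-request',
+'javelin-dom',
+'javelin-uri',
+'phabricator-file-upload',
+),
 'f6555212' => array(
 'javelin-install',
 'javelin-reactornode',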
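--- a/[path not on page: PhabricatorFileDropUploadController.php]
+++ b/[path not on page: PhabricatorFileDropUploadController.php]
@@ -8,7 +8,7 @@ final class PhabricatorFileDropUploadController
 */
 public function processRequest() {
 $request = $this->getRequest();
-$user = $request->getUser();
+$viewer = $request->getUser();
 
 // NOTE: Throws if valid CSRF token is not present in the request.
 $request->validateCSRF();
@@ -16,11 +16,21 @@ final class PhabricatorFileDropUploadController
 $data = PhabricatorStartup::getRawInput();
 $name = $request->getStr('name');
 
+// If there's no explicit view policy, make it very restrictive by default.
+// This is the correct policy for files dropped onto objects during
+// creation, comment and edit flows.
+
+$view_policy = $request->getStr('viewPolicy');
+if (!$view_policy) {
+$view_policy = $viewer->getPHID();
+}
+
 $file = PhabricatorFile::newFromXHRUpload(
 $data,
 array(
 'name' => $request->getStr('name'),
-'authorPHID' => $user->getPHID(),
+'authorPHID' => $viewer->getPHID(),
+'viewPolicy' => $view_policy,
 'isExplicitUpload' => true,
 ));
 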
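Review bot: The new `viewPolicy` value is taken from the request and stored as the file's view policy without any check that it is a policy the viewer is allowed to set; if `PhabricatorFile::newFromXHRUpload` does not validate it, a drop-upload request can carry an arbitrary string or PHID as the policy. The only two senders on this page pass either nothing or `PhabricatorPolicies::getMostOpenPolicy()`, so the controller could accept just that value and fall back otherwise, e.g. `if ($view_policy !== PhabricatorPolicies::getMostOpenPolicy()) { $view_policy = $viewer->getPHID(); }`, or validate it the same way the explicit upload form's policy choice is validated. The comment on the new block explains the default but not that the parameter is client-controlled; `// viewPolicy is supplied by the client (see PhabricatorGlobalUploadTargetView); when absent the file is visible only to the uploader.` would make the trust boundary explicit. processRequest() continues outside the hunk.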
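--- a/[path not on page: PhabricatorGlobalUploadTargetView.php]
+++ b/[path not on page: PhabricatorGlobalUploadTargetView.php]
@@ -28,6 +28,7 @@ final class PhabricatorGlobalUploadTargetView extends AphrontView {
 'instructions' => $instructions_id,
 'uploadURI' => '/file/dropupload/',
 'browseURI' => '/file/query/authored/',
+'viewPolicy' => PhabricatorPolicies::getMostOpenPolicy(),
 ));
 
 return phutil_tag(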
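--- a/rsrc/js/core/DragAndDropFileUpload.js
+++ b/rsrc/js/core/DragAndDropFileUpload.js
@@ -174,8 +174,13 @@ JX.install('PhabricatorDragAndDropFileUpload', {
 
 var up_uri = JX.$U(this.getURI())
 .setQueryParam('name', file.getName())
-.setQueryParam('__upload__', 1)
-.toString();
+.setQueryParam('__upload__', 1);
+
+if (this.getViewPolicy()) {
+up_uri.setQueryParam('viewPolicy', this.getViewPolicy());
+}
+
+up_uri = up_uri.toString();
 
 var onupload = JX.bind(this, function(r) {
 if (r.error) {
@@ -235,6 +240,7 @@ JX.install('PhabricatorDragAndDropFileUpload', {
 },
 properties: {
 URI : null,
-activatedClass : null
+activatedClass : null,
+viewPolicy : null
 }
 });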
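Review bot: The new `viewPolicy` property in the `properties` block is undocumented, and nothing on the client side says what value it expects or what happens when it stays `null`. A comment such as `// Policy sent as the 'viewPolicy' query parameter of the upload request; null omits the parameter so the server-side default applies.` would cover both. In the first hunk the guard `if (this.getViewPolicy())` relies on truthiness, which is fine for a non-empty PHID string but is worth stating in that comment; the upload function the hunk edits starts before the hunk.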
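--- a/rsrc/js/core/behavior-global-drag-and-drop.js
+++ b/rsrc/js/core/behavior-global-drag-and-drop.js
@@ -21,7 +21,8 @@ JX.behavior('global-drag-and-drop', function(config) {
 }
 
 var drop = new JX.PhabricatorDragAndDropFileUpload(document.documentElement)
-.setURI(config.uploadURI);
+.setURI(config.uploadURI)
+.setViewPolicy(config.viewPolicy);
 
 drop.listen('didBeginDrag', function() {
 JX.Mask.show();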