revi-archive/phorge-phorge
1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-11-10 00:42:41 +01:00
Code Issues Releases Wiki Activity

Policy - make ManiphestTaskQuery verify project visibility first thing

Browse source 
Summary: Fixes T7094 (last of many revisions). Its important to do this filtering ASAP so that users can't deduce the identify of an unknown / invisible project.

Test Plan: executed a query for tasks in project foo using user bar. using user foo, lock user bar out of project foo. reissued the query and saw "no data" as well as "restricted project" in the project typeahead.

Reviewers: epriestley

Reviewed By: epriestley

Subscribers: Korvin, epriestley

Maniphest Tasks: T7094

Differential Revision: https://secure.phabricator.com/D11660
This commit is contained in:
Bob Trahan 2015-02-03 13:53:35 -08:00
parent 137b0ebc53
commit da1531f219
1 changed files with 29 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

34
src/applications/maniphest/query/ManiphestTaskQuery.php
View file

@ -56,6 +56,8 @@ final class ManiphestTaskQuery extends PhabricatorCursorPagedPolicyAwareQuery {
private $blockingTasks;
private $blockedTasks;
private $projectPolicyCheckFailed = false;
const DEFAULT_PAGE_SIZE = 1000;
public function withAuthors(array $authors) {
@ -222,12 +224,34 @@ final class ManiphestTaskQuery extends PhabricatorCursorPagedPolicyAwareQuery {
return $this;
}
protected function willExecute() {
// Make sure the user can see any projects specified in this
// query FIRST.
if ($this->projectPHIDs) {
$projects = id(new PhabricatorProjectQuery())
->setViewer($this->getViewer())
->withPHIDs($this->projectPHIDs)
->execute();
$projects = mpull($projects, null, 'getPHID');
foreach ($this->projectPHIDs as $index => $phid) {
$project = idx($projects, $phid);
if (!$project) {
unset($this->projectPHIDs[$index]);
continue;
}
}
if (!$this->projectPHIDs) {
$this->projectPolicyCheckFailed = true;
}
$this->projectPHIDs = array_values($this->projectPHIDs);
}
}
protected function loadPage() {
// TODO: (T603) It is possible for a user to find the PHID of a project
// they can't see, then query for tasks in that project and deduce the
// identity of unknown/invisible projects. Before we allow the user to
// execute a project-based PHID query, we should verify that they
// can see the project.
if ($this->projectPolicyCheckFailed) {
throw new PhabricatorEmptyQueryException();
}
$task_dao = new ManiphestTask();
$conn = $task_dao->establishConnection('r');