Policy - make ManiphestTaskQuery verify project visibility first thing
Summary: Fixes T7094 (last of many revisions). It's important to do this filtering ASAP so that users can't deduce the identity of an unknown / invisible project. Test Plan: executed a query for tasks in project foo using user bar. using user foo, lock user bar out of project foo. reissued the query and saw "no data" as well as "restricted project" in the project typeahead. Reviewers: epriestley Reviewed By: epriestley Subscribers: Korvin, epriestley Maniphest Tasks: T7094 Differential Revision: https://secure.phabricator.com/D11660
parent
137b0ebc53
commit
da1531f219
1 changed files with 29 additions and 5 deletions
|
@ -56,6 +56,8 @@ final class ManiphestTaskQuery extends PhabricatorCursorPagedPolicyAwareQuery {
|
|||
private $blockingTasks;
|
||||
private $blockedTasks;
|
||||
|
||||
private $projectPolicyCheckFailed = false;
|
||||
|
||||
const DEFAULT_PAGE_SIZE = 1000;
|
||||
|
||||
public function withAuthors(array $authors) {
|
||||
|
@ -222,12 +224,34 @@ final class ManiphestTaskQuery extends PhabricatorCursorPagedPolicyAwareQuery {
|
|||
return $this;
|
||||
}
|
||||
|
||||
protected function willExecute() {
|
||||
// Make sure the user can see any projects specified in this
|
||||
// query FIRST.
|
||||
if ($this->projectPHIDs) {
|
||||
$projects = id(new PhabricatorProjectQuery())
|
||||
->setViewer($this->getViewer())
|
||||
->withPHIDs($this->projectPHIDs)
|
||||
->execute();
|
||||
$projects = mpull($projects, null, 'getPHID');
|
||||
foreach ($this->projectPHIDs as $index => $phid) {
|
||||
$project = idx($projects, $phid);
|
||||
if (!$project) {
|
||||
unset($this->projectPHIDs[$index]);
|
||||
continue;
|
||||
}
|
||||
}
|
||||
if (!$this->projectPHIDs) {
|
||||
$this->projectPolicyCheckFailed = true;
|
||||
}
|
||||
$this->projectPHIDs = array_values($this->projectPHIDs);
|
||||
}
|
||||
}
|
||||
|
||||
protected function loadPage() {
|
||||
// TODO: (T603) It is possible for a user to find the PHID of a project
|
||||
// they can't see, then query for tasks in that project and deduce the
|
||||
// identity of unknown/invisible projects. Before we allow the user to
|
||||
// execute a project-based PHID query, we should verify that they
|
||||
// can see the project.
|
||||
|
||||
if ($this->projectPolicyCheckFailed) {
|
||||
throw new PhabricatorEmptyQueryException();
|
||||
}
|
||||
|
||||
$task_dao = new ManiphestTask();
|
||||
$conn = $task_dao->establishConnection('r');
|
||||
|
|
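Review bot: In `willExecute()`, a project PHID the viewer cannot see is dropped silently whenever at least one other PHID remains, so the task query then runs with a weaker constraint than the caller asked for; `projectPolicyCheckFailed` is set only when every PHID was filtered out. If `projectPHIDs` means "tasks in all of these projects" (its setter is outside the hunk, so this is an assumption), failing closed on the first miss is safer and treats an invisible project exactly like a nonexistent one: `if (!$project) { $this->projectPolicyCheckFailed = true; break; }`. Only `projectPHIDs` is verified here; any other project-based constraints the class accepts outside this hunk would need the same visibility check before `loadPage()` runs, and the body of `loadPage()` continues past the hunk. The `continue;` as the last statement of the loop body is redundant, and the flag is never reset, so a query object that is executed again keeps the pruned list and the failed state.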