1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-12-22 21:40:55 +01:00

Fix excessively strict "Can Use Application" policy filtering

Summary:
Ref T9058. The stricter filtering is over-filtering Handles. For example, in the Phacility cluster, users can not see Almanac services.

So this filtering happens:

  - The AlmanacServiceQuery filters the service beacuse they can't see the application.
  - The HandleQuery generates a "you can't see this" handle.
  - But then the HandleQuery filters that handle! It has a "service" PHID and the user can't see Almanac.

This violates the assumption that all application code makes about handles: it's OK to query handles for objects you can't see, and you'll get something back.

Instead, don't do application filtering on handles.

Test Plan:
  - Added a failing test and made it pass.
  - As a user who can not see Almanac, viewed an Instances timeline.
    - Before patch: fatal on trying to load a handle for a Service.
    - After patch: smooth sailing.

Reviewers: chad

Maniphest Tasks: T9058

Differential Revision: https://secure.phabricator.com/D17152
This commit is contained in:
epriestley 2017-01-08 10:53:35 -08:00
parent d4248d231b
commit f16778fc18
2 changed files with 33 additions and 0 deletions

View file

@ -874,6 +874,19 @@ final class PhabricatorPolicyFilter extends Phobject {
$viewer = $this->viewer; $viewer = $this->viewer;
foreach ($objects as $key => $object) { foreach ($objects as $key => $object) {
// Don't filter handles: users are allowed to see handles from an
// application they can't see even if they can not see objects from
// that application. Note that the application policies still apply to
// the underlying object, so these will be "Restricted Object" handles.
// If we don't let these through, PhabricatorHandleQuery will completely
// fail to load results for PHIDs that are part of applications which
// the viewer can not see, but a fundamental property of handles is that
// we always load something and they can safely be assumed to load.
if ($object instanceof PhabricatorObjectHandle) {
continue;
}
$phid = $object->getPHID(); $phid = $object->getPHID();
if (!$phid) { if (!$phid) {
continue; continue;

View file

@ -51,6 +51,13 @@ final class PhabricatorProjectCoreTestCase extends PhabricatorTestCase {
$proj, $proj,
PhabricatorPolicyCapability::CAN_VIEW)); PhabricatorPolicyCapability::CAN_VIEW));
// This object is visible so its handle should load normally.
$handle = id(new PhabricatorHandleQuery())
->setViewer($user)
->withPHIDs(array($proj->getPHID()))
->executeOne();
$this->assertEqual($proj->getPHID(), $handle->getPHID());
// Change the "Can Use Application" policy for Projecs to "No One". This // Change the "Can Use Application" policy for Projecs to "No One". This
// should cause filtering checks to fail even when they are executed // should cause filtering checks to fail even when they are executed
// directly rather than via a Query. // directly rather than via a Query.
@ -76,6 +83,19 @@ final class PhabricatorProjectCoreTestCase extends PhabricatorTestCase {
$proj, $proj,
PhabricatorPolicyCapability::CAN_VIEW)); PhabricatorPolicyCapability::CAN_VIEW));
// We should still be able to load a handle for the project, even if we
// can not see the application.
$handle = id(new PhabricatorHandleQuery())
->setViewer($user)
->withPHIDs(array($proj->getPHID()))
->executeOne();
// The handle should load...
$this->assertEqual($proj->getPHID(), $handle->getPHID());
// ...but be policy filtered.
$this->assertTrue($handle->getPolicyFiltered());
unset($env); unset($env);
} }