1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-12-19 12:00:55 +01:00

Don't skip policy checks on ObjectQuery if special capabilities are required

Summary: Ref T6741. As an optimization, we omit policy checks on ObjectQuery, but need to retain them if the query requests non-view permissions. This primarily affected Almanac properties.

Test Plan: Almanac properties now do full policy checks on ObjectQuery loads.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T6741

Differential Revision: https://secure.phabricator.com/D11005
This commit is contained in:
epriestley 2014-12-17 17:04:12 -08:00
parent d8739459f6
commit f5600acb16

View file

@ -144,12 +144,18 @@ final class PhabricatorObjectQuery
}
/**
* This query disables policy filtering because it is performed in the
* subqueries which actually load objects. We don't need to re-filter
* results, since policies have already been applied.
* This query disables policy filtering if the only required capability is
* the view capability.
*
* The view capability is always checked in the subqueries, so we do not need
* to re-filter results. For any other set of required capabilities, we do.
*/
protected function shouldDisablePolicyFiltering() {
return true;
$view_capability = PhabricatorPolicyCapability::CAN_VIEW;
if ($this->getRequiredCapabilities() === array($view_capability)) {
return true;
}
return false;
}
public function getQueryApplicationClass() {