mirror of
https://we.phorge.it/source/phorge.git
synced 2025-01-18 18:51:12 +01:00
Don't skip policy checks on ObjectQuery if special capabilities are required
Summary: Ref T6741. As an optimization, we omit policy checks on ObjectQuery, but need to retain them if the query requests non-view permissions. This primarily affected Almanac properties.

Test Plan: Almanac properties now do full policy checks on ObjectQuery loads.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T6741

Differential Revision: https://secure.phabricator.com/D11005
parent
d8739459f6
commit
f5600acb16
1 changed files with 10 additions and 4 deletions
|
@ -144,12 +144,18 @@ final class PhabricatorObjectQuery
|
|||
}
|
||||
|
||||
/**
|
||||
* This query disables policy filtering because it is performed in the
|
||||
* subqueries which actually load objects. We don't need to re-filter
|
||||
* results, since policies have already been applied.
|
||||
* This query disables policy filtering if the only required capability is
|
||||
* the view capability.
|
||||
*
|
||||
* The view capability is always checked in the subqueries, so we do not need
|
||||
* to re-filter results. For any other set of required capabilities, we do.
|
||||
*/
|
||||
protected function shouldDisablePolicyFiltering() {
|
||||
return true;
|
||||
$view_capability = PhabricatorPolicyCapability::CAN_VIEW;
|
||||
if ($this->getRequiredCapabilities() === array($view_capability)) {
|
||||
return true;
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
public function getQueryApplicationClass() {
|
||||
|
|
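Review bot: The strict comparison `$this->getRequiredCapabilities() === array($view_capability)` in shouldDisablePolicyFiltering() matches only when the required capabilities are exactly a one-element list holding CAN_VIEW at key 0, and the docblock should say that this strictness is intentional. Any other shape (an empty array, a duplicated entry, different keys, or CAN_VIEW alongside another capability) falls through to `return false`, so filtering stays on and the check fails closed. That is the safe direction, but a later refactor to a looser test such as "contains CAN_VIEW" would silently bring back the skipped checks for non-view capabilities, so a sentence in the comment stating that only the exact view-only case may skip filtering would help. The new comment also relies on the invariant that "The view capability is always checked in the subqueries"; it is worth noting there that any subquery type added to PhabricatorObjectQuery must uphold it. The test plan is a manual observation; a unit test that loads objects through this query with a non-view required capability and asserts that an object the viewer lacks that capability on is filtered out would pin the behavior.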