Don't skip policy checks on ObjectQuery if special capabilities are required

Summary: Ref T6741. As an optimization, we omit policy checks on ObjectQuery, but need to retain them if the query requests non-view permissions. This primarily affected Almanac properties.

Test Plan: Almanac properties now do full policy checks on ObjectQuery loads.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T6741

Differential Revision: https://secure.phabricator.com/D11005

src/applications/phid/query/PhabricatorObjectQuery.php

@@ -144,12 +144,18 @@ final class PhabricatorObjectQuery
   }
 
   /**
-   * This query disables policy filtering because it is performed in the
-   * subqueries which actually load objects. We don't need to re-filter
-   * results, since policies have already been applied.
+   * This query disables policy filtering if the only required capability is
+   * the view capability.
+   *
+   * The view capability is always checked in the subqueries, so we do not need
+   * to re-filter results. For any other set of required capabilities, we do.
    */
   protected function shouldDisablePolicyFiltering() {
-    return true;
+    $view_capability = PhabricatorPolicyCapability::CAN_VIEW;
+    if ($this->getRequiredCapabilities() === array($view_capability)) {
+      return true;
+    }
+    return false;
   }
 
   public function getQueryApplicationClass() {