1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-11-29 02:02:41 +01:00
Commit graph

10 commits

Author SHA1 Message Date
epriestley
2a5c987c71 Lock policy queries to their applications
Summary:
While we mostly have reasonable effective object accessibility when you lock a user out of an application, it's primarily enforced at the controller level. Users can still, e.g., load the handles of objects they can't actually see. Instead, lock the queries to the applications so that you can, e.g., never load a revision if you don't have access to Differential.

This has several parts:

  - For PolicyAware queries, provide an application class name method.
  - If the query specifies a class name and the user doesn't have permission to use it, fail the entire query unconditionally.
  - For handles, simplify query construction and count all the PHIDs as "restricted" so we get a UI full of "restricted" instead of "unknown" handles.

Test Plan:
  - Added a unit test to verify I got all the class names right.
  - Browsed around, logged in/out as a normal user with public policies on and off.
  - Browsed around, logged in/out as a restricted user with public policies on and off. With restrictions, saw all traces of restricted apps removed or restricted.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran

Differential Revision: https://secure.phabricator.com/D7367
2013-10-21 17:20:27 -07:00
epriestley
95c2b03fc8 Distinguish between invalid/broken handles and filtered handles
Summary:
Ref T603. Currently, we render handles the user doesn't have permission to see in a manner identical to handles that don't exist. This is confusing, and not required by policies (which restrict content, but permit knowledge that an object exists).

Instead, render them in different styles. Bad/invalid objects look like:

  Unknown Object (Task)

Restricted objects look like:

  [o] Restricted Task

...where `[o]` is the padlock icon.

Test Plan:
{F71100}

{F71101}

It's possible this renders weird somewhere, but I wasn't immediately able to find any issues. Yell if you see something.

Reviewers: btrahan, chad

Reviewed By: btrahan

CC: chad, aran

Maniphest Tasks: T603

Differential Revision: https://secure.phabricator.com/D7334
2013-10-17 10:49:21 -07:00
epriestley
c4abf160cc Fix some file policy issues and add a "Query Workspace"
Summary:
Ref T603. Several issues here:

  1. Currently, `FileQuery` does not actually respect object attachment edges when doing policy checks. Everything else works fine, but this was missing an `array_keys()`.
  2. Once that's fixed, we hit a bunch of recursion issues. For example, when loading a User we load the profile picture, and then that loads the User, and that loads the profile picture, etc.
  3. Introduce a "Query Workspace", which holds objects we know we've loaded and know we can see but haven't finished filtering and/or attaching data to. This allows subqueries to look up objects instead of querying for them.
    - We can probably generalize this a bit to make a few other queries more efficient. Pholio currently has a similar (but less general) "mock cache". However, it's keyed by ID instead of PHID so it's not easy to reuse this right now.

This is a bit complex for the problem being solved, but I think it's the cleanest approach and I believe the primitive will be useful in the future.

Test Plan: Looked at pastes, macros, mocks and projects as a logged-in and logged-out user.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran

Maniphest Tasks: T603

Differential Revision: https://secure.phabricator.com/D7309
2013-10-14 14:36:06 -07:00
epriestley
ca7a792794 Convert bin/files to ObjectQuery
Summary: Ref T603. This has some custom logic which ObjectQuery can now perform more simply and more correctly.

Test Plan: Ran `bin/files purge F1`, `bin/files purge D1`, `bin/files purge --all`.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran

Maniphest Tasks: T603

Differential Revision: https://secure.phabricator.com/D7180
2013-09-30 12:23:18 -07:00
epriestley
926b47ef70 Call array_unique() in Handle/Object queries
Summary: I think the old thing did this, but this makes queries a bit less ridiculous. For example, `secure.phabricator.com` currently issues a query for 664 handles on my task list, but only 73 of them are unique (basically, all the projects plus all the authors). This proably is slightly good for performance, but mostly makes the "Services" tab manageable.

Test Plan: Looked at Maniphest and some other pages, saw handles and objects where they were expected to be.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran

Differential Revision: https://secure.phabricator.com/D6959
2013-09-12 14:48:24 -07:00
epriestley
1f86c73428 Simplify policy filtering for projects and ObjectQuery
Summary:
Ref T603. Moves to detangle and optimize how we apply policies to filtering objects. Notably:

  - Add a short circuit for omnipotent users.
  - When performing project filtering, do a stricter check for user membership. We don't actually care if the user can see the project or not according to other policy constraints, and checking if they can may be complicated.
  - When performing project filtering, do a local check to see if we're filtering the project itself. This is a common case (a project editable by members of itself, for example) and we can skip queries when it is satisfied.
  - Don't perform policy filtering in ObjectQuery. All the data it aggregates is already filtered correctly.
  - Clean up a little bit of stuff in Feed.

Test Plan: Pages like the Maniphest task list and Project profile pages now issue dramatically fewer queries.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran

Maniphest Tasks: T603

Differential Revision: https://secure.phabricator.com/D6931
2013-09-10 15:34:07 -07:00
epriestley
f32e0e9330 Provide a callback for Queries to filter objects from alternate result sets
Summary: Ref T2715. `PhabricatorObjectQuery` can theoretically bypass policies on its side-channel result set. This can't actually happen in practice because all the loading mechanisms are filtered, but provide a general way to implement side channel results safely.

Test Plan: Loaded some pages; see next diff.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran

Maniphest Tasks: T2715

Differential Revision: https://secure.phabricator.com/D6514
2013-07-22 12:20:31 -07:00
epriestley
2845d11962 Remove PhabricatorPHID::fromObjectName
Summary: Ref T2715. This only ever supported like 10% of object types; get rid of it in favor of the new infra.

Test Plan:
  - Ran `bin/search index D12`; `bin/search index <some valid phid>`, `bin/search index derp`.
  - Turned off Search jump, searched for `D12`.
  - Used `phid.lookup`.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran

Maniphest Tasks: T2715

Differential Revision: https://secure.phabricator.com/D6519
2013-07-22 12:17:37 -07:00
epriestley
5ca419174a Proide application-based handle loads; load Slowvote handles from the application
Summary:
Ref T2715. This is pretty straightforward, I think. Notes:

  - Long term, I want to replace `PhabricatorObjectHandleData` with `PhabricatorObjectQuery` and `PhabricatorHandleQuery`. The former's name is a relic of old Facebook stuff and unusual now that everything else uses normal queries.
  - I simplified the amount of work applications need to do in order to populate handles. The should just need to set names and URIs in most cases.

Test Plan: Used `phid.lookup` and `phid.query` to load slowvote handles. Browsed around to load other handles.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran

Maniphest Tasks: T2715

Differential Revision: https://secure.phabricator.com/D6508
2013-07-22 12:17:28 -07:00
epriestley
7ed6996604 Provide basic infrastructure for moving PHIDs, Handles and Object Names to applications
Summary:
See discussion in T2715. Currently, PHIDs are all hard coded in the PHID application. In the long run, we need to move them out into actual applications.

A specific immediate issue is Releeph, which uses a very very old and very broken mechanism to inject PHIDs in a way that only sort of works.

Moving forward, every PHID type will be provided by a `PhabricatorPHIDType` subclass, which will manage loading it, etc.

This also moves toward cleaning up the "load objects by name" (where "name" means something like `D12`) code, which is an //enormous// mess and spread across at least 4-5 callsites.

Test Plan: Used `phid.lookup` and `phid.query` to load Slowvotes.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran

Differential Revision: https://secure.phabricator.com/D6502
2013-07-21 06:34:21 -07:00