1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-11-29 02:02:41 +01:00
Commit graph

17086 commits

Author SHA1 Message Date
Valerio Bozzolan
dc558b5538 Fix NULL pointer exception in some circumstances from Calendar's homepage
Summary:
After importing specific weird events, for example from Google Calendar (bleah), it can happen that the Calendar's homepage becomes broken.

This was the Exception error shown to video:

    "Call to a member function getEventsBetween() on null"

It was happening since this method can return NULL:

    PhabricatorCalendarEventQuery#newRecurrenceSet()

This changeset verifies this condition from the Calendar's homepage.

Closes T15136

Test Plan: I tried in my server. I've executed the syntax lint. On my local machine I was not able to run "arc diff" since it tries to connect to root@localhost for some reasons.

Reviewers: O1 Blessed Committers, 20after4

Reviewed By: O1 Blessed Committers, 20after4

Subscribers: 0, Cigaryno, 20after4, speck, tobiaswiese, Matthew

Tags: #calendar

Maniphest Tasks: T15136

Differential Revision: https://we.phorge.it/D25060
2022-12-08 15:32:27 -07:00
Thomas Iguchi
a8a38835e1 Fix broken file PHID extraction that causes Pholio uploads to crash
Summary:
A commit earlier this year modified the structure of the file upload transaction data value, by nesting the array of file upload PHIDs in another array.
The `extractFilePHIDs` method was not updated to deal with that change though, therefore new mock uploads via Pholio would crash.
This patch fixes that method so it can process the updated transaction data.

Resolves T15105

Test Plan: Patched my live Phabricator installation with this fix and successfully uploaded new Pholio mockups.

Reviewers: O1 Blessed Committers, Cigaryno, Matthew

Reviewed By: O1 Blessed Committers, Cigaryno, Matthew

Subscribers: Matthew, speck, tobiaswiese, valerio.bozzolan, Cigaryno

Tags: #pholio

Maniphest Tasks: T15105

Differential Revision: https://we.phorge.it/D25058
2022-11-11 13:10:16 -07:00
MacFan4000
abb693962d Update sprite sheets
Summary: This fully updates some login provider icons. Somehow this didn't work fully on previous updates. I used --force this time.

Test Plan: None just ran the script which regenerated the spritesheets.

Reviewers: O1 Blessed Committers, #blessed_committers, avivey

Reviewed By: O1 Blessed Committers, #blessed_committers, avivey

Subscribers: avivey, speck, tobiaswiese, valerio.bozzolan, Matthew, Cigaryno

Tags: #auth

Differential Revision: https://we.phorge.it/D25055
2022-11-11 13:04:20 -07:00
ekubischta
4aedc206c7 Update PassphraseCredential to support Mentions
Summary:
This revision allows us to see where passphrase credentials are mentioned in other parts of phabricator

This is very useful to "What is this credential for?"  If we can see where it was been mentioned

Test Plan: Mentioned a passphrase and saw it in the transaction list

Reviewers: O1 Blessed Committers, Matthew

Reviewed By: O1 Blessed Committers, Matthew

Subscribers: Matthew, Cigaryno, speck, tobiaswiese, valerio.bozzolan

Differential Revision: https://we.phorge.it/D25032
2022-10-09 03:30:07 -07:00
Vedran Miletić
f8ffa393c4 Added cross-platform default fonts
Summary:
`system-ui` is provided by modern browsers as [a cross-platform default font](https://caniuse.com/font-family-system-ui). Using this font [was a controversial choice back in 2017](https://infinnie.github.io/blog/2017/systemui.html). because it did not address i18n well and therefore it was removed from Bootstrap [twbs/bootstrap#22377](https://github.com/twbs/bootstrap/pull/22377). However, it was added back in Bootstrap v5 [twbs/bootstrap#30561](https://github.com/twbs/bootstrap/pull/30561) since it got better over time.

Fixes T15049.

Test Plan: Tested locally for now.

Reviewers: O1 Blessed Committers, avivey

Reviewed By: O1 Blessed Committers, avivey

Subscribers: Matthew, avivey, Cigaryno, 20after4, Ekubischta, speck, tobiaswiese, valerio.bozzolan

Maniphest Tasks: T15049

Differential Revision: https://we.phorge.it/D25021
2022-10-09 03:30:07 -07:00
Leon Eckardt
69b2710af9 Prevent Line Numbers in Diffusion being copied as Tabs
Summary: Marks Line Numbers in Diffusion File Preview as unselectable

Test Plan:
- Select multiple Lines from a File Preview in Diffusion
- Copy them into a Text Editor
- The Leading Tabs should no longer included

Reviewers: O1 Blessed Committers, speck, Ekubischta

Reviewed By: O1 Blessed Committers, speck, Ekubischta

Subscribers: Ekubischta, speck, tobiaswiese, valerio.bozzolan

Differential Revision: https://we.phorge.it/D25024
2022-09-21 11:33:20 -06:00
Matthew Bowker
a16e8773f0 Show confirmation dialog when closing a modal if form contents have been changed
Summary: Honestly I did not realize that Differential can do this. Anyway this is related to T15034 ... Originally opened at https://secure.phabricator.com/T12676

Test Plan:
1) Start creating a task via a Workboard in Manifest, type many words, press `ESC`

2) Start creating a task via a Workboard in Manifest, type no words, press `ESC`

Reviewers: O1 Blessed Committers, Ekubischta, speck

Reviewed By: O1 Blessed Committers, Ekubischta, speck

Subscribers: Leon95, 20after4, avivey, Ekubischta, speck, tobiaswiese

Tags: #maniphest

Differential Revision: https://we.phorge.it/D25015
2022-09-21 11:26:14 -06:00
Aviv Eyal
377ac059d6 Update default wordmark and logo
Summary:
The current default wordmark is "Phabricator" which is trademarked and the
default logo is also copyright.

(This change was made by @speck directly in the deployed instnace, bringing it into `master` now).

Test Plan: should be fine.

Reviewers: O1 Blessed Committers, speck

Reviewed By: O1 Blessed Committers, speck

Subscribers: tobiaswiese, valerio.bozzolan, Matthew, speck

Differential Revision: https://we.phorge.it/D25048
2022-08-25 01:31:18 -07:00
Aviv Eyal
dbf7cd2b4a Rebrand: Rename library and update "version" logic
Summary: Make the "version" data in Config show information. Also rename the library.

Test Plan: See version "branched from" information.

Reviewers: O1 Blessed Committers, speck

Reviewed By: O1 Blessed Committers, speck

Subscribers: speck, tobiaswiese, valerio.bozzolan, Matthew

Maniphest Tasks: T15006

Differential Revision: https://we.phorge.it/D25047
2022-08-25 01:26:21 -07:00
Aviv Eyal
c3f0c0b0f7 Merge Phacility/master into phorge 2022-07-25 11:50:26 -07:00
epriestley
9426765a2c Flatten "RemarkupValue" objects when setting field defaults for custom forms
Summary:
Ref T13685. "RemarkupEditField" uses a "RemarkupValue" internally, and it currently attempts to serialize into the database unsuccessfully.

Instead, flatten the value before returning it for storage.

Test Plan:
  - Edited the default description of a task in a custom form.

Maniphest Tasks: T13685

Differential Revision: https://secure.phabricator.com/D21854
2022-06-14 09:37:35 -07:00
epriestley
1fc04e238f Fix repository URI generation for SVN commit identifiers represented with integer types
Summary:
Ref T13588. See PHI2198. Some pathways represent SVN commit identifiers (which are numeric) with integers; these raise an exception in `phutil_nonempty_string()`, which is strict.

(Ideally, commit identifiers wouldn't have mixed types, but that's a dramatically less practical change.)

Test Plan: Will deploy.

Maniphest Tasks: T13588

Differential Revision: https://secure.phabricator.com/D21852
2022-06-03 15:01:04 -07:00
epriestley
944b257d5d Fix a policy issue where permissions were not properly checked when disabling global builtin queries
Summary: See <https://hackerone.com/reports/1573143>. The pathway for disabling global builtin queries is missing a policy check. Add it.

Test Plan:
  - Accessed the "/search/delete/id/.../" URI for a global builtin query as a non-administrator.
  - Before patch: could improperly disable queries.
   -After patch: proper policy exception.

Differential Revision: https://secure.phabricator.com/D21851
2022-05-31 11:00:53 -07:00
epriestley
3052ed1484 Remove obsolete, policy-violating "owners.query" API method
Summary: See <https://hackerone.com/reports/1584409>. This obsolete API method is technically policy-violating: Owners packages have had policies since D15275. See also T10360.

Test Plan: Viewed Conduit API console, no longer saw API method available.

Differential Revision: https://secure.phabricator.com/D21850
2022-05-31 10:44:45 -07:00
epriestley
835cd7f270 Improve remarkup metadata robustness against debris in the database
Summary:
Ref T13682. Versioned drafts may have missing or unexpected metadata:

  - versioned drafts from an older version of Phabricator may be missing metadata;
  - versioned drafts created by an older UI against a newer version of Phabricator may have `null` metadata.

Generally, make these workflows robust to metadata in unexpected formats, so database debris doesn't break the UI.

Test Plan: Simulated debris, interacted with UI.

Maniphest Tasks: T13682

Differential Revision: https://secure.phabricator.com/D21849
2022-05-28 06:29:43 -07:00
epriestley
809ae81752 Update Slowvote poll status to use sensible string constants
Summary: Ref T13682. This prepares for modernizing Slowvote and exposing a more usable API.

Test Plan: Ran migrations, opened and closed polls.

Subscribers: PHID-OPKG-gm6ozazyms6q6i22gyam

Maniphest Tasks: T13682

Differential Revision: https://secure.phabricator.com/D21848
2022-05-27 10:15:01 -07:00
epriestley
c1887f0c1d Separate Slowvote poll status onto a dedicated object
Summary: Ref T13682. Prepares for use of API-friendly string constants rather than opaque integers.

Test Plan: Created and edited polls, opening and closing them. Grepped for affected methods.

Maniphest Tasks: T13682

Differential Revision: https://secure.phabricator.com/D21847
2022-05-27 10:15:01 -07:00
epriestley
03d3d1889d Update Slowvote voting methods to use sensible string constants
Summary: Ref T13682. Use API-friendly string constants instead of opaque integers in Slowvote voting methods.

Test Plan: Created, edited, and voted in polls with various voting methods. Examined database after migrations.

Subscribers: PHID-OPKG-gm6ozazyms6q6i22gyam

Maniphest Tasks: T13682

Differential Revision: https://secure.phabricator.com/D21846
2022-05-26 10:27:01 -07:00
epriestley
9dad49472c Move Slowvote vote types to a separate object
Summary: Ref T13682. Extract Slowvote vote types to a separate object, to prepare for turning them into API-friendly string constants.

Test Plan: Created, edited, and voted in Slowvote polls. Grepped for affected constants.

Maniphest Tasks: T13682

Differential Revision: https://secure.phabricator.com/D21845
2022-05-26 10:17:36 -07:00
epriestley
9f075839a2 Update Slowvote to use sensible string constants for response visibility
Summary: Ref T13682. Migrate and update Slowvote to use API-friendly string constants for response visibility, not opaque integers.

Test Plan: Created and edited slowvotes, changing response visibility.

Subscribers: PHID-OPKG-gm6ozazyms6q6i22gyam

Maniphest Tasks: T13682

Differential Revision: https://secure.phabricator.com/D21844
2022-05-26 09:58:48 -07:00
epriestley
23094b4950 Move Slowvote response visibility to a separate object
Summary: Ref T13682. This change supports modifying these constants to be sensible strings instead of opaque integers.

Test Plan: Created and edited polls.

Maniphest Tasks: T13682

Differential Revision: https://secure.phabricator.com/D21843
2022-05-26 09:58:48 -07:00
epriestley
b1533e5468 Migrate "SlowvotePoll" to modern mailkey storage
Summary:
Ref T13682. Ref T13065. Migrate and update "SlowvotePoll" to use more modern mailkey storage (in the mail application, rather than onboard).

Also make other minor modernization changes.

Test Plan: Created a new poll. Ran migration, verified mail key copied properly in database.

Subscribers: PHID-OPKG-gm6ozazyms6q6i22gyam

Maniphest Tasks: T13682, T13065

Differential Revision: https://secure.phabricator.com/D21842
2022-05-26 09:29:05 -07:00
epriestley
d91727e66c Update nonstandard PHID key on "SlowvotePoll"
Summary: Ref T13682. Use a more modern PHID key name for this key.

Test Plan: Ran `bin/storage adjust`, got a modern key.

Maniphest Tasks: T13682

Differential Revision: https://secure.phabricator.com/D21841
2022-05-26 09:29:05 -07:00
epriestley
7e5f7b9640 Update "Files" attachment table to show more attachment details and support detachment
Summary: Ref T13682. Make the "Attached" list in Files a bit more detailed, and add a "Detach" button.

Test Plan: Tried to detach unrelated, referenced, and attached files. Saw attached files detach.

Maniphest Tasks: T13682

Differential Revision: https://secure.phabricator.com/D21840
2022-05-25 12:56:37 -07:00
epriestley
5aa159a830 Pass "object" to modular transaction methods explicitly
Summary:
Ref T13682. When editing a comment, the edit pathway may invoke file PHID extraction without first formalizing an object on the Editor.

Pass the "object" explicitly to generally improve the robustness of this pathway.

Test Plan: Edited a comment.

Maniphest Tasks: T13682

Differential Revision: https://secure.phabricator.com/D21839
2022-05-25 10:25:18 -07:00
epriestley
8e703c8c35 Provide a default "loadPage()" implementation on "CursorPagedPolicyAwareQuery"
Summary: Ref T13682. Many subclasses of "CursorPagedPolicyAwareQuery" have the same implementation of "loadPage()", and this is a sensible default behavior.

Test Plan: Examined changes to verify that all removed methods have the same behavior.

Subscribers: PHID-OPKG-gm6ozazyms6q6i22gyam

Maniphest Tasks: T13682

Differential Revision: https://secure.phabricator.com/D21838
2022-05-24 10:18:53 -07:00
epriestley
5493f028dc Provide a simple "Attach File" explicit workflow for files referenced but not attached
Summary: Ref T13682. Allow users to manually attach files which are referenced (but not attached) via the UI.

Test Plan: Reference files via `{F...}`, then attached them via the UI workflow.

Maniphest Tasks: T13682

Differential Revision: https://secure.phabricator.com/D21837
2022-05-24 09:49:59 -07:00
epriestley
021e5ab933 Provide a rudimentary "Attached Files" curtain UI panel
Summary: Ref T13682. Provide a basic UI element for showing file attached to an object.

Test Plan: Viewed objects with attached files in the UI.

Maniphest Tasks: T13682

Differential Revision: https://secure.phabricator.com/D21836
2022-05-23 14:08:15 -07:00
epriestley
5033ef6f88 Give "FileAttachment" policy support and a query object
Summary: Ref T13682. This supports an "Attached Files" curtain UI element.

Test Plan: See next change.

Maniphest Tasks: T13682

Differential Revision: https://secure.phabricator.com/D21835
2022-05-23 14:08:15 -07:00
epriestley
631c36aee3 Don't consider file references inside quoted text blocks to grant "attachment intent"
Summary:
Ref T13682. This is a marginal case, but if you quote someone else's text and it has a file reference embedded in it, that isn't good enough to generate "attachment intent".

Since you need both a reference and an explicit attachment, this should never actually affect any user-visible behavior today, but makes the ruleset more thorough.

Test Plan: Dragged and dropped a file, referencing it in either a quoted or unquoted block. Saw it attach only for a quoted block.

Maniphest Tasks: T13682

Differential Revision: https://secure.phabricator.com/D21833
2022-05-23 14:08:15 -07:00
epriestley
2a0feb3de0 Only attach files that are both referenced in Remarkup and attached by explicit metadata
Summary:
Ref T13682. When a user uploads a file, then changes their mind and deletes the reference to the file, we don't actually want to attach the file.

When choosing which files to attach, only attach files which are both referenced in Remarkup and explicitly attached in remarkup metadata.

Test Plan:
  - Dropped a file into a comment, submitted it, saw it attach normally.
  - Dropped a file into a comment, deleted the reference, submitted it, saw no attachment.

Maniphest Tasks: T13682

Differential Revision: https://secure.phabricator.com/D21832
2022-05-23 14:08:14 -07:00
epriestley
8cd02e6727 Provide missing default attachment list for Files transactions
Summary: Ref T13682. This property may not exist, and should defualt to an empty array if not present.

Test Plan: Created a new object.

Maniphest Tasks: T13682

Differential Revision: https://secure.phabricator.com/D21834
2022-05-23 09:24:38 -07:00
epriestley
cc44ae32c5 Remove obsolete "setDisableMacros()" on "PhabricatorRemarkupControl"
Summary:
Ref T13682. This method originated in D4781 and no longer has any callers; remove it.

(I believe this was from an era where macros didn't have to be on their own line to trigger.)

Test Plan: Grepped for method, found no callers.

Maniphest Tasks: T13682

Differential Revision: https://secure.phabricator.com/D21831
2022-05-20 10:27:41 -07:00
epriestley
42876de60d Generate file attachment transactions for explicit Remarkup attachments on common edit pathways
Summary:
Ref T13603. On common edit pathways, extract explicit file attachments from Remarkup. These pathways are affected:

  - Objects that use EditEngine and expose a remarkup area via "RemarkupEditField".
  - Objects that use EditEngine to generate a comment area.

This is the vast majority of pathways, but not entirely exhaustive.

Test Plan: Created and commented on a task, explicitly attaching images. Saw images attach properly.

Maniphest Tasks: T13603

Differential Revision: https://secure.phabricator.com/D21830
2022-05-19 13:21:04 -07:00
epriestley
fee8297121 Remove file attachment edge types, including API access
Summary:
Ref T13603. This removes the file attachment edge types, which no longer have readers or writers.

It does not delete the underlying data.

This indirectly removes API access to this edge. As far as I know, this was only used by one customer (see D21480) who has migrated away from Phabricator.

Test Plan: Grepped for edge constants.

Maniphest Tasks: T13603

Differential Revision: https://secure.phabricator.com/D21823
2022-05-19 13:21:04 -07:00
epriestley
b872640c16 Remove all "FileHasObject" edge reads and writes
Summary: Ref T13603. Removes all reads and writes to the other half of the legacy edge.

Test Plan:
  - Verified I could still see file content accessible only through object attachment.
  - This fixes a unit test broken by removal of only half the edge access in the previous change.

Maniphest Tasks: T13603

Differential Revision: https://secure.phabricator.com/D21820
2022-05-19 13:21:04 -07:00
epriestley
c25a8fabfc Remove all "ObjectHasFile" edge reads and writes
Summary: Ref T13603. Migrate all code which interacts with the "ObjectHasFile" edge to use the "Attachments" table instead.

Test Plan:
  - Edited a paste's view policy, confirmed associated file secret was scrambled.
  - Verified I could still view paste content as a user who could not naturally view the underlying file.

Subscribers: PHID-OPKG-gm6ozazyms6q6i22gyam

Maniphest Tasks: T13603

Differential Revision: https://secure.phabricator.com/D21819
2022-05-19 13:21:04 -07:00
epriestley
0329df0fa8 Copy file attachment edges to new storage
Summary: Ref T13603. Copy all existing file attachment data into the new storage table.

Test Plan: Ran migration, checked attachment table for general reasonableness.

Subscribers: PHID-OPKG-gm6ozazyms6q6i22gyam

Maniphest Tasks: T13603

Differential Revision: https://secure.phabricator.com/D21818
2022-05-19 13:21:03 -07:00
epriestley
4a2d961e76 Adjust paste content transaction to support earlier file PHID extraction
Summary: Ref T13603. New transactional file attachment extracts PHIDs earlier than the older mechanism did. Allow either pathway to save content and extract a PHID.

Test Plan:
  - Created and modified a paste.
  - Confirmed both pathways do old and new storage writes.

Maniphest Tasks: T13603

Differential Revision: https://secure.phabricator.com/D21817
2022-05-19 13:21:03 -07:00
epriestley
d017f3f210 Double-write file attachment to old "edge" storage and new "attachment" storage
Summary: Ref T13603. This adds a second write to new "attachment" storage to all writers except one in Paste, which creates the file inline.

Test Plan:
  - Updated a macro image, confirmed a write to "attachment" storage (transaction pathway).
  - Updated a blog profile image, confirmed a write to "attachment" storage (legacy pathway).

Maniphest Tasks: T13603

Differential Revision: https://secure.phabricator.com/D21816
2022-05-19 13:21:03 -07:00
epriestley
7fcc0f9ebd Remove "PhabricatorFile->detachFromObject()"
Summary:
Ref T13603. Currently, files are sometimes detached from objects. For example, when you change the image for a Macro, the old image is detached.

This is wrong: the image should remain attached so users who can view the macro can view the complete "alice change the image from X to Y" transaction. To be able to understand the change that was applied, you need to be able to view both files.

All workflows which currently detach files aren't conistent with the modern way applications behave, except maybe one callsite in a unit test, and that one's kind of moot.

Get rid of this stuff and just use PHID extraction to perform file attachment in all cases.

Test Plan: Created and edited macros, verified files were properly attached and remained attached across edits.

Maniphest Tasks: T13603

Differential Revision: https://secure.phabricator.com/D21815
2022-05-19 13:21:03 -07:00
epriestley
cfa42c5e65 Add database storage for a dedicated file attachment table
Summary: Ref T13603. Prepare to move this relationship out of edge storage into dedicated storage so it is easier to formalize better in the UI.

Test Plan: Ran `bin/storage upgrade`.

Subscribers: PHID-OPKG-gm6ozazyms6q6i22gyam

Maniphest Tasks: T13603

Differential Revision: https://secure.phabricator.com/D21813
2022-05-19 13:21:02 -07:00
epriestley
6fea5e5ce7 Do not extract file PHIDs from remarkup blocks for attachment
Summary: Ref T13603. When processing transactions that include remarkup blocks, stop extracting file references from them for attachment.

Test Plan: Submitted a remarkup block with a file reference, no longer saw automatic file attachment.

Maniphest Tasks: T13603

Differential Revision: https://secure.phabricator.com/D21812
2022-05-19 13:21:02 -07:00
epriestley
ee6e2a396f Fix some test suite stragglers with PHP 8.1 compatibility
Summary: Ref T13588. This allows "arc unit --everything" to more or less run cleanly on PHP 8.1.

Test Plan: Ran "arc unit --everything".

Maniphest Tasks: T13588

Differential Revision: https://secure.phabricator.com/D21821
2022-05-19 12:04:09 -07:00
epriestley
7693a711a7 Persist remarkup metadata in "VersionedDrafts" and record explicit file uploads
Summary:
Ref T13603. Allow "VersionedDraft" to persist remarkup comment area metadata from stacked actions controls.

When files are dragged and dropped, record them as explicit uploads in comment metadata.

Test Plan: Dragged and dropped files into Remarkup stacked action text areas (e.g., in Maniphest), reloaded page, saw metadata persist across reloads.

Maniphest Tasks: T13603

Differential Revision: https://secure.phabricator.com/D21828
2022-05-19 12:03:18 -07:00
epriestley
33a0731619 Give "RemarkupControl" support for tracking metadata
Summary: Ref T13603. This will support explicit handling of attached files.

Test Plan: Adjusted new input to have "text" input type, used it alongside additional upcoming changes, saw sensible metadata behavior.

Maniphest Tasks: T13603

Differential Revision: https://secure.phabricator.com/D21827
2022-05-19 12:03:17 -07:00
epriestley
147b48b934 Fix an exception in cursor pagination of Conpherence threads
Summary: Ref T13680. Conpherence may pass values with an integer type to this layer of the stack. These are "supposed" to be strings, but just be accepting.

Test Plan:
  - Wrote 100+ messages to a Conpherence room.
  - Clicked "Show Older Messages".
  - Before: exception, int passed to "phutil_nonempty_string()".
  - After: older messages loaded.

Maniphest Tasks: T13680

Differential Revision: https://secure.phabricator.com/D21824
2022-05-17 16:31:01 -07:00
epriestley
431612023d Remove "feed.publish" API
Summary:
Ref T13681. This was introduced in D593, never used, and doesn't make sense or have any uses in modern Phabricator.

It also does some pretty direct writes that can technically do things that at least //look// like they violate policies, so remove it.

Test Plan:
  - Checked the API console, no longer saw "feed.publish".
  - Grepped for "feed.publish", no hits.

Maniphest Tasks: T13681

Differential Revision: https://secure.phabricator.com/D21826
2022-05-17 16:30:53 -07:00
epriestley
698ada2470 Correct overbroad automatic capability grant of global settings objects
Summary:
Ref T13679. In D16983, global settings objects were given an exception to let logged-out users see them, even on installs with no "public" user role.

This exception is too broad and grants everyone all capabilities, not just "CAN_VIEW". In particular, it incorrectly grants "CAN_EDIT", so any user can edit global settings defaults.

Restrict this grant to "CAN_VIEW".

Test Plan:
  - As a non-administrator, tried to edit global settings.
  - Before: could.
  - After: could not.

Maniphest Tasks: T13679

Differential Revision: https://secure.phabricator.com/D21811
2022-05-09 15:10:50 -07:00
epriestley
01253d533b Prevent embedded remarkup content from cycling when it contains embedded self-references
Summary: Ref T13678. When remarkup content embeds other remarkup content, detect and degrade if the references have nesting depth greater than 1. This is a coarse cycle detector, since rendering shallow (but technically non-cycling) trees doesn't seem valuable.

Test Plan: Created various objects with self-references, saw everything degrade properly (after one level of embedding) when embedded in itself and in other contexts. See attached screenshot.

Maniphest Tasks: T13678

Differential Revision: https://secure.phabricator.com/D21810
2022-05-09 11:21:42 -07:00