Home GnuPG
Diffusion Phabricator 40be2d53743c

(stable) Fix excessively strict "Can Use Application" policy filtering
40be2d53743cUnpublished
Actions

Unpublished Commit ยท Learn More

Repository Importing: This repository is still importing.

Description

(no title)

(stable) Fix excessively strict "Can Use Application" policy filtering

Summary:
Ref T9058. The stricter filtering is over-filtering Handles. For example, in the Phacility cluster, users can not see Almanac services.

So this filtering happens:

  • The AlmanacServiceQuery filters the service beacuse they can't see the application.
  • The HandleQuery generates a "you can't see this" handle.
  • But then the HandleQuery filters that handle! It has a "service" PHID and the user can't see Almanac.

This violates the assumption that all application code makes about handles: it's OK to query handles for objects you can't see, and you'll get something back.

Instead, don't do application filtering on handles.

Test Plan:

  • Added a failing test and made it pass.
  • As a user who can not see Almanac, viewed an Instances timeline.
    • Before patch: fatal on trying to load a handle for a Service.
    • After patch: smooth sailing.

Reviewers: chad

Maniphest Tasks: T9058

Differential Revision: https://secure.phabricator.com/D17152

Details

Provenance
epriestley <git@epriestley.com>Authored on Jan 8 2017, 7:53 PM
Parents
rPHABea9c0607e1fb: (stable) Promote 2017 Week 1
Branches
Unknown
Tags
Unknown

Event Timeline

epriestley <git@epriestley.com> committed rPHAB40be2d53743c: (stable) Fix excessively strict "Can Use Application" policy filtering (authored by epriestley <git@epriestley.com>).Jan 8 2017, 8:01 PM

Changes (2)

PathSize
src/
applications/
policy/
filter/
project/
__tests__/

rPHAB40be2d53743c

View Options

src/applications/policy/filter/PhabricatorPolicyFilter.php

Loading...
View Options

src/applications/project/__tests__/PhabricatorProjectCoreTestCase.php

Loading...