Home GnuPG
Diffusion Phabricator f16778fc18b7

Fix excessively strict "Can Use Application" policy filtering
f16778fc18b7Unpublished
Actions

Unpublished Commit ยท Learn More

Repository Importing: This repository is still importing.

Description

Fix excessively strict "Can Use Application" policy filtering

Summary:
Ref T9058. The stricter filtering is over-filtering Handles. For example, in the Phacility cluster, users can not see Almanac services.

So this filtering happens:

  • The AlmanacServiceQuery filters the service beacuse they can't see the application.
  • The HandleQuery generates a "you can't see this" handle.
  • But then the HandleQuery filters that handle! It has a "service" PHID and the user can't see Almanac.

This violates the assumption that all application code makes about handles: it's OK to query handles for objects you can't see, and you'll get something back.

Instead, don't do application filtering on handles.

Test Plan:

  • Added a failing test and made it pass.
  • As a user who can not see Almanac, viewed an Instances timeline.
    • Before patch: fatal on trying to load a handle for a Service.
    • After patch: smooth sailing.

Reviewers: chad

Maniphest Tasks: T9058

Differential Revision: https://secure.phabricator.com/D17152

Details

Provenance
epriestley <git@epriestley.com>Authored on Jan 8 2017, 7:53 PM
Parents
rPHABd4248d231bed: Correct "Manage Password" link in Quickling in Diffusion
Branches
Unknown
Tags
Unknown

Event Timeline

epriestley <git@epriestley.com> committed rPHABf16778fc18b7: Fix excessively strict "Can Use Application" policy filtering (authored by epriestley <git@epriestley.com>).Jan 8 2017, 8:01 PM

Changes (2)

PathSize
src/
applications/
policy/
filter/
project/
__tests__/

rPHABf16778fc18b7

View Options

src/applications/policy/filter/PhabricatorPolicyFilter.php

Loading...
View Options

src/applications/project/__tests__/PhabricatorProjectCoreTestCase.php

Loading...