Page MenuHomePhabricator
Create Task
Maniphest T7094

Clean up T603
Closed, ResolvedPublic
Actions

Description

Did a casual grep of T603 just now

src/applications/differential/parser/DifferentialChangesetParser.php:908:          // TODO: (T603) Probably fine to use omnipotent viewer here?
src/applications/diffusion/conduit/DiffusionGetCommitsConduitAPIMethod.php:244:    // TODO: (T603) This should be policy checked, either by moving to
src/applications/diffusion/query/DiffusionSymbolQuery.php:266:      // TODO: (T603) Provide a viewer here.
src/applications/diffusion/request/DiffusionRequest.php:390:      // TODO: (T603) This should be a real query, but we need to sort out
src/applications/drydock/blueprint/DrydockWorkingCopyBlueprintImplementation.php:43:    // TODO: (T603) Figure out the interaction between policies and
src/applications/maniphest/query/ManiphestTaskQuery.php:226:    // TODO: (T603) It is possible for a user to find the PHID of a project
src/applications/maniphest/view/ManiphestTaskResultListView.php:63:      // TODO: (T603) Eventually, we conceivably need to make each task
src/applications/metamta/replyhandler/PhabricatorMailReplyHandler.php:328:    // TODO: (T603) What's the policy here?
src/applications/owners/storage/PhabricatorOwnersPackage.php:253:    // thing to an Editor (T603).
src/applications/owners/storage/PhabricatorOwnersPackage.php:321:        // TODO: (T603) Thread policy stuff in here.
src/applications/people/storage/PhabricatorUser.php:694:      // TODO: (T603) Can we get rid of this entirely and move it to
src/applications/releeph/commitfinder/ReleephCommitFinder.php:33:      // TOOD: (T603) This is all slated for annihilation.
src/applications/repository/storage/PhabricatorRepositoryArcanistProject.php:48:  // TODO: Remove. Also, T603.
src/applications/repository/storage/PhabricatorRepositoryCommit.php:259:        // TODO: (T603) Who should be able to edit a commit? For now, retain
src/applications/repository/worker/commitchangeparser/PhabricatorOwnersPackagePathValidator.php:18:    // TODO: (T603) This should be policy-aware.
src/applications/repository/worker/PhabricatorRepositoryCommitOwnersWorker.php:109:      // TODO: (T603) This is probably safe to use an omnipotent user on,
src/applications/transactions/storage/PhabricatorApplicationTransaction.php:1143:    // TODO: (T603) Exact policies are unclear here.
src/applications/transactions/storage/PhabricatorApplicationTransactionComment.php:146:    // TODO: (T603) Policies are murky.

I think this is good to take a pass through and clean up.

Revisions and Commits

rP Phabricator
AbandonedD11631 Policy - clean up access to user profile image uri
D11660rPda1531f219d0 Policy - make ManiphestTaskQuery verify project visibility first thing
D11658rP461b09d17e69 Policy - update TODO to better tracking task for Maniphest drag and drop…
D11656rPdd814decbc52 Policy - remove comment to change policy later as its good as is
D11655rP53d7868c6db9 Policy - convert Drydock query for repository to policy-based query
D11654rP8c79b3eaede0 Policy - convert repository worker to query revision with policy query
D11653rP026e3794831f Policy - do proper policy queries when updating owners packages in commit…
D11652rP9b65370398cc Policy - move some owners code into an editor class and check policy better
D11632rP0969b0d8c87d Policy - add an explanation for automatic capabilities for transactions and…
D11633rP6ba0e5cfbf41 Policy - fix method name
D11630rPb2320c2e6817 Policy - clean up access to user profile image uri
D11591rP0fa31802e7dd Policy - lock down ReleephCommitFinder
D11589rP388d1ff7bd92 Policy - lock down file loading in mail reply handler path
D11586rPf58dce681905 Policy - remove loadRepository() method from ArcanistProjects
AuditedD11585rP8573d5b0c1a3 Policy - lock down loadCommit() from DiffusionRequest objects
D11584rPe1dcbc43866a Policy - lock down DiffusionSymbolQuery repo-loading code
D11581rPbdb3adeee485 Policy - clean up the deprecated diffusion.getcommits
D11579rP77eae81e1a5c Policy - fix up DifferentialChangesetParser

Related Objects

Event Timeline

btrahan created this task.Jan 30 2015, 5:37 PM
btrahan claimed this task.
btrahan raised the priority of this task from to High.
btrahan updated the task description. (Show Details)
btrahan added a project: Policy.
btrahan added subscribers: btrahan, epriestley.
btrahan added a revision: D11579: Policy - fix up DifferentialChangesetParser.Jan 30 2015, 7:05 PM
btrahan added a commit: rP77eae81e1a5c: Policy - fix up DifferentialChangesetParser.Jan 30 2015, 7:17 PM
btrahan added a revision: D11581: Policy - clean up the deprecated diffusion.getcommits.Jan 30 2015, 7:46 PM
btrahan added a commit: rPbdb3adeee485: Policy - clean up the deprecated diffusion.getcommits.Jan 30 2015, 7:51 PM
joshuaspence added a subscriber: joshuaspence.Jan 30 2015, 9:02 PM
btrahan added a revision: D11584: Policy - lock down DiffusionSymbolQuery repo-loading code.Jan 30 2015, 10:35 PM
btrahan added a revision: D11585: Policy - lock down loadCommit() from DiffusionRequest objects.Jan 30 2015, 10:47 PM
btrahan added a revision: D11586: Policy - remove loadRepository() method from ArcanistProjects.Jan 30 2015, 11:04 PM
btrahan added a revision: D11589: Policy - lock down file loading in mail reply handler path.Jan 30 2015, 11:14 PM
btrahan added a revision: D11591: Policy - lock down ReleephCommitFinder.Jan 30 2015, 11:46 PM
btrahan added a commit: rPe1dcbc43866a: Policy - lock down DiffusionSymbolQuery repo-loading code.Feb 1 2015, 2:36 AM
btrahan added a commit: rP8573d5b0c1a3: Policy - lock down loadCommit() from DiffusionRequest objects.Feb 1 2015, 5:33 PM
btrahan added a revision: D11630: Policy - clean up access to user profile image uri.Feb 2 2015, 9:56 PM
btrahan added a revision: D11631: Policy - clean up access to user profile image uri.
btrahan added a commit: rPf58dce681905: Policy - remove loadRepository() method from ArcanistProjects.Feb 2 2015, 9:58 PM
btrahan added a commit: rP388d1ff7bd92: Policy - lock down file loading in mail reply handler path.Feb 2 2015, 10:02 PM
btrahan added a commit: rP0fa31802e7dd: Policy - lock down ReleephCommitFinder.
btrahan added a commit: rPb2320c2e6817: Policy - clean up access to user profile image uri.
btrahan added a revision: D11632: Policy - add an explanation for automatic capabilities for transactions and transaction comments.Feb 2 2015, 10:12 PM
btrahan added a revision: D11633: Policy - fix method name.Feb 2 2015, 10:39 PM
btrahan added a commit: rP6ba0e5cfbf41: Policy - fix method name.Feb 2 2015, 10:40 PM
btrahan added a commit: rP0969b0d8c87d: Policy - add an explanation for automatic capabilities for transactions and….
btrahan added a revision: D11652: Policy - move some owners code into an editor class and check policy better.Feb 3 2015, 7:37 PM
btrahan added a commit: rP9b65370398cc: Policy - move some owners code into an editor class and check policy better.Feb 3 2015, 7:41 PM
btrahan added a revision: D11653: Policy - do proper policy queries when updating owners packages in commit workers.Feb 3 2015, 7:51 PM
btrahan added a commit: rP026e3794831f: Policy - do proper policy queries when updating owners packages in commit….Feb 3 2015, 7:55 PM
btrahan added a revision: D11654: Policy - convert repository worker to query revision with policy query.Feb 3 2015, 8:02 PM
btrahan added a comment.Feb 3 2015, 8:05 PM

Assuming my last revision makes it through, just four issues remain... @epriestley - I've provided some details... Can you let me know what you want me to do for these last four?

src/applications/drydock/blueprint/DrydockWorkingCopyBlueprintImplementation.php:43: // TODO: (T603) Figure out the interaction between policies and Drydock

This particular bit of code loads a repository based on the 'repositoryID' attribute from a DrydockLease. I am not sure what the interaction should be - maybe if there exists an intersection of people who can edit the blueprint and see the repository? Sounds messy.

src/applications/maniphest/query/ManiphestTaskQuery.php:226: // TODO: (T603) It is possible for a user to find the PHID of a project

Full TODO is...

// TODO: (T603) It is possible for a user to find the PHID of a project
// they can't see, then query for tasks in that project and deduce the
// identity of unknown/invisible projects. Before we allow the user to
// execute a project-based PHID query, we should verify that they
// can see the project.

should there be some code added to willExecute that filters out any projectPHIDs the user can't see? (Basically do a policy query for the project phids specified and remove any that don't match?) Otherwise, how should this be implemented?

src/applications/maniphest/view/ManiphestTaskResultListView.php:63: // TODO: (T603) Eventually, we conceivably need to make each task draggable individually

This is a polish thing, where I think users can see some tasks but not edit them, but the UI lets them drag if they are logged in users. I have not investigated this, but presumably its an involved change to make the javascript aware of things on a per-item basis. My proposal is to file a new task, low priority to handle this. Alternatively, I can tackle this if you think its like an afternoon or less of work.

src/applications/repository/storage/PhabricatorRepositoryCommit.php:259: // TODO: (T603) Who should be able to edit a commit? For now, retain the existing policy and return PhabricatorPolicies::POLICY_USER

Whaddya say boss?

btrahan added a commit: rP8c79b3eaede0: Policy - convert repository worker to query revision with policy query.Feb 3 2015, 8:07 PM
epriestley added a comment.Feb 3 2015, 8:13 PM

#1: For drydock, I'd switch it to a Query with an omnipotent user -- we can only reasonably do the checks when users create the blueprints, since systems like Drydock, Almanac, Harbormaster and Instances don't act as a real user when running background tasks. Like with Harbormaster, we'll just prevent you from creating things that affect stuff you can't act on in the first place. Drydock will have high default barriers to creation, anyway.

#2: For the task query thing, we should ideally run a ProjectQuery and make sure they can see all the projects they're about to run a TaskQuery for, then filter out the ones that they can't see and throw a PhabricatorEmptyQueryException if nothing is left after filtering.

#3:

My proposal is to file a new task, low priority to handle this.

Yep, agreed with your assessment and proposal.

#4:

Rule seems fine as-is for now, we can just remove the comment. In effect, POLICY_USER means "users who can see the repository" because that's built in to being able to see a commit, which seems like a workable rule. Editing commits basically does nothing anyway (tagging them and linking them to stuff). I haven't seen any users hitting issues with this.

btrahan added a revision: D11655: Policy - convert Drydock query for repository to policy-based query.Feb 3 2015, 8:20 PM
btrahan added a revision: D11656: Policy - remove comment to change policy later as its good as is.Feb 3 2015, 8:23 PM
btrahan mentioned this in T7131: Lock items from drag and drop on a per item basis.Feb 3 2015, 8:25 PM
btrahan added a revision: D11658: Policy - update TODO to better tracking task for Maniphest drag and drop policy fix.Feb 3 2015, 8:27 PM
btrahan added a commit: rP53d7868c6db9: Policy - convert Drydock query for repository to policy-based query.Feb 3 2015, 8:28 PM
btrahan added a commit: rPdd814decbc52: Policy - remove comment to change policy later as its good as is.
btrahan added a commit: rP461b09d17e69: Policy - update TODO to better tracking task for Maniphest drag and drop….
btrahan added a revision: D11660: Policy - make ManiphestTaskQuery verify project visibility first thing.Feb 3 2015, 9:14 PM
btrahan closed this task as Resolved by committing rPda1531f219d0: Policy - make ManiphestTaskQuery verify project visibility first thing.Feb 3 2015, 9:53 PM
btrahan added a commit: rPda1531f219d0: Policy - make ManiphestTaskQuery verify project visibility first thing.
Phabricator · Built by Phacility