Page MenuHomePhabricator

Remove "feed.public" and sort out feed policies
ClosedPublic

Authored by epriestley on Jul 1 2015, 9:49 PM.
Tags
None
Referenced Files
F14006300: D13518.id32681.diff
Mon, Oct 28, 5:45 AM
F13997169: D13518.id32681.diff
Thu, Oct 24, 2:47 AM
F13982429: D13518.id.diff
Sat, Oct 19, 11:13 PM
F13980068: D13518.id32684.diff
Sat, Oct 19, 8:16 AM
F13973612: D13518.diff
Fri, Oct 18, 1:44 AM
F13973605: D13518.id.diff
Fri, Oct 18, 1:41 AM
F13973603: D13518.id32681.diff
Fri, Oct 18, 1:40 AM
F13973598: D13518.id32684.diff
Fri, Oct 18, 1:38 AM
Subscribers

Details

Summary

Ref T6817. Fixes T8731. On the old secure host, feed.public was set to true. I didn't bring the option over, which caused the secondary issue in T8731.

Specifically, when feed.public is off, a logged-out user looking at feed can't see any stories, so they query all of feed until they hit the time limit.

To fix this immediately, just use the most open policy, which is basically equivalent but always correct.

To fix this more thoroughly:

  • Remove feed.public, which violates policies and has been slated for removal for a while (see T6817).
  • Clean up policy handling.
Test Plan
  • As a logged-out user, viewed feed on a public install with feed.public off; no longer saw all stories get queried + no feed shown.
  • Grepped for feed.public.

Diff Detail

Repository
rP Phabricator
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

epriestley retitled this revision from to Remove "feed.public" and sort out feed policies.
epriestley updated this object.
epriestley edited the test plan for this revision. (Show Details)
epriestley added a reviewer: btrahan.
src/applications/feed/story/PhabricatorFeedStory.php
364

This should fix or at least improve T6817, although I didn't actually check what happens with it.

504

This method was buggy and never worked -- this should have been isset().

src/applications/feed/story/PhabricatorFeedStory.php
91–97

Specifically, this is performing the effective policy check: you need to be able to see a story's object(s) in order to see the story.

Oh, and "public feed" (e.g., feed on this install) still works fine, just not the special secret magical iframe policy-violating feed.

This revision is now accepted and ready to land.Jul 1 2015, 10:04 PM
This revision was automatically updated to reflect the committed changes.