Page MenuHomePhabricator

Fix excessively strict "Can Use Application" policy filtering
ClosedPublic

Authored by epriestley on Jan 8 2017, 6:58 PM.
Tags
None
Referenced Files
Unknown Object (File)
Wed, Dec 11, 1:22 AM
Unknown Object (File)
Sun, Dec 1, 5:38 AM
Unknown Object (File)
Wed, Nov 27, 8:49 AM
Unknown Object (File)
Nov 17 2024, 12:39 AM
Unknown Object (File)
Nov 12 2024, 2:54 AM
Unknown Object (File)
Nov 3 2024, 9:50 AM
Unknown Object (File)
Oct 30 2024, 6:40 AM
Unknown Object (File)
Oct 25 2024, 8:22 AM
Subscribers
None

Details

Summary

Ref T9058. The stricter filtering is over-filtering Handles. For example, in the Phacility cluster, users can not see Almanac services.

So this filtering happens:

  • The AlmanacServiceQuery filters the service beacuse they can't see the application.
  • The HandleQuery generates a "you can't see this" handle.
  • But then the HandleQuery filters that handle! It has a "service" PHID and the user can't see Almanac.

This violates the assumption that all application code makes about handles: it's OK to query handles for objects you can't see, and you'll get something back.

Instead, don't do application filtering on handles.

Test Plan
  • Added a failing test and made it pass.
  • As a user who can not see Almanac, viewed an Instances timeline.
    • Before patch: fatal on trying to load a handle for a Service.
    • After patch: smooth sailing.

Diff Detail

Repository
rP Phabricator
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

I'm going to merge, cherry-pick and deploy this since instance administration is more or less toast without it: normal users can't see Almanac, and every instance gets Almanac transactions during creation as a side-effect of setup.

I missed this in testing because I can see Almanac just fine.

src/applications/policy/filter/PhabricatorPolicyFilter.php
882

Fixed this typo locally.

This revision was automatically updated to reflect the committed changes.

I sent this to production and verified that a non-administrator test account no longer hits this when trying to view instance timelines containing service transactions.