Page MenuHomePhabricator
Differential D17152

Fix excessively strict "Can Use Application" policy filtering
ClosedPublic
Actions

Authored by epriestley on Jan 8 2017, 6:58 PM.
Tags
None
Referenced Files
F14057120: D17152.diff
Sun, Nov 17, 12:39 AM
F14042360: D17152.diff
Tue, Nov 12, 2:54 AM
F14014908: D17152.diff
Sun, Nov 3, 9:50 AM
F14008798: D17152.diff
Wed, Oct 30, 6:40 AM
F14001473: D17152.diff
Fri, Oct 25, 8:22 AM
F13999521: D17152.id41250.diff
Thu, Oct 24, 3:20 PM
F13995133: D17152.id.diff
Wed, Oct 23, 10:51 AM
F13962852: D17152.id41249.diff
Oct 15 2024, 12:39 PM
View All Files
Subscribers
None

Details

Reviewers
chad
Maniphest Tasks
T9058: PhabricatorPolicyFilter::hasCapability() does not apply application-level "Can Use Application" policy checks
Commits
rP40be2d53743c: (stable) Fix excessively strict "Can Use Application" policy filtering
rPf16778fc18b7: Fix excessively strict "Can Use Application" policy filtering
Summary

Ref T9058. The stricter filtering is over-filtering Handles. For example, in the Phacility cluster, users can not see Almanac services.

So this filtering happens:

  • The AlmanacServiceQuery filters the service beacuse they can't see the application.
  • The HandleQuery generates a "you can't see this" handle.
  • But then the HandleQuery filters that handle! It has a "service" PHID and the user can't see Almanac.

This violates the assumption that all application code makes about handles: it's OK to query handles for objects you can't see, and you'll get something back.

Instead, don't do application filtering on handles.

Test Plan
  • Added a failing test and made it pass.
  • As a user who can not see Almanac, viewed an Instances timeline.
    • Before patch: fatal on trying to load a handle for a Service.
    • After patch: smooth sailing.

Diff Detail

Repository
rP Phabricator
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

epriestley created this revision.Jan 8 2017, 6:58 PM
Harbormaster completed remote builds in B15136: Diff 41249.Jan 8 2017, 6:59 PM
epriestley added a comment.Jan 8 2017, 7:01 PM

I'm going to merge, cherry-pick and deploy this since instance administration is more or less toast without it: normal users can't see Almanac, and every instance gets Almanac transactions during creation as a side-effect of setup.

I missed this in testing because I can see Almanac just fine.

src/applications/policy/filter/PhabricatorPolicyFilter.php
882

Fixed this typo locally.

Closed by commit rPf16778fc18b7: Fix excessively strict "Can Use Application" policy filtering (authored by epriestley, committed by epriestley). · Explain WhyJan 8 2017, 7:01 PM
This revision was automatically updated to reflect the committed changes.
chad edited edge metadata.Jan 8 2017, 7:02 PM

epriestley added a comment.Jan 8 2017, 7:05 PM

I sent this to production and verified that a non-administrator test account no longer hits this when trying to view instance timelines containing service transactions.

Revision Contents
Changeset List

PathSize
src/
applications/
policy/
filter/
13 lines
project/
__tests__/
20 lines

Diff 41250

View Options

src/applications/policy/filter/PhabricatorPolicyFilter.php

Loading...
View Options

src/applications/project/__tests__/PhabricatorProjectCoreTestCase.php

Loading...
Phabricator · Built by Phacility