Page MenuHomePhabricator
Files F13992237

D11660.id.diff
No OneTemporary
Actions

D11660.id.diff
View Options

diff --git a/src/applications/maniphest/query/ManiphestTaskQuery.php b/src/applications/maniphest/query/ManiphestTaskQuery.php
--- a/src/applications/maniphest/query/ManiphestTaskQuery.php
+++ b/src/applications/maniphest/query/ManiphestTaskQuery.php
@@ -56,6 +56,8 @@
private $blockingTasks;
private $blockedTasks;
+ private $projectPolicyCheckFailed = false;
+
const DEFAULT_PAGE_SIZE = 1000;
public function withAuthors(array $authors) {
@@ -222,12 +224,34 @@
return $this;
}
+ protected function willExecute() {
+ // Make sure the user can see any projects specified in this
+ // query FIRST.
+ if ($this->projectPHIDs) {
+ $projects = id(new PhabricatorProjectQuery())
+ ->setViewer($this->getViewer())
+ ->withPHIDs($this->projectPHIDs)
+ ->execute();
+ $projects = mpull($projects, null, 'getPHID');
+ foreach ($this->projectPHIDs as $index => $phid) {
+ $project = idx($projects, $phid);
+ if (!$project) {
+ unset($this->projectPHIDs[$index]);
+ continue;
+ }
+ }
+ if (!$this->projectPHIDs) {
+ $this->projectPolicyCheckFailed = true;
+ }
+ $this->projectPHIDs = array_values($this->projectPHIDs);
+ }
+ }
+
protected function loadPage() {
- // TODO: (T603) It is possible for a user to find the PHID of a project
- // they can't see, then query for tasks in that project and deduce the
- // identity of unknown/invisible projects. Before we allow the user to
- // execute a project-based PHID query, we should verify that they
- // can see the project.
+
+ if ($this->projectPolicyCheckFailed) {
+ throw new PhabricatorEmptyQueryException();
+ }
$task_dao = new ManiphestTask();
$conn = $task_dao->establishConnection('r');

File Metadata

Mime Type
text/plain
Expires
Wed, Oct 23, 3:23 PM (3 w, 6 d ago)
Storage Engine
blob
Storage Format
Encrypted (AES-256-CBC)
Storage Handle
6710407
Default Alt Text
D11660.id.diff (1 KB)

Event Timeline

Phabricator · Built by Phacility