Caching inside the policy filter may cause policy filtering to occur on a partial representation of a project
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	adampaetznick
	Nov 11 2016, 6:15 PM

Description

Reproduction steps:

Open "Create Subproject" from a parent project Subprojects page.
Limit subproject visibility to members of the parent project.
Create the subproject.

Expected result:

Members of the parent project can view, and join the subproject

Actual result:

No one can join, view, or edit the subproject. Error message "You do not have permission to view this object".
policy unlock claims to succeed, but the same error remains. Note that the error message still indicates that only members of the parent project can view.

Revisions and Commits

rP Phabricator
	D16841	rP4c540fb01b9a Fix some policy CSS
	D16840	rP40d3bcb8910b Fix a complicated object caching issue with the policy filter

Related Objects

Mentioned Here: T10779: Cannot manage base project milestones if base project has subprojects
rARCe17fe43ca3fe: (stable) Promote 2016 Week 43
rP111c63955155: (stable) Promote 2016 Week 45
rPHU40e473e05788: (stable) Promote 2016 Week 45

Event Timeline

adampaetznick created this task.Nov 11 2016, 6:15 PM

Versions:

phabricator 111c63955155046bbd57c3836c78d460ebe13dfb (Sat, Nov 5)
arcanist e17fe43ca3fe6dc6dd0b5ce056f56310ea1d3d51 (Fri, Oct 21)
phutil 40e473e057885dab5de4fb42901f7fff2d340a6a (Sat, Nov 5)

I can't reproduce this. Can you create a test instance in Phacility and reproduce this there?

Sounds similar to T10779

I was able to reproduce in this test instance. There is a parent project called Parent, and two subprojects: Sub1 and Sub2. Sub2 produces the error.

The key appears to be in the policy settings of the Parent project. The problem does not occur if visibility of Parent is set to All Users. But it does occur when the visibility of Parent is restricted to members of Parent.

Here's the raw data from that install:

mysql> select * from project\G
*************************** 1. row ***************************
                id: 1
              name: Parent
              phid: PHID-PROJ-gpnlq4nvtvrtsrcvkt4b
        authorPHID: PHID-USER-w7oapp7xetx7xshvruyb
       dateCreated: 1478890241
      dateModified: 1478891093
            status: 0
        viewPolicy: PHID-PROJ-gpnlq4nvtvrtsrcvkt4b
        editPolicy: users
        joinPolicy: users
isMembershipLocked: 0
  profileImagePHID: PHID-FILE-jwwqkilrad7t52brmrm7
              icon: umbrella
             color: blue
           mailKey: kmkffcnuqpqihr7ptanl
       primarySlug: parent
 parentProjectPHID: NULL
      hasWorkboard: 0
     hasMilestones: 0
    hasSubprojects: 1
   milestoneNumber: NULL
       projectPath: Ruyh
      projectDepth: 0
    projectPathKey: Ruyh
        properties: []
*************************** 2. row ***************************
                id: 2
              name: Sub1
              phid: PHID-PROJ-b57byavdns3rb2zmw72l
        authorPHID: PHID-USER-w7oapp7xetx7xshvruyb
       dateCreated: 1478890274
      dateModified: 1478890820
            status: 0
        viewPolicy: users
        editPolicy: users
        joinPolicy: users
isMembershipLocked: 0
  profileImagePHID: PHID-FILE-ginwpqgxpewiiwjpchgo
              icon: project
             color: blue
           mailKey: 7zxqadvhxdzpcz7aykn2
       primarySlug: sub1
 parentProjectPHID: PHID-PROJ-gpnlq4nvtvrtsrcvkt4b
      hasWorkboard: 0
     hasMilestones: 0
    hasSubprojects: 0
   milestoneNumber: NULL
       projectPath: Ruyh5525
      projectDepth: 1
    projectPathKey: 5525
        properties: []
*************************** 3. row ***************************
                id: 3
              name: Sub2
              phid: PHID-PROJ-nvzcde5sidg3ighpxgbk
        authorPHID: PHID-USER-w7oapp7xetx7xshvruyb
       dateCreated: 1478890382
      dateModified: 1478890861
            status: 0
        viewPolicy: PHID-PROJ-gpnlq4nvtvrtsrcvkt4b
        editPolicy: admin
        joinPolicy: PHID-PROJ-gpnlq4nvtvrtsrcvkt4b
isMembershipLocked: 0
  profileImagePHID: PHID-FILE-garszdg7hcgucv635aaa
              icon: project
             color: blue
           mailKey: f6jrgqosorzxx5g77tdg
       primarySlug: sub2
 parentProjectPHID: PHID-PROJ-gpnlq4nvtvrtsrcvkt4b
      hasWorkboard: 0
     hasMilestones: 0
    hasSubprojects: 0
   milestoneNumber: NULL
       projectPath: RuyhaygI
      projectDepth: 1
    projectPathKey: aygI
        properties: []
3 rows in set (0.00 sec)

Note that both "Sub2" and "Parent" have been set the global project policy "Members of: 'Parent'", not the object policy "Project Members".

epriestley renamed this task from Cannot view or unlock a subproject to Caching inside the policy filter may cause policy filtering to occur on a partial representation of a project.Nov 11 2016, 9:15 PM

epriestley added a project: Policy.

Herald added a subscriber: eadler. · View Herald TranscriptNov 11 2016, 9:15 PM

epriestley claimed this task.Nov 11 2016, 9:15 PM

epriestley triaged this task as Normal priority.

epriestley added a revision: D16840: Fix a complicated object caching issue with the policy filter.Nov 11 2016, 9:28 PM

epriestley added a revision: D16841: Fix some policy CSS.Nov 11 2016, 9:31 PM

epriestley closed this task as Resolved by committing rP40d3bcb8910b: Fix a complicated object caching issue with the policy filter.Nov 11 2016, 9:42 PM

epriestley added a commit: rP40d3bcb8910b: Fix a complicated object caching issue with the policy filter.

epriestley added a commit: rP4c540fb01b9a: Fix some policy CSS.