Page MenuHomePhabricator
Create Task
Maniphest T7703

Policy checks may execute incompletely for non-viewers
Closed, ResolvedPublic
Actions

Description

I have some herald rules which flags items.

On secure.phab, I would up with the case show in the screenshot. Presumably this is a deleted or hidden item?

bad_flag.png (332×1 px, 92 KB)

Revisions and Commits

rP Phabricator
ClosedD13070 Add repositories to Diviner
D13104rPd6247ffca59c Add support for "Extended Policies"

Related Objects
Search...

Event Timeline

sshannin created this task.Mar 30 2015, 9:52 PM
sshannin raised the priority of this task from to Needs Triage.
sshannin updated the task description. (Show Details)
sshannin added a project: Flags.
sshannin added a subscriber: sshannin.

Also, note that floating text in the search box, hehe

chad added a subscriber: chad.Mar 30 2015, 9:53 PM

what browser is that?

sshannin added a comment.EditedMar 30 2015, 9:53 PM

26.0 build for linux mint (aka mint build 1.0)

chad added a comment.EditedMar 30 2015, 9:55 PM

I presume this to be a deleted item.

chad added a comment.Mar 30 2015, 10:26 PM

Actually, I'm probably wrong. It looks like (based on Feed in the screenshot) there is plenty of activity you don't have access to see. I'm not really sure we should let you flag an object you can't see. What specifically is the Herald rule?

chad added a project: Herald.Mar 30 2015, 10:27 PM
epriestley claimed this task.Mar 30 2015, 10:43 PM

The expectation is that the rule will fail to run when the user can't see the object. The code is consistent with this expectation, looking into it..

epriestley added a comment.Mar 30 2015, 11:08 PM

We are doing a policy check here, but it's an unusual check and it's not fully effective.

Essentially everywhere else in the code, we do policy checks only for the user who loaded objects. So you load a page, we load some objects "as you", and then we might do some additional check (to see if you have edit permission, for example, to determine whether we should disable an action like "Edit Thing").

In Herald, we load the object as one user (the actor) and then execute checks for different users (the rule owners). These checks are effective for the primary policy rules, but avoid some implicit checks -- notably, in Differential, the implicit check that requires you be able to see the repository.

This might also affect diffs (which have the same repository-implicit rule) and Phriction documents (which have an implicit dependency on their parents).

I don't see a terribly clear path forward:

  • We can repeat the entire load as the rule owner, which will produce the correct behavior but introduce a large performance penalty.
  • We can modify PhabricatorPolicyInterface and add a method like getPolicyRequirements($capability), which would return a list of <object, required capabilities> pairs that need to be checked for the check to succeed. This seems structurally correct but is a lot of work.
  • This is important-ish to fix but not hugely critical so maybe I can think about it for a bit and come up with something better.
epriestley triaged this task as Normal priority.Mar 30 2015, 11:12 PM
epriestley added a project: Policy.
sshannin added a comment.Mar 30 2015, 11:27 PM

To your question @chad (although it seems like the clarity is not needed anymore), it just flags any newly created diff.

joshuaspence added a subscriber: joshuaspence.Mar 31 2015, 6:30 AM
epriestley renamed this task from Flagged Unknown Object to Policy checks may execute incompletely for non-viewers.Apr 11 2015, 8:18 PM

Project watchers are affected in the same way; see T6183.

epriestley mentioned this in T6183: Allow any user to watch projects.Apr 11 2015, 8:20 PM
epriestley added a parent task: T6183: Allow any user to watch projects.
epriestley added a comment.Apr 11 2015, 8:23 PM

This seems structurally correct but is a lot of work.

I haven't come up with a better approach for this yet. Assuming I don't, I think this is roughly 4-6 hours of work.

devurandom added a subscriber: devurandom.Apr 13 2015, 7:40 PM
epriestley mentioned this in T3820: Implement top-level "Spaces" that provide policy isolation to groups of objects.May 28 2015, 5:05 PM
epriestley added a revision: D13070: Add repositories to Diviner.Jun 1 2015, 2:44 PM
epriestley added a parent task: T8377: Build the core "Spaces" Application.Jun 1 2015, 9:37 PM
epriestley added a revision: D13104: Add support for "Extended Policies".Jun 1 2015, 9:44 PM
epriestley mentioned this in T8376: Develop Spaces (v1).Jun 3 2015, 2:04 PM
epriestley added a commit: rPd6247ffca59c: Add support for "Extended Policies".Jun 4 2015, 1:59 AM
epriestley mentioned this in D13231: Support Spaces in Pholio.Jun 10 2015, 10:50 PM
jeremyb added a subscriber: jeremyb.Jun 14 2015, 5:03 AM
joshuaspence mentioned this in rP69d12f64baf9: Add repositories to Diviner.Jun 19 2015, 8:05 AM
eadler added a subscriber: eadler.Jul 10 2015, 5:09 AM
aklapper added a subscriber: aklapper.Dec 8 2016, 8:53 PM
urzds added a subscriber: urzds.Jul 12 2017, 11:13 AM
sshannin added a comment.Nov 23 2017, 3:37 AM

I'm unable to close this, but I believe this to be resolved (or at least my specific repro of flags via herald no longer applies I believe).

epriestley closed this task as Resolved.May 3 2019, 4:53 AM

Although I'm not entirely confident that 100% of objects which should implement ExtendedPolicyInterface actually do today, I think we've gotten pretty much all of them. This approach also seems stable.

Later, this more often took the form of:

When I set parent object X to an object policy like "Subscribers" or "Task Author", child object Y fatals or becomes invisible [because the policy can not be evaluated against Y].

This form of the issue was more visible than "Herald might not fully execute all related policy checks in all cases" and I believe it rooted the rest of these out.

Herald added a subscriber: amckinley. · View Herald TranscriptMay 3 2019, 4:53 AM
Phabricator · Built by Phacility