Commit 2a5c987c authored by epriestley's avatar epriestley

Lock policy queries to their applications

Summary:
While we mostly have reasonable effective object accessibility when you lock a user out of an application, it's primarily enforced at the controller level. Users can still, e.g., load the handles of objects they can't actually see. Instead, lock the queries to the applications so that you can, e.g., never load a revision if you don't have access to Differential.

This has several parts:

  - For PolicyAware queries, provide an application class name method.
  - If the query specifies a class name and the user doesn't have permission to use it, fail the entire query unconditionally.
  - For handles, simplify query construction and count all the PHIDs as "restricted" so we get a UI full of "restricted" instead of "unknown" handles.

Test Plan:
  - Added a unit test to verify I got all the class names right.
  - Browsed around, logged in/out as a normal user with public policies on and off.
  - Browsed around, logged in/out as a restricted user with public policies on and off. With restrictions, saw all traces of restricted apps removed or restricted.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran

Differential Revision: https://secure.phabricator.com/D7367
parent 32dd8af9
......@@ -96,4 +96,8 @@ final class PhabricatorAuthProviderConfigQuery
return $this->formatWhereClause($where);
}
public function getQueryApplicationClass() {
return 'PhabricatorApplicationAuth';
}
}
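Review bot: The new `getQueryApplicationClass()` has no docblock, although the string it returns decides whether a viewer may run this query at all. I would add `/** Application whose access policy gates this query; the query fails outright for viewers who cannot use that application. */` above it. The commit summary says the lock applies only when a query specifies a class name, so a policy-aware query that never overrides this method presumably stays unlocked; it is worth confirming that the new unit test fails for any concrete query that returns no class, rather than only checking that the names given resolve. The same applies to every other `getQueryApplicationClass()` addition on this page, from PhabricatorExternalAccountQuery to DivinerAtomQuery. The class body starts outside the hunk.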
......@@ -163,4 +163,8 @@ final class PhabricatorExternalAccountQuery
return $this->formatWhereClause($where);
}
public function getQueryApplicationClass() {
return 'PhabricatorApplicationPeople';
}
}
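Review bot: `PhabricatorExternalAccountQuery` is locked to `'PhabricatorApplicationPeople'`, while the provider-config query in the first hunk uses `'PhabricatorApplicationAuth'`, so restricting People now also fails every external-account lookup. If any login, registration or account-linking path runs this query with the requesting viewer rather than an omnipotent one (the callers are not visible here), a viewer without access to People could no longer complete it. Please confirm the callers and record the choice in a short comment above the method, for example `// External accounts follow the People policy, not Auth; login paths must query with an omnipotent viewer.` if that is the intent.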
......@@ -55,4 +55,9 @@ final class PhabricatorChatLogChannelQuery
return $this->formatWhereClause($where);
}
public function getQueryApplicationClass() {
return 'PhabricatorApplicationChatlog';
}
}
......@@ -54,4 +54,9 @@ final class PhabricatorChatLogQuery
return $this->formatWhereClause($where);
}
public function getQueryApplicationClass() {
return 'PhabricatorApplicationChatlog';
}
}
......@@ -40,4 +40,8 @@ final class PhabricatorConduitLogQuery
return $this->formatWhereClause($where);
}
public function getQueryApplicationClass() {
return 'PhabricatorApplicationConduit';
}
}
......@@ -121,4 +121,8 @@ final class PhabricatorConduitMethodQuery
return $methods;
}
public function getQueryApplicationClass() {
return 'PhabricatorApplicationConduit';
}
}
......@@ -16,15 +16,12 @@ final class PhabricatorConfigPHIDTypeConfig extends PhabricatorPHIDType {
return new PhabricatorConfigEntry();
}
public function loadObjects(
protected function buildQueryForObjects(
PhabricatorObjectQuery $query,
array $phids) {
return id(new PhabricatorConfigEntryQuery())
->setViewer($query->getViewer())
->setParentQuery($query)
->withPHIDs($phids)
->execute();
->withPHIDs($phids);
}
public function loadHandles(
......
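Review bot: `buildQueryForObjects()` now returns the query instead of executing it, but nothing on the method says so, and the application lock depends on that contract: the result has to be an unexecuted policy-aware query that the caller (presumably the base `PhabricatorPHIDType` loader, not shown) runs under the viewer's policy. A docblock stating that the method must return an unexecuted query restricted to `$phids` and must not load objects itself would keep later PHID types from returning something that sidesteps the lock. The +/- markers are lost on this page, so I cannot tell whether `->setViewer($query->getViewer())` and `->setParentQuery($query)` remain on the new side; if they do, setting them once in the base caller would mean no subclass can forget the viewer. The same applies to the `buildQueryForObjects()` hunks for the Conpherence thread, Countdown, Differential revision, Diviner atom and Diviner book PHID types. Each of these hunks ends inside `loadHandles()`, whose body is outside the view.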
......@@ -53,4 +53,8 @@ final class PhabricatorConfigEntryQuery
return $this->formatWhereClause($where);
}
public function getQueryApplicationClass() {
return 'PhabricatorApplicationConfig';
}
}
......@@ -19,15 +19,12 @@ final class PhabricatorConpherencePHIDTypeThread extends PhabricatorPHIDType {
return new ConpherenceThread();
}
public function loadObjects(
protected function buildQueryForObjects(
PhabricatorObjectQuery $query,
array $phids) {
return id(new ConpherenceThreadQuery())
->setViewer($query->getViewer())
->setParentQuery($query)
->withPHIDs($phids)
->execute();
->withPHIDs($phids);
}
public function loadHandles(
......
......@@ -282,4 +282,8 @@ final class ConpherenceThreadQuery
return $this;
}
public function getQueryApplicationClass() {
return 'PhabricatorApplicationConpherence';
}
}
......@@ -16,15 +16,12 @@ final class PhabricatorCountdownPHIDTypeCountdown extends PhabricatorPHIDType {
return new PhabricatorCountdown();
}
public function loadObjects(
protected function buildQueryForObjects(
PhabricatorObjectQuery $query,
array $phids) {
return id(new PhabricatorCountdownQuery())
->setViewer($query->getViewer())
->setParentQuery($query)
->withPHIDs($phids)
->execute();
->withPHIDs($phids);
}
public function loadHandles(
......
......@@ -85,4 +85,8 @@ final class PhabricatorCountdownQuery
return $this->formatWhereClause($where);
}
public function getQueryApplicationClass() {
return 'PhabricatorApplicationCountdown';
}
}
......@@ -142,4 +142,8 @@ final class PhabricatorDaemonLogQuery
}
}
public function getQueryApplicationClass() {
return 'PhabricatorApplicationDaemons';
}
}
......@@ -16,15 +16,12 @@ final class DifferentialPHIDTypeRevision extends PhabricatorPHIDType {
return new DifferentialRevision();
}
public function loadObjects(
protected function buildQueryForObjects(
PhabricatorObjectQuery $query,
array $phids) {
return id(new DifferentialRevisionQuery())
->setViewer($query->getViewer())
->setParentQuery($query)
->withPHIDs($phids)
->execute();
->withPHIDs($phids);
}
public function loadHandles(
......
......@@ -137,4 +137,8 @@ final class DifferentialDiffQuery
return $this->formatWhereClause($where);
}
public function getQueryApplicationClass() {
return 'PhabricatorApplicationDifferential';
}
}
......@@ -1189,7 +1189,8 @@ final class DifferentialRevisionQuery
) + array_fuse($project_authority);
}
public function getQueryApplicationClass() {
return 'PhabricatorApplicationDifferential';
}
}
......@@ -250,4 +250,8 @@ final class DiffusionCommitQuery
}
}
public function getQueryApplicationClass() {
return 'PhabricatorApplicationDiffusion';
}
}
......@@ -16,15 +16,12 @@ final class DivinerPHIDTypeAtom extends PhabricatorPHIDType {
return new DivinerLiveSymbol();
}
public function loadObjects(
protected function buildQueryForObjects(
PhabricatorObjectQuery $query,
array $phids) {
return id(new DivinerAtomQuery())
->setViewer($query->getViewer())
->setParentQuery($query)
->withPHIDs($phids)
->execute();
->withPHIDs($phids);
}
public function loadHandles(
......
......@@ -16,15 +16,12 @@ final class DivinerPHIDTypeBook extends PhabricatorPHIDType {
return new DivinerLiveBook();
}
public function loadObjects(
protected function buildQueryForObjects(
PhabricatorObjectQuery $query,
array $phids) {
return id(new DivinerBookQuery())
->setViewer($query->getViewer())
->setParentQuery($query)
->withPHIDs($phids)
->execute();
->withPHIDs($phids);
}
public function loadHandles(
......
......@@ -405,4 +405,8 @@ final class DivinerAtomQuery
}
}
public function getQueryApplicationClass() {
return 'PhabricatorApplicationDiviner';
}
}