    LOCAL: Make 'All Users' space extremely magic · 446c73ce
    Daniel Stone authored
    Phriction's view policy is ancestral: in order to access /w/foo/bar/baz,
    you must be able to access /w/foo and /w/bar in addition to
    /w/foo/bar/baz itself.
    
    This is fine and makes life easy: by setting restrictive policies on
    top-level pages, we can lessen the risk of someone exposing information
    they shouldn't, by accidentally making
    /w/cold-fusion/secret-research/funding-meeting/2018-09-14 public, when
    the rest of the hierarchy is super locked down.
    
    Phriction also recently gained Spaces support, which is nice: rather
    than trying to lock down with groups and harmonise permissions, we can
    just move top-level wiki pages to a particular Space, and then we don't
    need to worry about groups.
    
    Our clients don't know Spaces even exist, which is great since it avoids
    us having to explain the two-tier permission model to them. The reason
    they don't know it exists is because if you can only see a single Space,
    then Phabricator hides the entire Spaces UI away from you. Great!
    
    Unfortunately one detail ruins everything: /w/ is a top-level page
    itself, it counts for permission checks, and it _must be in a Space_.
    So, there is no way to have wiki documents in mutually-invisible Spaces
    unless you also have a common Space, at which point the whole Spaces UI
    suddenly becomes very visible everywhere.
    
    In order to try to keep our wiki partitioned, but to not confuse our
    clients (and give them the chance to potentially expose confidential
    information!), we:
      - have a magic 'Visible to Everyone' space
      - actually hide that space from everyone with policies
      - hack policy filters to make this space visible to everyone _only
        for the purpose of checking policies on wiki objects_
      - only allow admins to change view/edit policies on the root wiki
        page (see comment for reason why)
    
    This actual patch can obviously never go anywhere near upstream, but on
    the other hand we should probably make them aware of the problem and see
    if they're interested in discussing a solution, which is probably just
    to bless the root page with magic semantics.
    Signed-off-by: Daniel Stone <daniels@collabora.com>
PhabricatorSpacesNamespaceQuery.php 6.6 KB
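
A simplified model of the visibility rules the commit message describes, added here as an illustration; it is not Phabricator code and not part of the commit. The space names, users and slugs are constructed, and the `magic` flag stands in for the patched policy filter.

```python
# Toy model only: constructed spaces, users and wiki slugs.
MAGIC = "S-everyone"  # stands in for the hidden 'Visible to Everyone' space

# Spaces each user can see through ordinary policies (constructed data).
USER_SPACES = {
    "client-a": {"S-a"},
    "client-b": {"S-b"},
    "staff": {"S-a", "S-b", MAGIC},
}

# Every page, including the root /w/, has to live in exactly one space.
PAGE_SPACE = {
    "/w/": MAGIC,
    "/w/a/": "S-a",
    "/w/a/notes/": "S-a",
    "/w/b/": "S-b",
}


def ancestors(slug):
    """Return the root, each intermediate page and the page itself."""
    parts = [p for p in slug.strip("/").split("/") if p]
    return ["/" + "/".join(parts[:i]) + "/" for i in range(1, len(parts) + 1)]


def visible_spaces(user, for_wiki_policy_check=False):
    """Spaces the user can see; the magic space is added only for wiki checks."""
    spaces = set(USER_SPACES[user])
    if for_wiki_policy_check:
        spaces.add(MAGIC)
    return spaces


def can_view(user, slug, magic=True):
    """Ancestral check: every page on the path must sit in a visible space.

    Unknown pages map to None, which is never visible, so the check fails closed.
    """
    spaces = visible_spaces(user, for_wiki_policy_check=magic)
    return all(PAGE_SPACE.get(page) in spaces for page in ancestors(slug))


def shows_spaces_ui(user):
    """The Spaces UI is hidden from users who can see only a single space."""
    return len(visible_spaces(user)) > 1
```

With `magic=False` the root page blocks every client, which is the problem the message describes; with the override, clients reach only their own subtree and still see a single space in the UI.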