

Use ManiphestTaskQuery in nearly all interfaces

Summary:
Ref T603. Make almost every task read policy-aware. Notable exceptions are:

- Edge editor -- this stuff is prescreened and should be moved to ApplicationTransactions eventually anyway.
- Search/attach stuff -- this stuff needs some general work. The actual list should be fine since you can't pull handles. There may be a very indirect hole here where you could attach an object you can't see (but do know the ID of) to an object you can see. Pretty fluff.
- The "Tasks" field in Differential will let you reference objects you can't see. Possibly this is desirable, in the case of commandeering revisions. Mostly, it was inconvenient to get a viewer (I think).

Test Plan:
- Called `maniphest.info`.
- Called `maniphest.update`.
- Batch edited tasks.
- Dragged and dropped tasks to change subpriority.
- Subscribed and unsubscribed from a task.
- Edited a task.
- Created a task.
- Created a task with a parent.
- Created a task with a template.
- Previewed a task update.
- Commented on a task.
- Added a dependency.
- Searched for "T33" in object search dialog.
- Created a branch "T33", ran `arc diff`, verified link.
- Pushed a commit with "Fixes T33", verified close.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran

Maniphest Tasks: T603

Differential Revision: https://secure.phabricator.com/D7119

+98 -26
+4 -1
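--- a/src/applications/differential/field/specification/DifferentialBranchFieldSpecification.php
+++ b/src/applications/differential/field/specification/DifferentialBranchFieldSpecification.php
@@ -56,7 +56,10 @@
     $match = null;
     if (preg_match('/^T(\d+)/i', $branch, $match)) { // No $ to allow T123_demo.
       list(, $task_id) = $match;
-      $task = id(new ManiphestTask())->load($task_id);
+      $task = id(new ManiphestTaskQuery())
+        ->setViewer($editor->requireActor())
+        ->withIDs(array($task_id))
+        ->executeOne();
       if ($task) {
         id(new PhabricatorEdgeEditor())
           ->setActor($this->getUser())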
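Review bot: The policy check runs as one principal while the edge is written as another: the query is filtered for `$editor->requireActor()`, but two lines later the edge editor uses `$this->getUser()`. If those two can ever differ (neither is assigned inside the hunk, and the enclosing method starts and ends outside it), the visibility check protects the wrong identity. Pick one principal for both calls, e.g. `->setActor($editor->requireActor())`, or document why they are guaranteed to be the same user.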
+4 -2
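--- a/src/applications/differential/field/specification/DifferentialFreeformFieldSpecification.php
+++ b/src/applications/differential/field/specification/DifferentialFreeformFieldSpecification.php
@@ -150,8 +150,10 @@
 
     $tasks = $this->findMentionedTasks($message);
     if ($tasks) {
-      $tasks = id(new ManiphestTask())
-        ->loadAllWhere('id IN (%Ld)', array_keys($tasks));
+      $tasks = id(new ManiphestTaskQuery())
+        ->setViewer($editor->getActor())
+        ->withIDs(array_keys($tasks))
+        ->execute();
       $this->saveFieldEdges(
         $editor->getRevision(),
         PhabricatorEdgeConfig::TYPE_DREV_HAS_RELATED_TASK,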
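Review bot: `setViewer($editor->getActor())` can receive null, because `getActor()` in PhabricatorEditor (also in this commit) simply returns `$this->actor` while `requireActor()` is the accessor that throws when no actor was set. A null viewer on a policy-aware query is exactly the case this change is meant to eliminate, and DifferentialBranchFieldSpecification in the same commit already uses the strict form. Use `->setViewer($editor->requireActor())` here so a missing actor fails loudly instead of silently. The enclosing method starts and ends outside the hunk.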
+1
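--- a/src/applications/differential/field/specification/DifferentialManiphestTasksFieldSpecification.php
+++ b/src/applications/differential/field/specification/DifferentialManiphestTasksFieldSpecification.php
@@ -128,6 +128,7 @@
       return array();
     }
 
+    // TODO: T603 Get a viewer here so we can issue the right query.
 
     $task_ids = $matches[1];
     $tasks = id(new ManiphestTask())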
+4 -1
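--- a/src/applications/maniphest/conduit/ConduitAPI_maniphest_info_Method.php
+++ b/src/applications/maniphest/conduit/ConduitAPI_maniphest_info_Method.php
@@ -30,7 +30,10 @@
   protected function execute(ConduitAPIRequest $request) {
     $task_id = $request->getValue('task_id');
 
-    $task = id(new ManiphestTask())->load($task_id);
+    $task = id(new ManiphestTaskQuery())
+      ->setViewer($request->getUser())
+      ->withIDs(array($task_id))
+      ->executeOne();
     if (!$task) {
       throw new ConduitException('ERR_BAD_TASK');
     }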
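Review bot: The `if (!$task)` branch now covers two distinct cases, a task that does not exist and a task the caller is not allowed to see, and both deliberately produce the same `ERR_BAD_TASK`; that is the right behavior for an API (no existence probe), but nothing says it is intentional. Add a line above the throw: `// A task the viewer cannot see is reported exactly like a missing one.` so a later change does not "helpfully" split it into a distinct error code. The enclosing method continues past the hunk.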
+8 -4
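--- a/src/applications/maniphest/conduit/ConduitAPI_maniphest_update_Method.php
+++ b/src/applications/maniphest/conduit/ConduitAPI_maniphest_update_Method.php
@@ -35,11 +35,15 @@
     }
 
     if ($id) {
-      $task = id(new ManiphestTask())->load($id);
+      $task = id(new ManiphestTaskQuery())
+        ->setViewer($request->getUser())
+        ->withIDs(array($id))
+        ->executeOne();
     } else {
-      $task = id(new ManiphestTask())->loadOneWhere(
-        'phid = %s',
-        $phid);
+      $task = id(new ManiphestTaskQuery())
+        ->setViewer($request->getUser())
+        ->withPHIDs(array($phid))
+        ->executeOne();
     }
 
     $params = $request->getAllParameters();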
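Review bot: Both load branches of `maniphest.update` only require that the caller can see the task; unlike ManiphestBatchEditController and ManiphestTaskEditController in this same commit, neither calls `requireCapabilities()` with CAN_EDIT. Unless something after the hunk enforces edit policy (the method continues outside it, so this is inferred), any viewer could modify a task through the API while the web UI refuses. Adding `->requireCapabilities(array(PhabricatorPolicyCapability::CAN_VIEW, PhabricatorPolicyCapability::CAN_EDIT))` to both chains would bring the API in line with the controllers.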
+9 -3
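--- a/src/applications/maniphest/controller/ManiphestBatchEditController.php
+++ b/src/applications/maniphest/controller/ManiphestBatchEditController.php
@@ -11,9 +11,15 @@
     $user = $request->getUser();
 
     $task_ids = $request->getArr('batch');
-    $tasks = id(new ManiphestTask())->loadAllWhere(
-      'id IN (%Ld)',
-      $task_ids);
+    $tasks = id(new ManiphestTaskQuery())
+      ->setViewer($user)
+      ->withIDs($task_ids)
+      ->requireCapabilities(
+        array(
+          PhabricatorPolicyCapability::CAN_VIEW,
+          PhabricatorPolicyCapability::CAN_EDIT,
+        ))
+      ->execute();
 
     $actions = $request->getStr('actions');
     if ($actions) {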
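Review bot: `withIDs($task_ids)` is fed straight from `$request->getArr('batch')` with no check that the list is non-empty. If ManiphestTaskQuery treats an empty ID list as "no constraint" (its implementation is not visible here, so this is a presumption), an empty or missing `batch` parameter would make the batch editor operate on every task the user can edit rather than on none. A guard before the query, such as `if (!$task_ids) { return new Aphront404Response(); }`, makes the behavior explicit either way. The enclosing method continues past the hunk.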
+13 -2
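--- a/src/applications/maniphest/controller/ManiphestSubpriorityController.php
+++ b/src/applications/maniphest/controller/ManiphestSubpriorityController.php
@@ -13,13 +13,24 @@
       return new Aphront403Response();
     }
 
-    $task = id(new ManiphestTask())->load($request->getInt('task'));
+    $task = id(new ManiphestTaskQuery())
+      ->setViewer($user)
+      ->withIDs(array($request->getInt('task')))
+      ->requireCapabilities(
+        array(
+          PhabricatorPolicyCapability::CAN_VIEW,
+          PhabricatorPolicyCapability::CAN_EDIT,
+        ))
+      ->executeOne();
     if (!$task) {
       return new Aphront404Response();
     }
 
     if ($request->getInt('after')) {
-      $after_task = id(new ManiphestTask())->load($request->getInt('after'));
+      $after_task = id(new ManiphestTaskQuery())
+        ->setViewer($user)
+        ->withIDs(array($request->getInt('after')))
+        ->executeOne();
       if (!$after_task) {
         return new Aphront404Response();
       }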
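Review bot: The two loads in this hunk require different capabilities (CAN_VIEW plus CAN_EDIT for `task`, CAN_VIEW only for `after`) and nothing explains the asymmetry, which reads like an omission to the next maintainer. A one-line comment above the second query, `// The anchor task is only read to compute the new subpriority, so CAN_VIEW is enough.`, records that it is deliberate. Note that `getInt('after')` yields 0 when absent, so the `if` already skips the lookup; a literal `after=0` behaves the same way.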
+4 -1
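--- a/src/applications/maniphest/controller/ManiphestSubscribeController.php
+++ b/src/applications/maniphest/controller/ManiphestSubscribeController.php
@@ -15,7 +15,10 @@
     $request = $this->getRequest();
     $user = $request->getUser();
 
-    $task = id(new ManiphestTask())->load($this->id);
+    $task = id(new ManiphestTaskQuery())
+      ->setViewer($user)
+      ->withIDs(array($this->id))
+      ->executeOne();
     if (!$task) {
       return new Aphront404Response();
     }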
+8 -2
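--- a/src/applications/maniphest/controller/ManiphestTaskDetailController.php
+++ b/src/applications/maniphest/controller/ManiphestTaskDetailController.php
@@ -20,7 +20,10 @@
 
     $priority_map = ManiphestTaskPriority::getTaskPriorityMap();
 
-    $task = id(new ManiphestTask())->load($this->id);
+    $task = id(new ManiphestTaskQuery())
+      ->setViewer($user)
+      ->withIDs(array($this->id))
+      ->executeOne();
     if (!$task) {
       return new Aphront404Response();
     }
@@ -28,7 +31,10 @@
     $workflow = $request->getStr('workflow');
     $parent_task = null;
     if ($workflow && is_numeric($workflow)) {
-      $parent_task = id(new ManiphestTask())->load($workflow);
+      $parent_task = id(new ManiphestTaskQuery())
+        ->setViewer($user)
+        ->withIDs(array($workflow))
+        ->executeOne();
     }
 
     $transactions = id(new ManiphestTransactionQuery())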
+17 -3
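--- a/src/applications/maniphest/controller/ManiphestTaskEditController.php
+++ b/src/applications/maniphest/controller/ManiphestTaskEditController.php
@@ -21,7 +21,15 @@
     $template_id = null;
 
     if ($this->id) {
-      $task = id(new ManiphestTask())->load($this->id);
+      $task = id(new ManiphestTaskQuery())
+        ->setViewer($user)
+        ->requireCapabilities(
+          array(
+            PhabricatorPolicyCapability::CAN_VIEW,
+            PhabricatorPolicyCapability::CAN_EDIT,
+          ))
+        ->withIDs(array($this->id))
+        ->executeOne();
       if (!$task) {
         return new Aphront404Response();
       }
@@ -74,7 +82,10 @@
       // You can only have a parent task if you're creating a new task.
       $parent_id = $request->getInt('parent');
       if ($parent_id) {
-        $parent_task = id(new ManiphestTask())->load($parent_id);
+        $parent_task = id(new ManiphestTaskQuery())
+          ->setViewer($user)
+          ->withIDs(array($parent_id))
+          ->executeOne();
         if (!$template_id) {
           $template_id = $parent_id;
         }
@@ -274,7 +285,10 @@
         $user->getPHID(),
       ));
       if ($template_id) {
-        $template_task = id(new ManiphestTask())->load($template_id);
+        $template_task = id(new ManiphestTaskQuery())
+          ->setViewer($user)
+          ->withIDs(array($template_id))
+          ->executeOne();
         if ($template_task) {
           $task->setCCPHIDs($template_task->getCCPHIDs());
           $task->setProjectPHIDs($template_task->getProjectPHIDs());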
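Review bot: In the first hunk `requireCapabilities()` is chained before `withIDs()`, whereas ManiphestBatchEditController and ManiphestSubpriorityController in this commit place it after the ID constraint; the result is the same, but a consistent order (`setViewer`, `withIDs`, `requireCapabilities`, `execute`) makes the capability requirement easy to spot and grep across controllers. Moving `->withIDs(array($this->id))` directly under `->setViewer($user)` here matches the other two. The parent and template lookups in the later hunks deliberately require only CAN_VIEW since they are read, not modified; a short comment saying so on each would save the next reader the question.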
+4 -1
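--- a/src/applications/maniphest/controller/ManiphestTransactionPreviewController.php
+++ b/src/applications/maniphest/controller/ManiphestTransactionPreviewController.php
@@ -18,7 +18,10 @@
 
     $comments = $request->getStr('comments');
 
-    $task = id(new ManiphestTask())->load($this->id);
+    $task = id(new ManiphestTaskQuery())
+      ->setViewer($user)
+      ->withIDs(array($this->id))
+      ->executeOne();
     if (!$task) {
       return new Aphront404Response();
     }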
+8 -1
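--- a/src/applications/maniphest/controller/ManiphestTransactionSaveController.php
+++ b/src/applications/maniphest/controller/ManiphestTransactionSaveController.php
@@ -9,7 +9,14 @@
     $request = $this->getRequest();
     $user = $request->getUser();
 
-    $task = id(new ManiphestTask())->load($request->getStr('taskID'));
+    // TODO: T603 This doesn't require CAN_EDIT because non-editors can still
+    // leave comments, probably? For now, this just nondisruptive. Smooth this
+    // out once policies are more clear.
+
+    $task = id(new ManiphestTaskQuery())
+      ->setViewer($user)
+      ->withIDs(array($request->getStr('taskID')))
+      ->executeOne();
     if (!$task) {
       return new Aphront404Response();
     }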
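Review bot: The new TODO comment is the only record of why this save path checks CAN_VIEW but not CAN_EDIT, so it is worth making precise: "For now, this just nondisruptive" is missing a verb, and "probably?" leaves the reader unsure whether comment-only transactions are the intended exception. Suggested wording: `// TODO: T603 This requires only CAN_VIEW because non-editors may still leave comments. Field edits submitted through this path are therefore not policy-checked yet; tighten this once the policies are settled.` Stating the consequence explicitly keeps the gap visible until it is closed. The enclosing method continues past the hunk.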
+3
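--- a/src/applications/maniphest/editor/ManiphestTransactionEditor.php
+++ b/src/applications/maniphest/editor/ManiphestTransactionEditor.php
@@ -15,6 +15,9 @@
 
   public static function getNextSubpriority($pri, $sub) {
 
+    // TODO: T603 Figure out what the policies here should be once this gets
+    // cleaned up.
+
     if ($sub === null) {
       $next = id(new ManiphestTask())->loadOneWhere(
         'priority = %d ORDER BY subpriority ASC LIMIT 1',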
+3
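--- a/src/applications/maniphest/event/ManiphestEdgeEventListener.php
+++ b/src/applications/maniphest/event/ManiphestEdgeEventListener.php
@@ -36,6 +36,9 @@
     $edges = $this->loadAllEdges($event);
     $tasks = array();
     if ($edges) {
+      // TODO: T603 This should probably all get nuked. Until then, this isn't
+      // realllllly a policy issue since callers are (or should be) doing
+      // policy checks anyway.
       $tasks = id(new ManiphestTask())->loadAllWhere(
         'phid IN (%Ls)',
         array_keys($edges));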
+4 -3
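--- a/src/applications/search/controller/PhabricatorSearchAttachController.php
+++ b/src/applications/search/controller/PhabricatorSearchAttachController.php
@@ -149,9 +149,10 @@
       return $response;
     }
 
-    $targets = id(new ManiphestTask())->loadAllWhere(
-      'phid in (%Ls) ORDER BY id ASC',
-      array_keys($phids));
+    $targets = id(new ManiphestTaskQuery())
+      ->setViewer($user)
+      ->withPHIDs(array_keys($phids))
+      ->execute();
 
     if (empty($targets)) {
       return $response;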
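Review bot: The removed query ordered the targets with `ORDER BY id ASC`, and the replacement relies on whatever default ordering ManiphestTaskQuery applies, which is not visible here. If the attach code that follows the hunk (the method continues outside it) depends on ascending-ID order, for example when it walks `$targets` to create edges in a fixed sequence, the order should be restored explicitly on the query or by sorting the result, e.g. `ksort($targets);` if the query keys results by ID. If the order is irrelevant, a short comment saying so would stop the next reader from wondering why the clause disappeared.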
+2
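--- a/src/applications/search/controller/PhabricatorSearchSelectController.php
+++ b/src/applications/search/controller/PhabricatorSearchSelectController.php
@@ -98,6 +98,8 @@
           $object_ids);
         break;
       case ManiphestPHIDTypeTask::TYPECONST:
+        // TODO: (T603) Clean this up. This should probably all run through
+        // ObjectQuery?
         $objects = id(new ManiphestTask())->loadAllWhere(
           'id IN (%Ld)',
           $object_ids);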
+2 -2
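--- a/src/infrastructure/PhabricatorEditor.php
+++ b/src/infrastructure/PhabricatorEditor.php
@@ -10,11 +10,11 @@
     return $this;
   }
 
-  final protected function getActor() {
+  final public function getActor() {
     return $this->actor;
   }
 
-  final protected function requireActor() {
+  final public function requireActor() {
     $actor = $this->getActor();
     if (!$actor) {
       throw new Exception('You must setActor()!');
</function>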
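Review bot: Making `getActor()` and `requireActor()` public turns them into the API every caller will reach for when it needs a viewer for a policy query, and the two differ in exactly the way that matters: `getActor()` returns `$this->actor` as-is, which is null until `setActor()` is called, while `requireActor()` throws. A docblock on each would steer callers to the right one, e.g. on `getActor()`: `/** Return the acting user, or null if setActor() has not been called. Prefer requireActor() when the actor is used as a policy viewer. */` and on `requireActor()`: `/** Return the acting user, throwing if none was set. Use this for setViewer() on policy-aware queries. */`. The commit itself already has one call site of each kind (DifferentialBranchFieldSpecification vs DifferentialFreeformFieldSpecification), which is the confusion the docblocks would prevent.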