@recaptime-dev's working patches + fork for Phorge, a community fork of Phabricator. (Upstream dev and stable branches are at upstream/main and upstream/stable respectively.)
hq.recaptime.dev/wiki/Phorge
phorge
phabricator
Remove the "grant authority" mechanism from users
Summary:
Ref T13393. See some previous discussion in T13366.
Caching is hard and all approaches here have downsides, but the request cache likely has fewer practical downsides for this kind of policy check than other approaches. In particular, the grant approach (at least, as previously used in Phortune) has a major downside that "Query" classes can no longer fully enforce policies.
Since Phortune no longer depends on grants and they've now been removed from instances, drop the mechanism completely.
Test Plan: Grepped for callsites, found none.
Maniphest Tasks: T13393
Differential Revision: https://secure.phabricator.com/D20754
-18
-18
src/applications/people/storage/PhabricatorUser.php
-18
src/applications/people/storage/PhabricatorUser.php
···
59
59
private $rawCacheData = array();
60
60
private $usableCacheData = array();
61
61
62
-
private $authorities = array();
63
62
private $handlePool;
64
63
private $csrfSalt;
65
64
···
704
703
return null;
705
704
}
706
705
707
-
708
-
/**
709
-
* Grant a user a source of authority, to let them bypass policy checks they
710
-
* could not otherwise.
711
-
*/
712
-
public function grantAuthority($authority) {
713
-
$this->authorities[] = $authority;
714
-
return $this;
715
-
}
716
-
717
-
718
-
/**
719
-
* Get authorities granted to the user.
720
-
*/
721
-
public function getAuthorities() {
722
-
return $this->authorities;
723
-
}
724
706
725
707
public function hasConduitClusterToken() {
726
708
return ($this->conduitClusterToken !== self::ATTACHABLE);