

Clean up some EditEngine policy issues

Summary:
Ref T9908.

- You should not need edit permission on a task in order to comment on it.
- At least for now, ignore any customization in Conduit and Stacked Actions. These UIs always use the full edit form as it's written in the application.

Test Plan:
- Verified a non-editor can now comment on tasks they can see.
- Verified a user still can't use an edit form they can't see.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T9908

Differential Revision: https://secure.phabricator.com/D14691

+93 -25
+82 -24
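--- a/src/applications/transactions/editengine/PhabricatorEditEngine.php
+++ b/src/applications/transactions/editengine/PhabricatorEditEngine.php
@@ -190,22 +190,51 @@
 return $this->editEngineConfiguration;
 }
 
+
+/**
+* Load the default configuration, ignoring customization in the database
+* (which means we implicitly ignore policies).
+*
+* This is used from places like Conduit, where the fields available in the
+* API should not be affected by configuration changes.
+*
+* @return PhabricatorEditEngineConfiguration Default configuration, ignoring
+* customization.
+*/
+private function loadDefaultEditEngineConfiguration() {
+return $this->loadEditEngineConfigurationWithOptions(
+self::EDITENGINECONFIG_DEFAULT,
+true);
+}
+
+
+/**
+* Load a named configuration, respecting database customization and policies.
+*
+* @param string Configuration key, or null to load the default.
+* @return PhabricatorEditEngineConfiguration Default configuration,
+* respecting customization.
+*/
 private function loadEditEngineConfiguration($key) {
-$viewer = $this->getViewer();
-if ($key === null) {
+if (!strlen($key)) {
 $key = self::EDITENGINECONFIG_DEFAULT;
-
-// TODO: At least for now, we need to load the default configuration
-// in some cases (editing, comment actions) even if the viewer can not
-// otherwise see it. This should be cleaned up eventually, but we can
-// safely use the omnipotent user for now without policy violations.
-$viewer = PhabricatorUser::getOmnipotentUser();
 }
 
+return $this->loadEditEngineConfigurationWithOptions(
+$key,
+false);
+}
+
+private function loadEditEngineConfigurationWithOptions(
+$key,
+$ignore_database) {
+$viewer = $this->getViewer();
+
 $config = id(new PhabricatorEditEngineConfigurationQuery())
 ->setViewer($viewer)
 ->withEngineKeys(array($this->getEngineKey()))
 ->withIdentifiers(array($key))
+->withIgnoreDatabaseConfigurations($ignore_database)
 ->executeOne();
 if (!$config) {
 return null;
@@ -482,14 +511,16 @@
 * Load an object by ID.
 *
 * @param int Object ID.
+* @param list<const> List of required capability constants, or omit for
+* defaults.
 * @return object|null Object, or null if no such object exists.
 * @task load
 */
-private function newObjectFromID($id) {
+private function newObjectFromID($id, array $capabilities = array()) {
 $query = $this->newObjectQuery()
 ->withIDs(array($id));
 
-return $this->newObjectFromQuery($query);
+return $this->newObjectFromQuery($query, $capabilities);
 }
 
 
@@ -512,19 +543,27 @@
 * Load an object given a configured query.
 *
 * @param PhabricatorPolicyAwareQuery Configured query.
+* @param list<const> List of required capabilitiy constants, or omit for
+* defaults.
 * @return object|null Object, or null if no such object exists.
 * @task load
 */
-private function newObjectFromQuery(PhabricatorPolicyAwareQuery $query) {
+private function newObjectFromQuery(
+PhabricatorPolicyAwareQuery $query,
+array $capabilities = array()) {
+
 $viewer = $this->getViewer();
 
+if (!$capabilities) {
+$capabilities = array(
+PhabricatorPolicyCapability::CAN_VIEW,
+PhabricatorPolicyCapability::CAN_EDIT,
+);
+}
+
 $object = $query
 ->setViewer($viewer)
-->requireCapabilities(
-array(
-PhabricatorPolicyCapability::CAN_VIEW,
-PhabricatorPolicyCapability::CAN_EDIT,
-))
+->requireCapabilities($capabilities)
 ->executeOne();
 if (!$object) {
 return null;
@@ -571,8 +610,28 @@
 $controller = $this->getController();
 $request = $controller->getRequest();
 
-$form_key = $request->getURIData('formKey');
-$config = $this->loadEditEngineConfiguration($form_key);
+$action = $request->getURIData('editAction');
+
+$capabilities = array();
+$use_default = false;
+switch ($action) {
+case 'comment':
+$capabilities = array(
+PhabricatorPolicyCapability::CAN_VIEW,
+);
+$use_default = true;
+break;
+default:
+break;
+}
+
+if ($use_default) {
+$config = $this->loadDefaultEditEngineConfiguration();
+} else {
+$form_key = $request->getURIData('formKey');
+$config = $this->loadEditEngineConfiguration($form_key);
+}
+
 if (!$config) {
 return new Aphront404Response();
 }
@@ -580,7 +639,7 @@
 $id = $request->getURIData('id');
 if ($id) {
 $this->setIsCreate(false);
-$object = $this->newObjectFromID($id);
+$object = $this->newObjectFromID($id, $capabilities);
 if (!$object) {
 return new Aphront404Response();
 }
@@ -591,7 +650,6 @@
 
 $this->validateObject($object);
 
-$action = $request->getURIData('editAction');
 switch ($action) {
 case 'parameters':
 return $this->buildParametersResponse($object);
@@ -880,7 +938,7 @@
 }
 
 final public function buildEditEngineCommentView($object) {
-$config = $this->loadEditEngineConfiguration(null);
+$config = $this->loadDefaultEditEngineConfiguration();
 
 $viewer = $this->getViewer();
 $object_phid = $object->getPHID();
@@ -1021,7 +1079,7 @@
 return new Aphront400Response();
 }
 
-$config = $this->loadEditEngineConfiguration(null);
+$config = $this->loadDefaultEditEngineConfiguration();
 $fields = $this->buildEditFields($object);
 
 $is_preview = $request->isPreviewRequest();
@@ -1151,7 +1209,7 @@
 final public function buildConduitResponse(ConduitAPIRequest $request) {
 $viewer = $this->getViewer();
 
-$config = $this->loadEditEngineConfiguration(null);
+$config = $this->loadDefaultEditEngineConfiguration();
 if (!$config) {
 throw new Exception(
 pht(
@@ -1297,7 +1355,7 @@
 }
 
 public function getConduitEditTypes() {
-$config = $this->loadEditEngineConfiguration(null);
+$config = $this->loadDefaultEditEngineConfiguration();
 if (!$config) {
 return array();
 }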
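Review bot: The new `if (!strlen($key))` check in loadEditEngineConfiguration is still reached with null — the docblock added just above it says "or null to load the default", and the `$form_key` it receives from `getURIData('formKey')` in buildResponse is presumably null when the URI carries no form key — and strlen(null) is deprecated on PHP 8.1+, so the explicit form `if ($key === null || $key === '') {` is safer for a fork that runs on current PHP. The new loadEditEngineConfigurationWithOptions has no docblock while both of its wrappers do; a comment stating that `$ignore_database` makes the query skip stored configurations, and therefore their policy filtering, so that only the engine's builtin forms are considered would document the security-relevant difference between the two entry points in one place. The docblock for newObjectFromQuery spells "capabilitiy". Object-level policy remains enforced in the new code: the 'comment' case in buildResponse passes CAN_VIEW to newObjectFromID, and the default case leaves `$capabilities` empty so newObjectFromQuery falls back to requiring CAN_VIEW and CAN_EDIT.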
+11 -1
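--- a/src/applications/transactions/query/PhabricatorEditEngineConfigurationQuery.php
+++ b/src/applications/transactions/query/PhabricatorEditEngineConfigurationQuery.php
@@ -10,6 +10,7 @@
 private $identifiers;
 private $default;
 private $disabled;
+private $ignoreDatabaseConfigurations;
 
 public function withIDs(array $ids) {
 $this->ids = $ids;
@@ -46,6 +47,11 @@
 return $this;
 }
 
+public function withIgnoreDatabaseConfigurations($ignore) {
+$this->ignoreDatabaseConfigurations = $ignore;
+return $this;
+}
+
 public function newResultObject() {
 return new PhabricatorEditEngineConfiguration();
 }
@@ -57,7 +63,11 @@
 // number of edit forms for any particular engine for the lack of UI
 // pagination to become a problem.
 
-$page = $this->loadStandardPage($this->newResultObject());
+if ($this->ignoreDatabaseConfigurations) {
+$page = array();
+} else {
+$page = $this->loadStandardPage($this->newResultObject());
+}
 
 // Now that we've loaded the real results from the database, we're going
 // to load builtins from the edit engines and add them to the list.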
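Review bot: The new `if ($this->ignoreDatabaseConfigurations)` branch changes what this query returns — stored configurations are never loaded, so only the builtins the following comment says are appended afterwards come back — but neither the property nor withIgnoreDatabaseConfigurations says so, and the existing comment above the branch still talks only about pagination. I would put a comment directly above the branch, `// Skip stored configurations entirely (and thus their policy filtering); only the engine's builtin configurations are returned.`, and give the setter a one-line docblock saying the same. The setter also stores the untyped `$ignore` as-is; `$this->ignoreDatabaseConfigurations = (bool)$ignore;` keeps the branch test unambiguous. The enclosing load method starts and ends outside this hunk.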