Make most repository reads policy-aware · recaptime.dev/phorge@c467cc4

Configure Feed

Issues Pull Requests Commits Tags

Feed URL

Select the types of activity you want to include in your feed.

@recaptime-dev's working patches + fork for Phorge, a community fork of Phabricator. (Upstream dev and stable branches are at upstream/main and upstream/stable respectively.) hq.recaptime.dev/wiki/Phorge

phorge phabricator

fork

Configure Feed

Issues Pull Requests Commits Tags

Feed URL

Select the types of activity you want to include in your feed.

Make most repository reads policy-aware

Summary: Ref T603. This swaps almost all queries against the repository table over to be policy aware.

Test Plan:
- Made an audit comment on a commit.
- Ran `save_lint.php`.
- Looked up a commit with `diffusion.getcommits`.
- Looked up lint messages with `diffusion.getlintmessages`.
- Clicked an external/submodule in Diffusion.
- Viewed main lint and repository lint in Diffusion.
- Completed and validated Owners paths in Owners.
- Executed dry runs via Herald.
- Queried for package owners with `owners.query`.
- Viewed Owners package.
- Edited Owners package.
- Viewed Owners package list.
- Executed `repository.query`.
- Viewed "Repository" tool repository list.
- Edited Arcanist project.
- Hit "Delete" on repository (this just tells you to use the CLI).
- Created a repository.
- Edited a repository.
- Ran `bin/repository list`.
- Ran `bin/search index rGTESTff45d13dffcfb3ea85b03aac8cc36251cacdf01c`
- Pushed and parsed a commit.
- Skipped all the Drydock stuff, as it it's hard to test and isn't normally reachable.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran

Maniphest Tasks: T603

Differential Revision: https://secure.phabricator.com/D7132

epriestley 12 years ago c467cc46 b8154cb5

+123 -87

31 changed files

expand all collapse all

src

applications

audit

editor

PhabricatorAuditCommentEditor.php

differential

conduit

ConduitAPI_differential_query_Method.php

diffusion

DiffusionLintSaveRunner.php

conduit

ConduitAPI_diffusion_getcommits_Method.php

ConduitAPI_diffusion_getlintmessages_Method.php

controller

DiffusionExternalController.php

DiffusionLintController.php

DiffusionPathCompleteController.php

DiffusionPathValidateController.php

query

DiffusionSymbolQuery.php

drydock

blueprint

DrydockWorkingCopyBlueprint.php

harbormaster

worker

HarbormasterRunnerWorker.php

herald

adapter

HeraldDifferentialRevisionAdapter.php

controller

HeraldTestConsoleController.php

owners

conduit

ConduitAPI_owners_query_Method.php

controller

PhabricatorOwnersDetailController.php

PhabricatorOwnersEditController.php

PhabricatorOwnersListController.php

storage

PhabricatorOwnersPackage.php

releeph

storage

ReleephProject.php

repository

conduit

ConduitAPI_repository_query_Method.php

controller

PhabricatorRepositoryArcanistProjectEditController.php

PhabricatorRepositoryDeleteController.php

PhabricatorRepositoryEditController.php

PhabricatorRepositoryListController.php

management

PhabricatorRepositoryManagementListWorkflow.php

PhabricatorRepositoryCommitSearchIndexer.php

storage

PhabricatorRepository.php

PhabricatorRepositoryArcanistProject.php

worker

PhabricatorRepositoryCommitParserWorker.php

commitchangeparser

PhabricatorOwnersPackagePathValidator.php

+4 -2

src/applications/audit/editor/PhabricatorAuditCommentEditor.php

reviewed

··· 403 403 404 404 $prefix = PhabricatorEnv::getEnvConfig('metamta.diffusion.subject-prefix'); 405 405 406 406 - $repository = id(new PhabricatorRepository()) 407 407 - ->load($commit->getRepositoryID()); 406 406 + $repository = id(new PhabricatorRepositoryQuery()) 407 407 + ->setViewer($this->getActor()) 408 408 + ->withIDs(array($commit->getRepositoryID())) 409 409 + ->executeOne(); 408 410 $threading = self::getMailThreading($repository, $commit); 409 411 list($thread_id, $thread_topic) = $threading; 410 412

+4 -3

src/applications/differential/conduit/ConduitAPI_differential_query_Method.php

reviewed

··· 112 112 foreach ($path_pairs as $pair) { 113 113 list($callsign, $path) = $pair; 114 114 if (!idx($repos, $callsign)) { 115 115 - $repos[$callsign] = id(new PhabricatorRepository())->loadOneWhere( 116 116 - 'callsign = %s', 117 117 - $callsign); 115 115 + $repos[$callsign] = id(new PhabricatorRepositoryQuery()) 116 116 + ->setViewer($request->getUser()) 117 117 + ->withCallsigns(array($callsign)) 118 118 + ->executeOne(); 118 119 119 120 if (!$repos[$callsign]) { 120 121 throw id(new ConduitException('ERR-INVALID-PARAMETER'))

+4 -2

src/applications/diffusion/DiffusionLintSaveRunner.php

reviewed

··· 228 228 229 229 230 230 private function blameAuthors() { 231 231 - $repository = id(new PhabricatorRepository())->load( 232 232 - $this->branch->getRepositoryID()); 231 231 + $repository = id(new PhabricatorRepositoryQuery()) 232 232 + ->setViewer(PhabricatorUser::getOmnipotentUser()) 233 233 + ->withIDs(array($this->branch->getRepositoryID())) 234 234 + ->executeOne(); 233 235 234 236 $queries = array(); 235 237 $futures = array();

+4 -3

src/applications/diffusion/conduit/ConduitAPI_diffusion_getcommits_Method.php

reviewed

··· 52 52 53 53 $callsigns = ipull($commits, 'callsign'); 54 54 $callsigns = array_unique($callsigns); 55 55 - $repos = id(new PhabricatorRepository())->loadAllWhere( 56 56 - 'callsign IN (%Ls)', 57 57 - $callsigns); 55 55 + $repos = id(new PhabricatorRepositoryQuery()) 56 56 + ->setViewer($request->getUser()) 57 57 + ->withCallsigns($callsigns) 58 58 + ->execute(); 58 59 $repos = mpull($repos, null, 'getCallsign'); 59 60 60 61 foreach ($commits as $name => $info) {

+4 -2

src/applications/diffusion/conduit/ConduitAPI_diffusion_getlintmessages_Method.php

reviewed

··· 42 42 43 43 $branch_name = $request->getValue('branch'); 44 44 if ($branch_name == '') { 45 45 - $repository = id(new PhabricatorRepository()) 46 46 - ->load($project->getRepositoryID()); 45 45 + $repository = id(new PhabricatorRepositoryQuery()) 46 46 + ->setViewer($request->getUser()) 47 47 + ->withIDs(array($project->getRepositoryID())) 48 48 + ->executeOne(); 47 49 $branch_name = $repository->getDefaultArcanistBranch(); 48 50 } 49 51

+3 -1

src/applications/diffusion/controller/DiffusionExternalController.php

reviewed

··· 12 12 $uri = $request->getStr('uri'); 13 13 $id = $request->getStr('id'); 14 14 15 15 - $repositories = id(new PhabricatorRepository())->loadAll(); 15 15 + $repositories = id(new PhabricatorRepositoryQuery()) 16 16 + ->setViewer($request->getUser()) 17 17 + ->execute(); 16 18 17 19 if ($uri) { 18 20 $uri_path = id(new PhutilURI($uri))->getPath();

+9 -4

src/applications/diffusion/controller/DiffusionLintController.php

reviewed

··· 221 221 } 222 222 223 223 if ($paths) { 224 224 - $repositories = id(new PhabricatorRepository())->loadAllWhere( 225 225 - 'phid IN (%Ls)', 226 226 - array_unique(mpull($paths, 'getRepositoryPHID'))); 224 224 + $repositories = id(new PhabricatorRepositoryQuery()) 225 225 + ->setViewer($this->getRequest()->getUser()) 226 226 + ->withPHIDs(mpull($paths, 'getRepositoryPHID')) 227 227 + ->execute(); 227 228 $repositories = mpull($repositories, 'getID', 'getPHID'); 228 229 229 230 $branches = id(new PhabricatorRepositoryBranch())->loadAllWhere( ··· 233 234 } 234 235 235 236 foreach ($paths as $path) { 236 236 - $branch = idx($branches, $repositories[$path->getRepositoryPHID()]); 237 237 + $branch = idx( 238 238 + $branches, 239 239 + idx( 240 240 + $repositories, 241 241 + $path->getRepositoryPHID())); 237 242 if ($branch) { 238 243 $condition = qsprintf( 239 244 $conn,

+4 -3

src/applications/diffusion/controller/DiffusionPathCompleteController.php

reviewed

··· 10 10 $request = $this->getRequest(); 11 11 12 12 $repository_phid = $request->getStr('repositoryPHID'); 13 13 - $repository = id(new PhabricatorRepository())->loadOneWhere( 14 14 - 'phid = %s', 15 15 - $repository_phid); 13 13 + $repository = id(new PhabricatorRepositoryQuery()) 14 14 + ->setViewer($request->getUser()) 15 15 + ->withPHIDs(array($repository_phid)) 16 16 + ->executeOne(); 16 17 if (!$repository) { 17 18 return new Aphront400Response(); 18 19 }

+4 -3

src/applications/diffusion/controller/DiffusionPathValidateController.php

reviewed

src/applications/diffusion/query/DiffusionSymbolQuery.php

reviewed

··· 265 265 $repo_ids = array_filter($repo_ids); 266 266 267 267 if ($repo_ids) { 268 268 + // TODO: (T603) Provide a viewer here. 268 269 $repos = id(new PhabricatorRepository())->loadAllWhere( 269 270 'id IN (%Ld)', 270 271 $repo_ids);

src/applications/drydock/blueprint/DrydockWorkingCopyBlueprint.php

reviewed

··· 31 31 "Lease is missing required 'repositoryID' attribute."); 32 32 } 33 33 34 34 + // TODO: (T603) Figure out the interaction between policies and 35 35 + // Drydock. 34 36 $repository = id(new PhabricatorRepository())->load($repository_id); 35 37 36 38 if (!$repository) {

src/applications/harbormaster/worker/HarbormasterRunnerWorker.php

reviewed

··· 19 19 "Commit '{$id}' does not exist!"); 20 20 } 21 21 22 22 + // TODO: (T603) Policy interaction? 22 23 $repository = id(new PhabricatorRepository())->loadOneWhere( 23 24 'id = %d', 24 25 $commit->getRepositoryID());

src/applications/herald/adapter/HeraldDifferentialRevisionAdapter.php

reviewed

··· 110 110 111 111 $repository = false; 112 112 113 113 + // TODO: (T603) Implement policy stuff in Herald. 114 114 + 113 115 if ($diff->getRepositoryUUID()) { 114 116 $repository = id(new PhabricatorRepository())->loadOneWhere( 115 117 'uuid = %s',

+8 -29

src/applications/herald/controller/HeraldTestConsoleController.php

reviewed

··· 20 20 } 21 21 22 22 if (!$errors) { 23 23 - $matches = null; 24 24 - $object = null; 25 25 - if (preg_match('/^D(\d+)$/', $object_name, $matches)) { 26 26 - $object = id(new DifferentialRevision())->load($matches[1]); 27 27 - if (!$object) { 28 28 - $e_name = pht('Invalid'); 29 29 - $errors[] = pht('No Differential Revision with that ID exists.'); 30 30 - } 31 31 - } else if (preg_match('/^r([A-Z]+)(\w+)$/', $object_name, $matches)) { 32 32 - $repo = id(new PhabricatorRepository())->loadOneWhere( 33 33 - 'callsign = %s', 34 34 - $matches[1]); 35 35 - if (!$repo) { 36 36 - $e_name = pht('Invalid'); 37 37 - $errors[] = pht('There is no repository with the callsign: %s.', 38 38 - $matches[1]); 39 39 - } 40 40 - $commit = id(new PhabricatorRepositoryCommit())->loadOneWhere( 41 41 - 'repositoryID = %d AND commitIdentifier = %s', 42 42 - $repo->getID(), 43 43 - $matches[2]); 44 44 - if (!$commit) { 45 45 - $e_name = pht('Invalid'); 46 46 - $errors[] = pht('There is no commit with that identifier.'); 47 47 - } 48 48 - $object = $commit; 49 49 - } else { 23 23 + $object = id(new PhabricatorObjectQuery()) 24 24 + ->setViewer($user) 25 25 + ->withNames(array($object_name)) 26 26 + ->executeOne(); 27 27 + 28 28 + if (!$object) { 50 29 $e_name = pht('Invalid'); 51 51 - $errors[] = pht('This object name is not recognized.'); 30 30 + $errors[] = pht('No object exists with that name.'); 52 31 } 53 32 54 33 if (!$errors) { ··· 61 40 'commitID = %d', 62 41 $object->getID()); 63 42 $adapter = HeraldCommitAdapter::newLegacyAdapter( 64 64 - $repo, 43 43 + $object->getRepository(), 65 44 $object, 66 45 $data); 67 46 } else {

+11 -5

src/applications/owners/conduit/ConduitAPI_owners_query_Method.php

reviewed

··· 65 65 return $packages; 66 66 } 67 67 68 68 - private static function queryByPath($repo_callsign, $path) { 69 69 - $repository = id(new PhabricatorRepository())->loadOneWhere('callsign = %s', 70 70 - $repo_callsign); 68 68 + private static function queryByPath( 69 69 + PhabricatorUser $viewer, 70 70 + $repo_callsign, 71 71 + $path) { 71 72 72 72 - if (empty($repository)) { 73 73 + $repository = id(new PhabricatorRepositoryQuery()) 74 74 + ->setViewer($viewer) 75 75 + ->withCallsigns(array($repo_callsign)) 76 76 + ->executeOne(); 77 77 + 78 78 + if (!$repository) { 73 79 throw id(new ConduitException('ERR_REP_NOT_FOUND')) 74 80 ->setErrorDescription( 75 81 'Repository callsign '.$repo_callsign.' not recognized'); ··· 144 150 $packages = self::queryByOwner($owner); 145 151 146 152 } else if ($is_path_query) { 147 147 - $packages = self::queryByPath($repo, $path); 153 153 + $packages = self::queryByPath($request->getUser(), $repo, $path); 148 154 } 149 155 150 156 return self::buildPackageInformationDictionaries($packages);

+4 -3

src/applications/owners/controller/PhabricatorOwnersDetailController.php

reviewed

··· 29 29 } 30 30 31 31 if ($repository_phids) { 32 32 - $repositories = id(new PhabricatorRepository())->loadAllWhere( 33 33 - 'phid in (%Ls)', 34 34 - array_keys($repository_phids)); 32 32 + $repositories = id(new PhabricatorRepositoryQuery()) 33 33 + ->setViewer($user) 34 34 + ->withPHIDs(array_keys($repository_phids)) 35 35 + ->execute(); 35 36 $repositories = mpull($repositories, null, 'getPHID'); 36 37 } else { 37 38 $repositories = array();

+3 -1

src/applications/owners/controller/PhabricatorOwnersEditController.php

reviewed

··· 142 142 } 143 143 $this->setSideNavFilter($side_nav_filter); 144 144 145 145 - $repos = id(new PhabricatorRepository())->loadAll(); 145 145 + $repos = id(new PhabricatorRepositoryQuery()) 146 146 + ->setViewer($user) 147 147 + ->execute(); 146 148 147 149 $default_paths = array(); 148 150 foreach ($repos as $repo) {

+12 -7

src/applications/owners/controller/PhabricatorOwnersListController.php

reviewed

··· 21 21 22 22 $repository_phid = ''; 23 23 if ($request->getStr('repository') != '') { 24 24 - $repository_phid = id(new PhabricatorRepository()) 25 25 - ->loadOneWhere('callsign = %s', $request->getStr('repository')) 24 24 + $repository_phid = id(new PhabricatorRepositoryQuery()) 25 25 + ->setViewer($user) 26 26 + ->withCallsigns(array($request->getStr('repository'))) 27 27 + ->executeOne() 26 28 ->getPHID(); 27 29 } 28 30 ··· 157 159 } 158 160 159 161 $callsigns = array('' => pht('(Any Repository)')); 160 160 - $repositories = id(new PhabricatorRepository()) 161 161 - ->loadAllWhere('1 = 1 ORDER BY callsign'); 162 162 + $repositories = id(new PhabricatorRepositoryQuery()) 163 163 + ->setViewer($user) 164 164 + ->setOrder(PhabricatorRepositoryQuery::ORDER_CALLSIGN) 165 165 + ->execute(); 162 166 foreach ($repositories as $repository) { 163 167 $callsigns[$repository->getCallsign()] = 164 168 $repository->getCallsign().': '.$repository->getName(); ··· 238 242 } 239 243 240 244 if ($repository_phids) { 241 241 - $repositories = id(new PhabricatorRepository())->loadAllWhere( 242 242 - 'phid in (%Ls)', 243 243 - array_keys($repository_phids)); 245 245 + $repositories = id(new PhabricatorRepositoryQuery()) 246 246 + ->setViewer($this->getRequest()->getUser()) 247 247 + ->withPHIDs(array_keys($repository_phids)) 248 248 + ->execute(); 244 249 } else { 245 250 $repositories = array(); 246 251 }

src/applications/owners/storage/PhabricatorOwnersPackage.php

reviewed

··· 297 297 298 298 $cur_paths = mgroup($cur_paths, 'getRepositoryPHID', 'getPath'); 299 299 foreach ($new_paths as $repository_phid => $paths) { 300 300 + // TODO: (T603) Thread policy stuff in here. 301 301 + 300 302 // get repository object for path validation 301 303 $repository = id(new PhabricatorRepository())->loadOneWhere( 302 304 'phid = %s',

+1 -1

src/applications/releeph/storage/ReleephProject.php

reviewed

··· 113 113 return $this->assertAttached($this->repository); 114 114 } 115 115 116 116 - // TODO: Remove once everything uses ProjectQuery. 116 116 + // TODO: Remove once everything uses ProjectQuery. Also, T603. 117 117 public function loadPhabricatorRepository() { 118 118 return $this->loadOneRelative( 119 119 new PhabricatorRepository(),

+3 -1

src/applications/repository/conduit/ConduitAPI_repository_query_Method.php

reviewed

··· 33 33 } 34 34 35 35 protected function execute(ConduitAPIRequest $request) { 36 36 - $repositories = id(new PhabricatorRepository())->loadAll(); 36 36 + $repositories = id(new PhabricatorRepositoryQuery()) 37 37 + ->setViewer($request->getUser()) 38 38 + ->execute(); 37 39 38 40 $results = array(); 39 41 foreach ($repositories as $repository) {

+3 -1

src/applications/repository/controller/PhabricatorRepositoryArcanistProjectEditController.php

reviewed

··· 19 19 return new Aphront404Response(); 20 20 } 21 21 22 22 - $repositories = id(new PhabricatorRepository())->loadAll(); 22 22 + $repositories = id(new PhabricatorRepositoryQuery()) 23 23 + ->setViewer($user) 24 24 + ->execute(); 23 25 $repos = array( 24 26 0 => 'None', 25 27 );

+5 -1

src/applications/repository/controller/PhabricatorRepositoryDeleteController.php

reviewed

··· 10 10 } 11 11 12 12 public function processRequest() { 13 13 + $viewer = $this->getRequest()->getUser(); 13 14 14 14 - $repository = id(new PhabricatorRepository())->load($this->id); 15 15 + $repository = id(new PhabricatorRepositoryQuery()) 16 16 + ->setViewer($viewer) 17 17 + ->withIDs(array($this->id)) 18 18 + ->executeOne(); 15 19 if (!$repository) { 16 20 return new Aphront404Response(); 17 21 }

+5 -1

src/applications/repository/controller/PhabricatorRepositoryEditController.php

reviewed

··· 16 16 public function processRequest() { 17 17 18 18 $request = $this->getRequest(); 19 19 + $viewer = $request->getUser(); 19 20 20 20 - $repository = id(new PhabricatorRepository())->load($this->id); 21 21 + $repository = id(new PhabricatorRepositoryQuery()) 22 22 + ->setViewer($viewer) 23 23 + ->withIDs(array($this->id)) 24 24 + ->executeOne(); 21 25 if (!$repository) { 22 26 return new Aphront404Response(); 23 27 }

+3 -5

src/applications/repository/controller/PhabricatorRepositoryListController.php

reviewed

··· 3 3 final class PhabricatorRepositoryListController 4 4 extends PhabricatorRepositoryController { 5 5 6 6 - public function shouldRequireAdmin() { 7 7 - return false; 8 8 - } 9 9 - 10 6 public function processRequest() { 11 7 12 8 $request = $this->getRequest(); 13 9 $user = $request->getUser(); 14 10 $is_admin = $user->getIsAdmin(); 15 11 16 16 - $repos = id(new PhabricatorRepository())->loadAll(); 12 12 + $repos = id(new PhabricatorRepositoryQuery()) 13 13 + ->setViewer($user) 14 14 + ->execute(); 17 15 $repos = msort($repos, 'getName'); 18 16 19 17 $rows = array();

+3 -1

src/applications/repository/management/PhabricatorRepositoryManagementListWorkflow.php

reviewed

··· 13 13 public function execute(PhutilArgumentParser $args) { 14 14 $console = PhutilConsole::getConsole(); 15 15 16 16 - $repos = id(new PhabricatorRepository())->loadAll(); 16 16 + $repos = id(new PhabricatorRepositoryQuery()) 17 17 + ->setViewer(PhabricatorUser::getOmnipotentUser()) 18 18 + ->execute(); 17 19 if ($repos) { 18 20 foreach ($repos as $repo) { 19 21 $console->writeOut("%s\n", $repo->getCallsign());

+4 -4

src/applications/repository/search/PhabricatorRepositoryCommitSearchIndexer.php

reviewed

··· 17 17 $commit_message = $commit_data->getCommitMessage(); 18 18 $author_phid = $commit_data->getCommitDetail('authorPHID'); 19 19 20 20 - $repository = id(new PhabricatorRepository())->loadOneWhere( 21 21 - 'id = %d', 22 22 - $commit->getRepositoryID()); 23 23 - 20 20 + $repository = id(new PhabricatorRepositoryQuery()) 21 21 + ->setViewer($this->getViewer()) 22 22 + ->withIDs(array($commit->getRepositoryID())) 23 23 + ->executeOne(); 24 24 if (!$repository) { 25 25 throw new Exception("No such repository!"); 26 26 }

src/applications/repository/storage/PhabricatorRepository.php

reviewed

··· 452 452 } 453 453 454 454 public static function loadAllByPHIDOrCallsign(array $names) { 455 455 + // TODO: (T603) Get rid of this. 456 456 + 455 457 $repositories = array(); 456 458 foreach ($names as $name) { 457 459 $repo = id(new PhabricatorRepository())->loadOneWhere(

+1 -1

src/applications/repository/storage/PhabricatorRepositoryArcanistProject.php

reviewed

··· 32 32 PhabricatorRepositoryPHIDTypeArcanistProject::TYPECONST); 33 33 } 34 34 35 35 - // TODO: Remove. 35 35 + // TODO: Remove. Also, T603. 36 36 public function loadRepository() { 37 37 if (!$this->getRepositoryID()) { 38 38 return null;

+6 -3

src/applications/repository/worker/PhabricatorRepositoryCommitParserWorker.php

reviewed

··· 31 31 return; 32 32 } 33 33 34 34 - $repository = id(new PhabricatorRepository())->load( 35 35 - $this->commit->getRepositoryID()); 36 36 - 34 34 + $repository = id(new PhabricatorRepositoryQuery()) 35 35 + ->setViewer(PhabricatorUser::getOmnipotentUser()) 36 36 + ->withIDs(array($this->commit->getRepositoryID())) 37 37 + ->executeOne(); 37 38 if (!$repository) { 38 39 return; 39 40 } ··· 91 92 if (!$commit) { 92 93 return $suffix; 93 94 } 95 95 + 96 96 + // TODO: (T603) This method should probably take a viewer. 94 97 95 98 $repository = id(new PhabricatorRepository()) 96 99 ->load($commit->getRepositoryID());

src/applications/repository/worker/commitchangeparser/PhabricatorOwnersPackagePathValidator.php

reviewed

··· 15 15 return; 16 16 } 17 17 18 18 + // TODO: (T603) This should be policy-aware. 18 19 $repository = 19 20 id(new PhabricatorRepository())->load($commit->getRepositoryID()); 20 21 $move_map = array();