recaptime.dev / phorge
@recaptime-dev's working patches + fork for Phorge, a community fork of Phabricator. (Upstream dev and stable branches are at upstream/main and upstream/stable respectively.) hq.recaptime.dev/wiki/Phorge
phorge phabricator
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

Policy - make ManiphestTaskQuery verify project visibility first thing

Summary: Fixes T7094 (last of many revisions). Its important to do this filtering ASAP so that users can't deduce the identify of an unknown / invisible project.

Test Plan: executed a query for tasks in project foo using user bar. using user foo, lock user bar out of project foo. reissued the query and saw "no data" as well as "restricted project" in the project typeahead.

Reviewers: epriestley

Reviewed By: epriestley

Subscribers: Korvin, epriestley

Maniphest Tasks: T7094

Differential Revision: https://secure.phabricator.com/D11660

Bob Trahan da1531f2 137b0ebc

+29 -5
+29 -5
src/applications/maniphest/query/ManiphestTaskQuery.php
··· 56 56 private $blockingTasks; 57 57 private $blockedTasks; 58 58 59 + private $projectPolicyCheckFailed = false; 60 + 59 61 const DEFAULT_PAGE_SIZE = 1000; 60 62 61 63 public function withAuthors(array $authors) { ··· 222 224 return $this; 223 225 } 224 226 227 + protected function willExecute() { 228 + // Make sure the user can see any projects specified in this 229 + // query FIRST. 230 + if ($this->projectPHIDs) { 231 + $projects = id(new PhabricatorProjectQuery()) 232 + ->setViewer($this->getViewer()) 233 + ->withPHIDs($this->projectPHIDs) 234 + ->execute(); 235 + $projects = mpull($projects, null, 'getPHID'); 236 + foreach ($this->projectPHIDs as $index => $phid) { 237 + $project = idx($projects, $phid); 238 + if (!$project) { 239 + unset($this->projectPHIDs[$index]); 240 + continue; 241 + } 242 + } 243 + if (!$this->projectPHIDs) { 244 + $this->projectPolicyCheckFailed = true; 245 + } 246 + $this->projectPHIDs = array_values($this->projectPHIDs); 247 + } 248 + } 249 + 225 250 protected function loadPage() { 226 - // TODO: (T603) It is possible for a user to find the PHID of a project 227 - // they can't see, then query for tasks in that project and deduce the 228 - // identity of unknown/invisible projects. Before we allow the user to 229 - // execute a project-based PHID query, we should verify that they 230 - // can see the project. 251 + 252 + if ($this->projectPolicyCheckFailed) { 253 + throw new PhabricatorEmptyQueryException(); 254 + } 231 255 232 256 $task_dao = new ManiphestTask(); 233 257 $conn = $task_dao->establishConnection('r');