Make most file reads policy-aware

Summary: Ref T603. Swaps out most `PhabricatorFile` loads for `PhabricatorFileQuery`. Test Plan: - Viewed Differential changesets. - Used `file.info`. - Used `file.download`. - Viewed a file. - Deleted a file. - Used `/Fnnnn` to access a file. - Uploaded an image, verified a thumbnail generated. - Created and edited a macro. - Added a meme. - Did old-school attach-a-file-to-a-task. - Viewed a paste. - Viewed a mock. - Embedded a mock. - Profiled a page. - Parsed a commit with image files linked to a revision with image files. Reviewers: btrahan Reviewed By: btrahan CC: aran Maniphest Tasks: T603 Differential Revision: https://secure.phabricator.com/D7178
2013-09-30 09:38:13 -07:00
parent 4b39cc321b
commit 13dae05193
28 changed files with 124 additions and 67 deletions
--- a/src/applications/files/controller/PhabricatorFileDeleteController.php
+++ b/src/applications/files/controller/PhabricatorFileDeleteController.php
@@ -9,13 +9,18 @@ final class PhabricatorFileDeleteController extends PhabricatorFileController {
  }

  public function processRequest() {
-
    $request = $this->getRequest();
    $user = $request->getUser();

-    $file = id(new PhabricatorFile())->loadOneWhere(
-      'id = %d',
-      $this->id);
+    $file = id(new PhabricatorFileQuery())
+      ->setViewer($user)
+      ->withIDs(array($this->id))
+      ->requireCapabilities(
+        array(
+          PhabricatorPolicyCapability::CAN_VIEW,
+          PhabricatorPolicyCapability::CAN_EDIT,
+        ))
+      ->executeOne();
    if (!$file) {
      return new Aphront404Response();
    }