Remove "feed.public" and sort out feed policies
Summary: Ref T6817. Fixes T8731. On the old `secure` host, `feed.public` was set to `true`. I didn't bring the option over, which caused the secondary issue in T8731. Specifically, when `feed.public` is off, a logged-out user looking at feed can't see //any// stories, so they query all of feed until they hit the time limit. To fix this immediately, just use the most open policy, which is basically equivalent but always correct. To fix this more thoroughly: - Remove `feed.public`, which violates policies and has been slated for removal for a while (see T6817). - Clean up policy handling. Test Plan: - As a logged-out user, viewed feed on a public install with `feed.public` off; no longer saw all stories get queried + no feed shown. - Grepped for `feed.public`. Reviewers: btrahan Reviewed By: btrahan Subscribers: chad, epriestley Maniphest Tasks: T6817, T8731 Differential Revision: https://secure.phabricator.com/D13518
This commit is contained in:
		| @@ -1885,7 +1885,6 @@ phutil_register_library_map(array( | ||||
|     'PhabricatorFeedListController' => 'applications/feed/controller/PhabricatorFeedListController.php', | ||||
|     'PhabricatorFeedManagementRepublishWorkflow' => 'applications/feed/management/PhabricatorFeedManagementRepublishWorkflow.php', | ||||
|     'PhabricatorFeedManagementWorkflow' => 'applications/feed/management/PhabricatorFeedManagementWorkflow.php', | ||||
|     'PhabricatorFeedPublicStreamController' => 'applications/feed/controller/PhabricatorFeedPublicStreamController.php', | ||||
|     'PhabricatorFeedQuery' => 'applications/feed/query/PhabricatorFeedQuery.php', | ||||
|     'PhabricatorFeedSearchEngine' => 'applications/feed/query/PhabricatorFeedSearchEngine.php', | ||||
|     'PhabricatorFeedStory' => 'applications/feed/story/PhabricatorFeedStory.php', | ||||
| @@ -5520,7 +5519,6 @@ phutil_register_library_map(array( | ||||
|     'PhabricatorFeedListController' => 'PhabricatorFeedController', | ||||
|     'PhabricatorFeedManagementRepublishWorkflow' => 'PhabricatorFeedManagementWorkflow', | ||||
|     'PhabricatorFeedManagementWorkflow' => 'PhabricatorManagementWorkflow', | ||||
|     'PhabricatorFeedPublicStreamController' => 'PhabricatorFeedController', | ||||
|     'PhabricatorFeedQuery' => 'PhabricatorCursorPagedPolicyAwareQuery', | ||||
|     'PhabricatorFeedSearchEngine' => 'PhabricatorApplicationSearchEngine', | ||||
|     'PhabricatorFeedStory' => array( | ||||
|   | ||||
| @@ -274,6 +274,8 @@ final class PhabricatorExtraConfigSetupCheck extends PhabricatorSetupCheck { | ||||
|  | ||||
|       'security.allow-conduit-act-as-user' => pht( | ||||
|         'Impersonating users over the API is no longer supported.'), | ||||
|  | ||||
|       'feed.public' => pht('The framable public feed is no longer supported.'), | ||||
|     ); | ||||
|  | ||||
|     return $ancient_config; | ||||
|   | ||||
| @@ -25,7 +25,6 @@ final class PhabricatorFeedApplication extends PhabricatorApplication { | ||||
|   public function getRoutes() { | ||||
|     return array( | ||||
|       '/feed/' => array( | ||||
|         'public/' => 'PhabricatorFeedPublicStreamController', | ||||
|         '(?P<id>\d+)/' => 'PhabricatorFeedDetailController', | ||||
|         '(?:query/(?P<queryKey>[^/]+)/)?' => 'PhabricatorFeedListController', | ||||
|       ), | ||||
|   | ||||
| @@ -4,7 +4,6 @@ final class PhabricatorFeedBuilder extends Phobject { | ||||
|  | ||||
|   private $user; | ||||
|   private $stories; | ||||
|   private $framed; | ||||
|   private $hovercards = false; | ||||
|   private $noDataString; | ||||
|  | ||||
| @@ -13,11 +12,6 @@ final class PhabricatorFeedBuilder extends Phobject { | ||||
|     $this->stories = $stories; | ||||
|   } | ||||
|  | ||||
|   public function setFramed($framed) { | ||||
|     $this->framed = $framed; | ||||
|     return $this; | ||||
|   } | ||||
|  | ||||
|   public function setUser(PhabricatorUser $user) { | ||||
|     $this->user = $user; | ||||
|     return $this; | ||||
| @@ -47,7 +41,6 @@ final class PhabricatorFeedBuilder extends Phobject { | ||||
|  | ||||
|     $last_date = null; | ||||
|     foreach ($stories as $story) { | ||||
|       $story->setFramed($this->framed); | ||||
|       $story->setHovercard($this->hovercards); | ||||
|  | ||||
|       $date = ucfirst(phabricator_relative_date($story->getEpoch(), $user)); | ||||
|   | ||||
| @@ -21,24 +21,6 @@ final class PhabricatorFeedConfigOptions | ||||
|  | ||||
|   public function getOptions() { | ||||
|     return array( | ||||
|       $this->newOption('feed.public', 'bool', false) | ||||
|         ->setLocked(true) | ||||
|         ->setBoolOptions( | ||||
|           array( | ||||
|             pht('Allow anyone to view the feed'), | ||||
|             pht('Require authentication'), | ||||
|           )) | ||||
|         ->setSummary(pht('Should the feed be public?')) | ||||
|         ->setDescription( | ||||
|           pht( | ||||
|             "If you set this to true, you can embed Phabricator activity ". | ||||
|             "feeds in other pages using iframes. These feeds are completely ". | ||||
|             "public, and a login is not required to view them! This is ". | ||||
|             "intended for things like open source projects that want to ". | ||||
|             "expose an activity feed on the project homepage.\n\n". | ||||
|             "NOTE: You must also set `%s` to true for this ". | ||||
|             "setting to work properly.", | ||||
|             'policy.allow-public')), | ||||
|       $this->newOption('feed.http-hooks', 'list<string>', array()) | ||||
|         ->setLocked(true) | ||||
|         ->setSummary(pht('POST notifications of feed events.')) | ||||
|   | ||||
| @@ -1,39 +0,0 @@ | ||||
| <?php | ||||
|  | ||||
| final class PhabricatorFeedPublicStreamController | ||||
|   extends PhabricatorFeedController { | ||||
|  | ||||
|   public function shouldRequireLogin() { | ||||
|     return false; | ||||
|   } | ||||
|  | ||||
|   public function processRequest() { | ||||
|     if (!PhabricatorEnv::getEnvConfig('feed.public')) { | ||||
|       return new Aphront404Response(); | ||||
|     } | ||||
|  | ||||
|     $request = $this->getRequest(); | ||||
|     $viewer = PhabricatorUser::getOmnipotentUser(); | ||||
|  | ||||
|     $query = new PhabricatorFeedQuery(); | ||||
|     $query->setViewer($viewer); | ||||
|     $query->setLimit(100); | ||||
|     $stories = $query->execute(); | ||||
|  | ||||
|     $builder = new PhabricatorFeedBuilder($stories); | ||||
|     $builder | ||||
|       ->setFramed(true) | ||||
|       ->setUser($viewer); | ||||
|  | ||||
|     $view = phutil_tag_div( | ||||
|       'phabricator-public-feed-frame', | ||||
|       $builder->buildView()); | ||||
|  | ||||
|     return $this->buildStandardPageResponse( | ||||
|       $view, | ||||
|       array( | ||||
|         'title' => pht('Public Feed'), | ||||
|         'public' => true, | ||||
|       )); | ||||
|   } | ||||
| } | ||||
| @@ -16,7 +16,6 @@ abstract class PhabricatorFeedStory | ||||
|  | ||||
|   private $data; | ||||
|   private $hasViewed; | ||||
|   private $framed; | ||||
|   private $hovercard = false; | ||||
|   private $renderingTarget = PhabricatorApplicationTransaction::TARGET_HTML; | ||||
|  | ||||
| @@ -289,11 +288,6 @@ abstract class PhabricatorFeedStory | ||||
|     return $this->hasViewed; | ||||
|   } | ||||
|  | ||||
|   final public function setFramed($framed) { | ||||
|     $this->framed = $framed; | ||||
|     return $this; | ||||
|   } | ||||
|  | ||||
|   final public function setHandles(array $handles) { | ||||
|     assert_instances_of($handles, 'PhabricatorObjectHandle'); | ||||
|     $this->handles = $handles; | ||||
| @@ -367,24 +361,7 @@ abstract class PhabricatorFeedStory | ||||
|         return $handle->getLinkName(); | ||||
|     } | ||||
|  | ||||
|     // NOTE: We render our own link here to customize the styling and add | ||||
|     // the '_top' target for framed feeds. | ||||
|  | ||||
|     $class = null; | ||||
|     if ($handle->getType() == PhabricatorPeopleUserPHIDType::TYPECONST) { | ||||
|       $class = 'phui-link-person'; | ||||
|     } | ||||
|  | ||||
|     return javelin_tag( | ||||
|       'a', | ||||
|       array( | ||||
|         'href'    => $handle->getURI(), | ||||
|         'target'  => $this->framed ? '_top' : null, | ||||
|         'sigil'   => $this->hovercard ? 'hovercard' : null, | ||||
|         'meta'    => $this->hovercard ? array('hoverPHID' => $phid) : null, | ||||
|         'class'   => $class, | ||||
|       ), | ||||
|       $handle->getLinkName()); | ||||
|     return $handle->renderLink(); | ||||
|   } | ||||
|  | ||||
|   final protected function renderString($str) { | ||||
| @@ -462,16 +439,10 @@ abstract class PhabricatorFeedStory | ||||
|    * @task policy | ||||
|    */ | ||||
|   public function getPolicy($capability) { | ||||
|     $policy_object = $this->getPrimaryPolicyObject(); | ||||
|     if ($policy_object) { | ||||
|       return $policy_object->getPolicy($capability); | ||||
|     } | ||||
|  | ||||
|     // TODO: Remove this once all objects are policy-aware. For now, keep | ||||
|     // respecting the `feed.public` setting. | ||||
|     return PhabricatorEnv::getEnvConfig('feed.public') | ||||
|       ? PhabricatorPolicies::POLICY_PUBLIC | ||||
|       : PhabricatorPolicies::POLICY_USER; | ||||
|     // NOTE: We enforce that a user can see all the objects a story is about | ||||
|     // when loading it, so we don't need to perform a equivalent secondary | ||||
|     // policy check later. | ||||
|     return PhabricatorPolicies::getMostOpenPolicy(); | ||||
|   } | ||||
|  | ||||
|  | ||||
| @@ -479,39 +450,15 @@ abstract class PhabricatorFeedStory | ||||
|    * @task policy | ||||
|    */ | ||||
|   public function hasAutomaticCapability($capability, PhabricatorUser $viewer) { | ||||
|     $policy_object = $this->getPrimaryPolicyObject(); | ||||
|     if ($policy_object) { | ||||
|       return $policy_object->hasAutomaticCapability($capability, $viewer); | ||||
|     } | ||||
|  | ||||
|     return false; | ||||
|   } | ||||
|  | ||||
|  | ||||
|   public function describeAutomaticCapability($capability) { | ||||
|     return null; | ||||
|   } | ||||
|  | ||||
|  | ||||
|   /** | ||||
|    * Get the policy object this story is about, if such a policy object | ||||
|    * exists. | ||||
|    * | ||||
|    * @return PhabricatorPolicyInterface|null Policy object, if available. | ||||
|    * @task policy | ||||
|    */ | ||||
|   private function getPrimaryPolicyObject() { | ||||
|     $primary_phid = $this->getPrimaryObjectPHID(); | ||||
|     if (empty($this->objects[$primary_phid])) { | ||||
|       $object = $this->objects[$primary_phid]; | ||||
|       if ($object instanceof PhabricatorPolicyInterface) { | ||||
|         return $object; | ||||
|       } | ||||
|     } | ||||
|  | ||||
|     return null; | ||||
|   } | ||||
|  | ||||
|  | ||||
| /* -(  PhabricatorMarkupInterface Implementation )--------------------------- */ | ||||
|  | ||||
|  | ||||
|   | ||||
		Reference in New Issue
	
	Block a user
	 epriestley
					epriestley