archive/phabricator
1
0
Fork 0
Code Issues 1 Pull Requests Packages Projects Releases Wiki Activity

When loading project membership to evaluate the "Subscribers" policy, use the ominipotent viewer

Browse Source 
Summary: See PHI448. Ref T13106. The current implementation here can end up in an infinite stack if, e.g., a project uses "Visible to: Subscribers".

Test Plan: Will push.

Maniphest Tasks: T13106

Differential Revision: https://secure.phabricator.com/D19226
This commit is contained in:
epriestley
2018-03-14 12:48:20 -07:00
parent ce6e020d5d
commit f348721aed
1 changed files with 5 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
src/applications/subscriptions/policyrule/PhabricatorSubscriptionsSubscribersPolicyRule.php
View File

@@ -45,10 +45,13 @@ final class PhabricatorSubscriptionsSubscribersPolicyRule
$this->subscribed[$viewer_phid] = array(); $this->subscribed[$viewer_phid] = array();
} }
// Load the project PHIDs the user is a member of. // Load the project PHIDs the user is a member of. We use the omnipotent
// user here because projects may themselves have "Subscribers" visibility
// policies and we don't want to get stuck in an infinite stack of
// recursive policy checks. See T13106.
if (!isset($this->sourcePHIDs[$viewer_phid])) { if (!isset($this->sourcePHIDs[$viewer_phid])) {
$projects = id(new PhabricatorProjectQuery()) $projects = id(new PhabricatorProjectQuery())
->setViewer($viewer) ->setViewer(PhabricatorUser::getOmnipotentUser())
->withMemberPHIDs(array($viewer_phid)) ->withMemberPHIDs(array($viewer_phid))
->execute(); ->execute();