| blob | c43edaefcba1342962e91a9c51d2698ea3748dc2 |
1 <?php
3 /**
4 * A @{class:PhabricatorQuery} which filters results according to visibility
5 * policies for the querying user. Broadly, this class allows you to implement
6 * a query that returns only objects the user is allowed to see.
7 *
8 * $results = id(new ExampleQuery())
9 * ->setViewer($user)
10 * ->withConstraint($example)
11 * ->execute();
12 *
13 * Normally, you should extend @{class:PhabricatorCursorPagedPolicyAwareQuery},
14 * not this class. @{class:PhabricatorCursorPagedPolicyAwareQuery} provides a
15 * more practical interface for building usable queries against most object
16 * types.
17 *
18 * NOTE: Although this class extends @{class:PhabricatorOffsetPagedQuery},
19 * offset paging with policy filtering is not efficient. All results must be
20 * loaded into the application and filtered here: skipping `N` rows via offset
21 * is an `O(N)` operation with a large constant. Prefer cursor-based paging
22 * with @{class:PhabricatorCursorPagedPolicyAwareQuery}, which can filter far
23 * more efficiently in MySQL.
24 *
25 * @task config Query Configuration
26 * @task exec Executing Queries
27 * @task policyimpl Policy Query Implementation
28 */
39 /**
40 * Should we continue or throw an exception when a query result is filtered
41 * by policy rules?
42 *
43 * Values are `true` (raise exceptions), `false` (do not raise exceptions)
44 * and `null` (inherit from parent query, with no exceptions by default).
45 */
52 /* -( Query Configuration )------------------------------------------------ */
55 /**
56 * Set the viewer who is executing the query. Results will be filtered
57 * according to the viewer's capabilities. You must set a viewer to execute
58 * a policy query.
59 *
60 * @param PhabricatorUser The viewing user.
61 * @return this
62 * @task config
63 */
67 }
70 /**
71 * Get the query's viewer.
72 *
73 * @return PhabricatorUser The viewing user.
74 * @task config
75 */
78 }
81 /**
82 * Set the parent query of this query. This is useful for nested queries so
83 * that configuration like whether or not to raise policy exceptions is
84 * seamlessly passed along to child queries.
85 *
86 * @return this
87 * @task config
88 */
92 }
95 /**
96 * Get the parent query. See @{method:setParentQuery} for discussion.
97 *
98 * @return PhabricatorPolicyAwareQuery The parent query.
99 * @task config
100 */
103 }
106 /**
107 * Hook to configure whether this query should raise policy exceptions.
108 *
109 * @return this
110 * @task config
111 */
115 }
118 /**
119 * @return bool
120 * @task config
121 */
124 }
127 /**
128 * @task config
129 */
133 }
138 }
143 }
146 /* -( Query Execution )---------------------------------------------------- */
149 /**
150 * Execute the query, expecting a single result. This method simplifies
151 * loading objects for detail pages or edit views.
152 *
153 * // Load one result by ID.
154 * $obj = id(new ExampleQuery())
155 * ->setViewer($user)
156 * ->withIDs(array($id))
157 * ->executeOne();
158 * if (!$obj) {
159 * return new Aphront404Response();
160 * }
161 *
162 * If zero results match the query, this method returns `null`.
163 * If one result matches the query, this method returns that result.
164 *
165 * If two or more results match the query, this method throws an exception.
166 * You should use this method only when the query constraints guarantee at
167 * most one match (e.g., selecting a specific ID or PHID).
168 *
169 * If one result matches the query but it is caught by the policy filter (for
170 * example, the user is trying to view or edit an object which exists but
171 * which they do not have permission to see) a policy exception is thrown.
172 *
173 * @return mixed Single result, or null.
174 * @task exec
175 */
184 }
188 }
192 }
195 }
198 /**
199 * Execute the query, loading all visible results.
200 *
201 * @return list<PhabricatorPolicyInterface> Result objects.
202 * @task exec
203 */
207 }
213 }
227 }
231 // If we examine and filter significantly more objects than the query
232 // limit, we stop early. This prevents us from looping through a huge
233 // number of records when the viewer can see few or none of them. See
234 // T11773 for some discussion.
237 // See T13386. If we are on an old offset-based paging workflow, we need
238 // to base the overheating limit on both the offset and limit.
247 }
254 }
257 }
265 }
268 }
281 }
282 }
283 }
285 }
289 }
295 }
296 }
300 // NOTE: We call "nextPage()" before checking if we've found enough
301 // results because we want to build the internal cursor object even
302 // if we don't need to execute another query: the internal cursor may
303 // be used by a parent query that is using this query to translate an
304 // external cursor into an internal cursor.
310 // If we have an offset, we just ignore that many results and start
311 // storing them only once we've hit the offset. This reduces memory
312 // requirements for large offsets, compared to storing them all and
313 // slicing them away later.
316 }
319 // If we have all the rows we need, break out of the paging query.
321 }
322 }
325 // If we don't have a load count, we loaded all the results. We do
326 // not need to load another page.
328 }
331 // If we have a load count but the unfiltered results contained fewer
332 // objects, we know this was the last page of objects; we do not need
333 // to load another page because we can deduce it would be empty.
335 }
349 }
352 }
353 }
359 }
369 }
374 }
378 );
379 }
384 }
388 }
391 // Some objects (like commits) may be rejected because related objects
392 // (like repositories) can not be loaded. In some cases, we may need these
393 // related objects to determine the object policy, so it's expected that
394 // we may occasionally be unable to determine the policy.
400 }
402 // Mark this object as filtered so handles can render "Restricted" instead
403 // of "Unknown".
411 }
417 }
419 }
425 }
427 }
430 /**
431 * Return a map of all object PHIDs which were loaded in the query but
432 * filtered out by policy constraints. This allows a caller to distinguish
433 * between objects which do not exist (or, at least, were filtered at the
434 * content level) and objects which exist but aren't visible.
435 *
436 * @return map<phid, phid> Map of object PHIDs which were filtered
437 * by policies.
438 * @task exec
439 */
442 }
445 /* -( Query Workspace )---------------------------------------------------- */
448 /**
449 * Put a map of objects into the query workspace. Many queries perform
450 * subqueries, which can eventually end up loading the same objects more than
451 * once (often to perform policy checks).
452 *
453 * For example, loading a user may load the user's profile image, which might
454 * load the user object again in order to verify that the viewer has
455 * permission to see the file.
456 *
457 * The "query workspace" allows queries to load objects from elsewhere in a
458 * query block instead of refetching them.
459 *
460 * When using the query workspace, it's important to obey two rules:
461 *
462 * **Never put objects into the workspace which the viewer may not be able
463 * to see**. You need to apply all policy filtering //before// putting
464 * objects in the workspace. Otherwise, subqueries may read the objects and
465 * use them to permit access to content the user shouldn't be able to view.
466 *
467 * **Fully enrich objects pulled from the workspace.** After pulling objects
468 * from the workspace, you still need to load and attach any additional
469 * content the query requests. Otherwise, a query might return objects
470 * without requested content.
471 *
472 * Generally, you do not need to update the workspace yourself: it is
473 * automatically populated as a side effect of objects surviving policy
474 * filtering.
475 *
476 * @param map<phid, PhabricatorPolicyInterface> Objects to add to the query
477 * workspace.
478 * @return this
479 * @task workspace
480 */
486 }
492 // The workspace is scoped per viewer to prevent accidental contamination.
495 }
500 }
503 /**
504 * Retrieve objects from the query workspace. For more discussion about the
505 * workspace mechanism, see @{method:putObjectsInWorkspace}. This method
506 * searches both the current query's workspace and the workspaces of parent
507 * queries.
508 *
509 * @param list<phid> List of PHIDs to retrieve.
510 * @return this
511 * @task workspace
512 */
517 }
526 }
527 }
530 }
533 /**
534 * Mark PHIDs as in flight.
535 *
536 * PHIDs which are "in flight" are actively being queried for. Using this
537 * list can prevent infinite query loops by aborting queries which cycle.
538 *
539 * @param list<phid> List of PHIDs which are now in flight.
540 * @return this
541 */
545 }
547 }
550 /**
551 * Get PHIDs which are currently in flight.
552 *
553 * PHIDs which are "in flight" are actively being queried for.
554 *
555 * @return map<phid, phid> PHIDs currently in flight.
556 */
561 }
563 }
566 /* -( Policy Query Implementation )---------------------------------------- */
569 /**
570 * Get the number of results @{method:loadPage} should load. If the value is
571 * 0, @{method:loadPage} should load all available results.
572 *
573 * @return int The number of results to load, or 0 for all results.
574 * @task policyimpl
575 */
578 }
581 /**
582 * Hook invoked before query execution. Generally, implementations should
583 * reset any internal cursors.
584 *
585 * @return void
586 * @task policyimpl
587 */
590 }
593 /**
594 * Load a raw page of results. Generally, implementations should load objects
595 * from the database. They should attempt to return the number of results
596 * hinted by @{method:getRawResultLimit}.
597 *
598 * @return list<PhabricatorPolicyInterface> List of filterable policy objects.
599 * @task policyimpl
600 */
604 /**
605 * Update internal state so that the next call to @{method:loadPage} will
606 * return new results. Generally, you should adjust a cursor position based
607 * on the provided result page.
608 *
609 * @param list<PhabricatorPolicyInterface> The current page of results.
610 * @return void
611 * @task policyimpl
612 */
616 /**
617 * Hook for applying a page filter prior to the privacy filter. This allows
618 * you to drop some items from the result set without creating problems with
619 * pagination or cursor updates. You can also load and attach data which is
620 * required to perform policy filtering.
621 *
622 * Generally, you should load non-policy data and perform non-policy filtering
623 * later, in @{method:didFilterPage}. Strictly fewer objects will make it that
624 * far (so the program will load less data) and subqueries from that context
625 * can use the query workspace to further reduce query load.
626 *
627 * This method will only be called if data is available. Implementations
628 * do not need to handle the case of no results specially.
629 *
630 * @param list<wild> Results from `loadPage()`.
631 * @return list<PhabricatorPolicyInterface> Objects for policy filtering.
632 * @task policyimpl
633 */
636 }
638 /**
639 * Hook for performing additional non-policy loading or filtering after an
640 * object has satisfied all policy checks. Generally, this means loading and
641 * attaching related data.
642 *
643 * Subqueries executed during this phase can use the query workspace, which
644 * may improve performance or make circular policies resolvable. Data which
645 * is not necessary for policy filtering should generally be loaded here.
646 *
647 * This callback can still filter objects (for example, if attachable data
648 * is discovered to not exist), but should not do so for policy reasons.
649 *
650 * This method will only be called if data is available. Implementations do
651 * not need to handle the case of no results specially.
652 *
653 * @param list<wild> Results from @{method:willFilterPage()}.
654 * @return list<PhabricatorPolicyInterface> Objects after additional
655 * non-policy processing.
656 */
659 }
662 /**
663 * Hook for removing filtered results from alternate result sets. This
664 * hook will be called with any objects which were returned by the query but
665 * filtered for policy reasons. The query should remove them from any cached
666 * or partial result sets.
667 *
668 * @param list<wild> List of objects that should not be returned by alternate
669 * result mechanisms.
670 * @return void
671 * @task policyimpl
672 */
675 }
678 /**
679 * Hook for applying final adjustments before results are returned. This is
680 * used by @{class:PhabricatorCursorPagedPolicyAwareQuery} to reverse results
681 * that are queried during reverse paging.
682 *
683 * @param list<PhabricatorPolicyInterface> Query results.
684 * @return list<PhabricatorPolicyInterface> Final results.
685 * @task policyimpl
686 */
689 }
692 /**
693 * Allows a subclass to disable policy filtering. This method is dangerous.
694 * It should be used only if the query loads data which has already been
695 * filtered (for example, because it wraps some other query which uses
696 * normal policy filtering).
697 *
698 * @return bool True to disable all policy filtering.
699 * @task policyimpl
700 */
703 }
706 /**
707 * If this query belongs to an application, return the application class name
708 * here. This will prevent the query from returning results if the viewer can
709 * not access the application.
710 *
711 * If this query does not belong to an application, return `null`.
712 *
713 * @return string|null Application class name.
714 */
718 /**
719 * Determine if the viewer has permission to use this query's application.
720 * For queries which aren't part of an application, this method always returns
721 * true.
722 *
723 * @return bool True if the viewer has application-level permission to
724 * execute the query.
725 */
730 }
734 }
741 }
742 }
750 }
751 }
761 }
768 }
775 }
778 }
779 }
782 }
784 }