
Use a unique random key to identify queries, not a sequential ID

Authored by epriestley <git@epriestley.com> on Feb 7 2012, 23:58.

Description

Use a unique random key to identify queries, not a sequential ID

Summary:
We save search information and then redirect to a "/search/<query_id>/" URI in
order to make search URIs short and bookmarkable, and save query data for
analysis/improvement of search results.

Currently, there's a vague object enumeration security issue with using
sequential IDs to identify searches, where non-admins can see searches other
users have performed. This isn't really too concerning but we lose nothing by
using random keys from a large ID space instead.

  • Drop 'authorPHID', which was unused anyway, so searches can not be
    personally identified, even by admins.
  • Identify searches by random hash keys, not sequential IDs.
  • Map old queries' keys to their IDs so we don't break any existing bookmarked
    URIs.

Test Plan: Ran several searches, got redirected to URIs with random hashes from
a large ID space rather than sequential integers.

Reviewers: arice, btrahan

Reviewed By: arice

CC: aran, epriestley

Differential Revision: https://secure.phabricator.com/D1587
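
The scheme the summary describes, as an added example (not code from this commit or from Phabricator), sketched against an in-memory SQLite table. The table name `search_query`, the column `queryKey`, and the 96-bit key length are assumptions made for illustration.

```python
import secrets
import sqlite3

def open_legacy_db():
    """Constructed legacy state: searches addressed by sequential id."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE search_query ("
               "id INTEGER PRIMARY KEY AUTOINCREMENT, query TEXT NOT NULL)")
    db.executemany("INSERT INTO search_query (query) VALUES (?)",
                   [("old search one",), ("old search two",)])
    return db

def migrate(db):
    """Add the key column (hypothetical name) and give every old row a key
    equal to its id, so an existing bookmark like /search/2/ still resolves."""
    db.execute("ALTER TABLE search_query ADD COLUMN queryKey TEXT")
    db.execute("UPDATE search_query SET queryKey = CAST(id AS TEXT)")
    db.execute("CREATE UNIQUE INDEX key_query ON search_query (queryKey)")

def save_query(db, query):
    """Store a search under a fresh 96-bit key from the OS CSPRNG and
    return the URI to redirect to."""
    key = secrets.token_urlsafe(12)  # 12 random bytes -> 16 URL-safe chars
    db.execute("INSERT INTO search_query (query, queryKey) VALUES (?, ?)",
               (query, key))
    return "/search/%s/" % key

def load_query(db, uri):
    """Resolve a /search/<key>/ URI by key only; the integer id of a row
    saved after the migration is not a valid handle for it."""
    key = uri.strip("/").split("/")[-1]
    row = db.execute("SELECT query FROM search_query WHERE queryKey = ?",
                     (key,)).fetchone()
    return row[0] if row else None

def enumerate_ids(db, upto):
    """What walking /search/1/, /search/2/, ... still returns."""
    found = {}
    for n in range(1, upto + 1):
        hit = load_query(db, "/search/%d/" % n)
        if hit is not None:
            found[n] = hit
    return found

if __name__ == "__main__":
    db = open_legacy_db()
    migrate(db)
    print(save_query(db, "new search"))   # random key each run
    print(enumerate_ids(db, 10))          # only the two pre-migration rows
```

Rows that existed before the migration stay reachable by walking small integers, because their keys are their IDs; only searches saved afterwards get unguessable URIs.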

Details

Committed
epriestley <git@epriestley.com> Feb 7 2012, 23:58
Pushed
aubort Jan 31 2017, 17:16
Parents
rPH4ac29d108cc2: Simplify Aphront transaction code
Branches
Unknown
Tags
Unknown

Event Timeline

epriestley <git@epriestley.com> committed rPHa5f8846f472b: Use a unique random key to identify queries, not a sequential ID (authored by epriestley <git@epriestley.com>). Feb 7 2012, 23:58