From 189600e4116e97dde117083d5fa6778d7cb13755 Mon Sep 17 00:00:00 2001
From: epriestley
Date: Wed, 25 May 2016 08:07:38 -0700
Subject: [PATCH] Allow broader HTTP access to public repositories, respect nonstandard Phabricator HTTP port when generating repository URIs
Summary: Fixes T11030. Fixes T11032.
- Allow HTTP access to "Public" repositories even if `diffusion.allow-http-auth` is disabled.
- If you run Phabricator on an unusual port (???) use that port as the default when generating HTTP URIs.
Test Plan:
- Faked `phabricator.base-uri` to an unusual port, saw repository HTTP URI generate with an unusual port.
- Disabled `diffusion.allow-http-auth`, confirmed that toggling view policy between "public" and "users" activated or deactivated HTTP clone URI.
Reviewers: chad
Reviewed By: chad
Maniphest Tasks: T11030, T11032
Differential Revision: https://secure.phabricator.com/D15973
---
 .../storage/PhabricatorRepository.php | 8 +++-
 .../storage/PhabricatorRepositoryURI.php | 40 +++++++++++++++----
 .../user/userguide/diffusion_uris.diviner | 6 ++-
 3 files changed, 44 insertions(+), 10 deletions(-)
diff --git a/src/applications/repository/storage/PhabricatorRepository.php b/src/applications/repository/storage/PhabricatorRepository.php
index bc786e46a1..c95a4361e1 100644
--- a/src/applications/repository/storage/PhabricatorRepository.php
+++ b/src/applications/repository/storage/PhabricatorRepository.php
@@ -2078,7 +2078,13 @@ final class PhabricatorRepository extends PhabricatorRepositoryDAO
 PhabricatorRepositoryURI::BUILTIN_IDENTIFIER_ID => true,
 );
 
- $allow_http = PhabricatorEnv::getEnvConfig('diffusion.allow-http-auth');
+ // If the view policy of the repository is public, support anonymous HTTP
+ // even if authenticated HTTP is not supported.
+ if ($this->getViewPolicy() === PhabricatorPolicies::POLICY_PUBLIC) {
+ $allow_http = true;
+ } else {
+ $allow_http = PhabricatorEnv::getEnvConfig('diffusion.allow-http-auth');
+ }
 $base_uri = PhabricatorEnv::getURI('/');
 $base_uri = new PhutilURI($base_uri);
 
diff --git a/src/applications/repository/storage/PhabricatorRepositoryURI.php b/src/applications/repository/storage/PhabricatorRepositoryURI.php
index 53b9040453..f0326f12a9 100644
--- a/src/applications/repository/storage/PhabricatorRepositoryURI.php
+++ b/src/applications/repository/storage/PhabricatorRepositoryURI.php
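Review bot: The new branch tests the stored view policy, `$this->getViewPolicy() === PhabricatorPolicies::POLICY_PUBLIC`, which is not necessarily the effective policy. If the install has `policy.allow-public` disabled, or the repository sits in a restricted Space, anonymous viewers presumably still cannot see the repository, yet the HTTP clone URI would now be offered. Consider gating on the config too, e.g. `if (PhabricatorEnv::getEnvConfig('policy.allow-public') && $this->getViewPolicy() === PhabricatorPolicies::POLICY_PUBLIC) {`. The comment should also say that this only controls which builtin URIs are generated and that anonymous access is enforced by the HTTP serving code, which is not visible in this hunk. The enclosing method starts and ends outside the hunk.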
@@ -379,14 +379,40 @@ final class PhabricatorRepositoryURI
 }
 
 private function getForcedPort() {
- switch ($this->getBuiltinProtocol()) {
- case self::BUILTIN_PROTOCOL_SSH:
- return PhabricatorEnv::getEnvConfig('diffusion.ssh-port');
- case self::BUILTIN_PROTOCOL_HTTP:
- case self::BUILTIN_PROTOCOL_HTTPS:
- default:
- return null;
+ $protocol = $this->getBuiltinProtocol();
+
+ if ($protocol == self::BUILTIN_PROTOCOL_SSH) {
+ return PhabricatorEnv::getEnvConfig('diffusion.ssh-port');
 }
+
+ // If Phabricator is running on a nonstandard port, use that as the defualt
+ // port for URIs with the same protocol.
+
+ $is_http = ($protocol == self::BUILTIN_PROTOCOL_HTTP);
+ $is_https = ($protocol == self::BUILTIN_PROTOCOL_HTTPS);
+
+ if ($is_http || $is_https) {
+ $uri = PhabricatorEnv::getURI('/');
+ $uri = new PhutilURI($uri);
+
+ $port = $uri->getPort();
+ if (!$port) {
+ return null;
+ }
+
+ $uri_protocol = $uri->getProtocol();
+ $use_port =
+ ($is_http && ($uri_protocol == 'http')) ||
+ ($is_https && ($uri_protocol == 'https'));
+
+ if (!$use_port) {
+ return null;
+ }
+
+ return $port;
+ }
+
+ return null;
 }
 
 private function getForcedPath() {
diff --git a/src/docs/user/userguide/diffusion_uris.diviner b/src/docs/user/userguide/diffusion_uris.diviner
index 7377250f21..08be97b6b8 100644
--- a/src/docs/user/userguide/diffusion_uris.diviner
+++ b/src/docs/user/userguide/diffusion_uris.diviner
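Review bot: The protocol checks in the new `getForcedPort()` use loose `==` (`$protocol == self::BUILTIN_PROTOCOL_SSH`, `$uri_protocol == 'http'`), while the other PHP hunk in this commit uses `===`; strict comparison would be consistent and avoids type juggling on config-derived strings. The scheme test is also an exact match against lowercase literals, so if `PhutilURI::getProtocol()` does not normalise case (not visible here), a `phabricator.base-uri` written with an uppercase scheme would silently drop the port; `strtolower($uri->getProtocol())` would make that explicit. The added comment has a typo: `defualt` should read `default`.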
@@ -173,14 +173,16 @@ SSH clone URIs by examining configuration. **HTTP**: The `http://` clone URI will be available if these conditions are satisfied: - - `diffusion.allow-http-auth` must be enabled. + - `diffusion.allow-http-auth` must be enabled or the repository view policy + must be "Public". - The repository must be a Git or Mercurial repository. - `security.require-https` must be disabled. **HTTPS**: The `https://` clone URI will be available if these conditions are satisfied: - - `diffusion.allow-http-auth` must be enabled. + - `diffusion.allow-http-auth` must be enabled or the repository view policy + must be "Public". - The repository must be a Git or Mercurial repository. - The `phabricator.base-uri` protocol must be `https://`.