Allow broader HTTP access to public repositories, respect nonstandard Phabricator HTTP port when generating repository URIs

Summary:
Fixes T11030. Fixes T11032.

  - Allow HTTP access to "Public" repositories even if `diffusion.allow-http-auth` is disabled.
  - If you run Phabricator on an unusual port (???) use that port as the default when generating HTTP URIs.

Test Plan:
  - Faked `phabricator.base-uri` to an unusual port, saw repository HTTP URI generate with an unusual port.
  - Disabled `diffusion.allow-http-auth`, confirmed that toggling view policy between "public" and "users" activated or deactivated HTTP clone URI.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T11030, T11032

Differential Revision: https://secure.phabricator.com/D15973

src/applications/repository/storage/PhabricatorRepository.php

@@ -2078,7 +2078,13 @@ final class PhabricatorRepository extends PhabricatorRepositoryDAO
       PhabricatorRepositoryURI::BUILTIN_IDENTIFIER_ID => true,
     );
 
+    // If the view policy of the repository is public, support anonymous HTTP
+    // even if authenticated HTTP is not supported.
+    if ($this->getViewPolicy() === PhabricatorPolicies::POLICY_PUBLIC) {
+      $allow_http = true;
+    } else {
       $allow_http = PhabricatorEnv::getEnvConfig('diffusion.allow-http-auth');
+    }
 
     $base_uri = PhabricatorEnv::getURI('/');
     $base_uri = new PhutilURI($base_uri);

src/applications/repository/storage/PhabricatorRepositoryURI.php

@@ -379,14 +379,40 @@ final class PhabricatorRepositoryURI
   }
 
   private function getForcedPort() {
-    switch ($this->getBuiltinProtocol()) {
-      case self::BUILTIN_PROTOCOL_SSH:
+    $protocol = $this->getBuiltinProtocol();
+
+    if ($protocol == self::BUILTIN_PROTOCOL_SSH) {
       return PhabricatorEnv::getEnvConfig('diffusion.ssh-port');
-      case self::BUILTIN_PROTOCOL_HTTP:
-      case self::BUILTIN_PROTOCOL_HTTPS:
-      default:
+    }
+
+    // If Phabricator is running on a nonstandard port, use that as the defualt
+    // port for URIs with the same protocol.
+
+    $is_http = ($protocol == self::BUILTIN_PROTOCOL_HTTP);
+    $is_https = ($protocol == self::BUILTIN_PROTOCOL_HTTPS);
+
+    if ($is_http || $is_https) {
+      $uri = PhabricatorEnv::getURI('/');
+      $uri = new PhutilURI($uri);
+
+      $port = $uri->getPort();
+      if (!$port) {
         return null;
       }
+
+      $uri_protocol = $uri->getProtocol();
+      $use_port =
+        ($is_http && ($uri_protocol == 'http')) ||
+        ($is_https && ($uri_protocol == 'https'));
+
+      if (!$use_port) {
+        return null;
+      }
+
+      return $port;
+    }
+
+    return null;
   }
 
   private function getForcedPath() {

src/docs/user/userguide/diffusion_uris.diviner

@@ -173,14 +173,16 @@ SSH clone URIs by examining configuration.
 **HTTP**: The `http://` clone URI will be available if these conditions are
 satisfied:
 
-  - `diffusion.allow-http-auth` must be enabled.
+  - `diffusion.allow-http-auth` must be enabled or the repository view policy
+    must be "Public".
   - The repository must be a Git or Mercurial repository.
   - `security.require-https` must be disabled.
 
 **HTTPS**: The `https://` clone URI will be available if these conditions are
 satisfied:
 
-  - `diffusion.allow-http-auth` must be enabled.
+  - `diffusion.allow-http-auth` must be enabled or the repository view policy
+    must be "Public".
   - The repository must be a Git or Mercurial repository.
   - The `phabricator.base-uri` protocol must be `https://`.