Make restricted objects in commit messages work more consistently with the web UI

Summary:
Fixes T11344. In the web UI, if a field like "Subscribers" on an object (like a task) contains values you don't have permission to see, you see tokens for them (like "Restricted Project") but not their names.

Make commit messages work the same way: you see the PHID, and can remove it or leave it there, but can't see the underlying name.

(We have to render an actual PHID rather than just "Restricted Thing" because we have to be able to figure out what edit the user is actually trying to make.)

Test Plan: Interacted with a revision via the CLI that had project reviewers I couldn't see.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T11344

Differential Revision: https://secure.phabricator.com/D17124

src/applications/phid/query/PhabricatorObjectListQuery.php

@@ -149,7 +149,22 @@ final class PhabricatorObjectListQuery extends Phobject {
     $missing = array();
     foreach ($name_map as $key => $name) {
       if (empty($objects[$key])) {
-        $missing[] = $name;
+        $missing[$key] = $name;
+      }
+    }
+
+    $result = array_unique(mpull($objects, 'getPHID'));
+
+    // For values which are plain PHIDs of allowed types, let them through
+    // unchecked. This can happen occur if subscribers or reviewers which the
+    // revision author does not have permission to see are added by Herald
+    // rules. Any actual edits will be checked later: users are not allowed
+    // to add new reviewers they can't see, but they can touch a field which
+    // contains them.
+    foreach ($missing as $key => $value) {
+      if (isset($allowed[phid_get_type($value)])) {
+        unset($missing[$key]);
+        $result[$key] = $value;
       }
     }
 
@@ -181,8 +196,6 @@ final class PhabricatorObjectListQuery extends Phobject {
       }
     }
 
-    $result = array_unique(mpull($objects, 'getPHID'));
-
     if ($suffixes) {
       foreach ($result as $key => $phid) {
         $result[$key] = array(