When updating revisions in responset to commits, use the omnipotent viewer to pull diffs

Summary: Ref T13625. See that task for discussion. Currently, the Viewer when performing revision updates in response to commits may be an arbitrary low-privilege user (an Application, a disabled User, a bot, a mailing list, etc). Today, this leads to an exception when trying to make API calls. Ideally, we probably would not perform the update in these cases. However, performing the update isn't a policy violation and is generally less surprising than not performing it, so continue performing it for now: just use the omnipotent user to interact with the API. Test Plan: - Authored a commit as a bot user without permission to view the repository or revision. - Commented out a couple of caches, and used `bin/repository reparse --publish ...` to republish the commit. - Before: exception when trying to interact with the API. - After: clean publish. Maniphest Tasks: T13625 Differential Revision: https://secure.phabricator.com/D21582
2024-09-20 01:08:50 +02:00 · 2021-03-01 10:54:46 -08:00 · 2021-03-01 10:54:46 -08:00 · 55f4a258d2
commit 55f4a258d2
parent 0a3093ef9c
1 changed files with 27 additions and 5 deletions
--- a/src/applications/diffusion/worker/DiffusionUpdateObjectAfterCommitWorker.php
+++ b/src/applications/diffusion/worker/DiffusionUpdateObjectAfterCommitWorker.php
@ -148,17 +148,39 @@ final class DiffusionUpdateObjectAfterCommitWorker
    PhabricatorRepositoryCommit $commit,
    DifferentialRevision $revision) {

+    $acting_phid = $this->getActingPHID($commit);
+    $acting_user = $this->loadActingUser($acting_phid);
+
+    // See T13625. The "Acting User" is the author of the commit based on the
+    // author string, or the Diffusion application PHID if we could not
+    // identify an author.
+
+    // This user may not be able to view the commit or the revision, and may
+    // also be unable to make API calls. Here, we execute queries and apply
+    // transactions as the omnipotent user.
+
+    // It would probably be better to use the acting user everywhere here, and
+    // exit gracefully if they can't see the revision (this is how the flow
+    // on tasks works). However, without a positive indicator in the UI
+    // explaining "no revision was updated because the author of this commit
+    // can't see anything", this might be fairly confusing, and break workflows
+    // which have worked historically.
+
+    // This isn't, per se, a policy violation (you can't get access to anything
+    // you don't already have access to by making commits that reference
+    // revisions, even if you can't see the commits or revisions), so just
+    // leave it for now.
+
+    $viewer = $this->getViewer();
+
    // Reload the revision to get the active diff, which is currently required
    // by "updateRevisionWithCommit()".
    $revision = id(new DifferentialRevisionQuery())
-      ->setViewer($this->getViewer())
+      ->setViewer($viewer)
      ->withIDs(array($revision->getID()))
      ->needActiveDiffs(true)
      ->executeOne();

-    $acting_phid = $this->getActingPHID($commit);
-    $acting_user = $this->loadActingUser($acting_phid);
-
    $xactions = array();

    $xactions[] = $this->newEdgeTransaction(
@ -177,7 +199,7 @@ final class DiffusionUpdateObjectAfterCommitWorker
      ->setMetadataValue('commitPHID', $commit->getPHID());

    $extraction_engine = id(new DifferentialDiffExtractionEngine())
-      ->setViewer($acting_user)
+      ->setViewer($viewer)
      ->setAuthorPHID($acting_phid);

    $content_source = $this->newContentSource();