Policy - lock down loadCommit() from DiffusionRequest objects

Summary: Ref T7094. The class DiffusionRequest has other public methods which use getUser() in an unguarded way. Code inspection of the call sites for loadCommit() also leads me to believe the $user is properly set.

Test Plan: clicked around diffusion a bunch and everything seemed to work okay. (happy to test any particular esoteric endpoints that come to mind)

Reviewers: epriestley

Reviewed By: epriestley

Subscribers: Korvin, epriestley

Maniphest Tasks: T7094

Differential Revision: https://secure.phabricator.com/D11585

src/applications/diffusion/request/DiffusionRequest.php

@@ -387,12 +387,11 @@ abstract class DiffusionRequest {
     if (empty($this->repositoryCommit)) {
       $repository = $this->getRepository();
 
-      // TODO: (T603) This should be a real query, but we need to sort out
-      // the viewer.
-      $commit = id(new PhabricatorRepositoryCommit())->loadOneWhere(
-        'repositoryID = %d AND commitIdentifier = %s',
-        $repository->getID(),
-        $this->getStableCommit());
+      $commit = id(new DiffusionCommitQuery())
+        ->setViewer($this->getUser())
+        ->withRepositoryIDs(array($repository->getID()))
+        ->withIdentifiers(array($this->getStableCommit()))
+        ->executeOne();
       if ($commit) {
         $commit->attachRepository($repository);
       }