Allow public users to make intracluster API requests
Summary: Ref T10784. On `secure`, logged-out users currently can't browse repositories when cluster/service mode is enabled because they aren't permitted to make intracluster requests. We don't allow totally public external requests (they're hard to rate limit and users might write bots that polled `feed.query` or whatever which we'd have no way to easily disable) but it's fine to allow intracluster public requests. Test Plan: Browsed a clustered repository while logged out locally. Reviewers: chad Reviewed By: chad Maniphest Tasks: T10784 Differential Revision: https://secure.phabricator.com/D15695
This commit is contained in:
parent
abf37aa979
commit
99be132ea2
2 changed files with 30 additions and 0 deletions
|
@ -402,6 +402,23 @@ final class PhabricatorConduitAPIController
|
|||
$user);
|
||||
}
|
||||
|
||||
|
||||
// For intracluster requests, use a public user if no authentication
|
||||
// information is provided. We could do this safely for any request,
|
||||
// but making the API fully public means there's no way to disable badly
|
||||
// behaved clients.
|
||||
if (PhabricatorEnv::isClusterRemoteAddress()) {
|
||||
if (PhabricatorEnv::getEnvConfig('policy.allow-public')) {
|
||||
$api_request->setIsClusterRequest(true);
|
||||
|
||||
$user = new PhabricatorUser();
|
||||
return $this->validateAuthenticatedUser(
|
||||
$api_request,
|
||||
$user);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
// Handle sessionless auth.
|
||||
// TODO: This is super messy.
|
||||
// TODO: Remove this in favor of token-based auth.
|
||||
|
|
|
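Review bot: The added fallback hands out a public `PhabricatorUser` to every cluster-address request that reaches it without looking at whether the request actually carries credentials, so the comment `// use a public user if no authentication information is provided` describes a check the code does not make, and the sessionless-auth handling that follows (`// Handle sessionless auth.` is the next context line) is skipped for all such callers. If intracluster callers always authenticate through an earlier branch of this method, that is harmless, but the comment should then say so, e.g. `// Cluster callers that authenticate do so above; anything reaching this point is treated as an unauthenticated public request.` Otherwise the fallback should be gated on the absence of the credentials the handlers below consume. Worth noting in the same comment that the exposure is bounded only by how narrowly the cluster address range is configured: any host in that range can now read whatever the public policy permits without presenting a token. The enclosing method starts and ends outside the hunk.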
@ -133,6 +133,19 @@ final class PhabricatorUser
|
|||
}
|
||||
|
||||
public function canEstablishAPISessions() {
|
||||
if ($this->getIsDisabled()) {
|
||||
return false;
|
||||
}
|
||||
|
||||
// Intracluster requests are permitted even if the user is logged out:
|
||||
// in particular, public users are allowed to issue intracluster requests
|
||||
// when browsing Diffusion.
|
||||
if (PhabricatorEnv::isClusterRemoteAddress()) {
|
||||
if (!$this->isLoggedIn()) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
|
||||
if (!$this->isUserActivated()) {
|
||||
return false;
|
||||
}
|
||||
|
|
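Review bot: canEstablishAPISessions() now reads request-scoped state via `PhabricatorEnv::isClusterRemoteAddress()` from inside the user model, so the same PhabricatorUser object answers differently depending on where the current request came from, and nothing documents that. The controller already knows this fact (the sibling hunk calls `$api_request->setIsClusterRequest(true)`), so passing the cluster flag in as a parameter would keep the user model free of request context; failing that, add a docblock above the method: `Whether this user may issue Conduit API calls. A logged-out user is accepted only when the current request originates from a configured cluster address.` The early `return true` also bypasses the `isUserActivated()` check below, which looks intended for a PHID-less public user but should be stated in that comment rather than left implicit. The method body continues past the end of the hunk.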