Prevent creation of inline comments with mismatched changesetID / revisionPHID

Summary: Ref T11092. With Quicksand (or, possibly, some as-yet-unknown non-Quicksand workflow) the client can get stuck with an out-of-date revision PHID. We then save comments with a `revisionPHID` from one revision and a `changesetID` from a different one. Detect and prevent this. This stops the workflow immediately when the use first clicks, so it should allow us to detect this issue if it has some other non-Quicksand cause. Test Plan: - Opened revision `D123`. - Pressed `\` to enable the sidebar and Quicksand. - Clicked a link to revision `D124`. - Added inlines. Previously, these could ghost. The exact UI behavior is difficult to describe, but in the database they end up with a `changesetID` for `D124` but the original `revisionPHID` for `D123`, presumably because state is sticking around from the first page. After this patch, an exception is thrown immediately. Additionally: - Reloaded to clear quicksand state, added comments fine. - Disabled sidebar/quicksand, added comments fine. Reviewers: chad Reviewed By: chad Maniphest Tasks: T11092 Differential Revision: https://secure.phabricator.com/D16031
2024-11-23 15:22:41 +01:00 · 2016-06-03 13:33:43 -07:00 · 2016-06-03 13:33:43 -07:00 · a34b769b4f
commit a34b769b4f
parent 03e54afc14
1 changed files with 24 additions and 3 deletions
--- a/src/applications/differential/controller/DifferentialInlineCommentEditController.php
+++ b/src/applications/differential/controller/DifferentialInlineCommentEditController.php
@ -23,13 +23,34 @@ final class DifferentialInlineCommentEditController
  }

  protected function createComment() {
-    // Verify revision and changeset correspond to actual objects.
+    // Verify revision and changeset correspond to actual objects, and are
+    // connected to one another.
    $changeset_id = $this->getChangesetID();
+    $viewer = $this->getViewer();

    $revision = $this->loadRevision();

-    if (!id(new DifferentialChangeset())->load($changeset_id)) {
-      throw new Exception(pht('Invalid changeset ID!'));
+    $changeset = id(new DifferentialChangesetQuery())
+      ->setViewer($viewer)
+      ->withIDs(array($changeset_id))
+      ->executeOne();
+    if (!$changeset) {
+      throw new Exception(
+        pht(
+          'Invalid changeset ID "%s"!',
+          $changeset_id));
+    }
+
+    $diff = $changeset->getDiff();
+    if ($diff->getRevisionID() != $revision->getID()) {
+      throw new Exception(
+        pht(
+          'Changeset ID "%s" is part of diff ID "%s", but that diff '.
+          'is attached to reivsion "%s", not revision "%s".',
+          $changeset_id,
+          $diff->getID(),
+          $diff->getRevisionID(),
+          $revision->getID()));
    }

    return id(new DifferentialInlineComment())