mirror of
https://we.phorge.it/source/phorge.git
synced 2024-11-10 00:42:41 +01:00
In Audit, use repository identities to prevent author-auditors
Summary: See PHI2015. Diffusion attempts to prevent a commit's author from being made an auditor, but currently uses an out-of-date method for identifying the author. Use the modern ("Repository Identity" aware) method instead. Test Plan: - Authored a commit as user "X", mapped to my account. - Pushed/imported/discovered it. - Changed the identity mapping for "X" from my account to a different account. - Tried to add myself as an auditor. - Before: error, "author can't be an auditor". - After: succeeds. - Tried to add the newly mapped user as an auditor. This correctly fails with the "author can't be an auditor" error. It's possible to put commits into a wonky state by remapping the author identity to a user who is already an auditor, but I think that isn't important and we can't do much about it, realistically. Differential Revision: https://secure.phabricator.com/D21594
This commit is contained in:
parent
9b6a030292
commit
a9704428ff
1 changed files with 1 additions and 1 deletions
|
@ -182,7 +182,7 @@ final class DiffusionCommitAuditorsTransaction
|
|||
return $errors;
|
||||
}
|
||||
|
||||
$author_phid = $object->getAuthorPHID();
|
||||
$author_phid = $object->getEffectiveAuthorPHID();
|
||||
$can_author_close_key = 'audit.can-author-close-audit';
|
||||
$can_author_close = PhabricatorEnv::getEnvConfig($can_author_close_key);
|
||||
|
||||
|
|
Loading…
Reference in a new issue