@recaptime-dev's working patches + fork for Phorge, a community fork of Phabricator. (Upstream dev and stable branches are at upstream/main and upstream/stable respectively.) hq.recaptime.dev/wiki/Phorge

Pass a real viewer to HeraldAdapter when doing test console runs

Summary:
Depends on D18932. Ref T13048. See PHI276. In the cluster, we don't have device keys on `web` nodes. This is generally good, since they don't need them, and it means that we aren't putting more credentials than we need on those hosts.

However, it means that when we pull diff content to test "Commit" rules via the Herald test console, we use the omnipotent user and try to use device credentials, and this fails since we don't have any.

Instead, pass the real viewer in this case so we just sign the request as them, like we do for normal Diffusion requests.

Test Plan:
Wrote and ran a commit content rule locally, no issues.

This isn't completely convincing since my local setup does have device credentials, but I'll double-check in production once this deploys.

Reviewers: amckinley

Reviewed By: amckinley

Maniphest Tasks: T13048

Differential Revision: https://secure.phabricator.com/D18933

+24 -2
+1 -1
src/applications/diffusion/herald/HeraldCommitAdapter.php
··· 209 209 } 210 210 211 211 private function loadCommitDiff() { 212 - $viewer = PhabricatorUser::getOmnipotentUser(); 212 + $viewer = $this->getViewer(); 213 213 214 214 $byte_limit = self::getEnormousByteLimit(); 215 215 $time_limit = self::getEnormousTimeLimit();
+20
src/applications/herald/adapter/HeraldAdapter.php
··· 38 38 private $actionMap; 39 39 private $edgeCache = array(); 40 40 private $forbiddenActions = array(); 41 + private $viewer; 41 42 42 43 public function getEmailPHIDs() { 43 44 return array_values($this->emailPHIDs); ··· 55 56 return $this; 56 57 } 57 58 59 + public function setViewer(PhabricatorUser $viewer) { 60 + $this->viewer = $viewer; 61 + return $this; 62 + } 63 + 64 + public function getViewer() { 65 + // See PHI276. Normally, Herald runs without regard for policy checks. 66 + // However, we use a real viewer during test console runs: this makes 67 + // intracluster calls to Diffusion APIs work even if web nodes don't 68 + // have privileged credentials. 69 + 70 + if ($this->viewer) { 71 + return $this->viewer; 72 + } 73 + 74 + return PhabricatorUser::getOmnipotentUser(); 75 + } 76 + 58 77 public function setContentSource(PhabricatorContentSource $content_source) { 59 78 $this->contentSource = $content_source; 60 79 return $this; 61 80 } 81 + 62 82 public function getContentSource() { 63 83 return $this->contentSource; 64 84 }
+3 -1
src/applications/herald/controller/HeraldTestConsoleController.php
··· 39 39 $object = $this->getTestObject(); 40 40 $adapter = $this->getTestAdapter(); 41 41 42 - $adapter->setIsNewObject(false); 42 + $adapter 43 + ->setIsNewObject(false) 44 + ->setViewer($viewer); 43 45 44 46 $rules = id(new HeraldRuleQuery()) 45 47 ->setViewer($viewer)
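Review bot: In src/applications/diffusion/herald/HeraldCommitAdapter.php, loadCommitDiff() now runs as whatever getViewer() returns, so on the test console path the diff load is made as the real viewer, and the visible lines show no handling for a viewer who cannot see the commit. Worth confirming that this case surfaces as a clean error in the console rather than an unhandled exception, and adding it to the test plan, which currently covers only a local run where device credentials are present.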
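Review bot: In src/applications/herald/adapter/HeraldAdapter.php, getViewer() silently falls back to PhabricatorUser::getOmnipotentUser() when no viewer was set, so a call site reading `$this->getViewer()` looks policy-checked but is omnipotent everywhere except the test console. Consider moving the explanatory comment into a docblock on the method so callers and subclasses see it, or choosing a name that makes the fallback explicit. The blank line added before getContentSource() is an unrelated whitespace change and could be left out of this revision.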
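Review bot: In src/applications/herald/controller/HeraldTestConsoleController.php, `->setViewer($viewer)` is applied only after getTestAdapter() has returned, so anything the adapter loads while it is being built still runs as the omnipotent user. If getTestAdapter() can trigger loads, pass the viewer in there instead. The chained call also relies on setIsNewObject() returning `$this`, which this diff does not show, so that is worth confirming.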