@recaptime-dev's working patches + fork for Phorge, a community fork of Phabricator. (Upstream dev and stable branches are at upstream/main and upstream/stable respectively.) hq.recaptime.dev/wiki/Phorge

Allow public users to make intracluster API requests

Summary:
Ref T10784. On `secure`, logged-out users currently can't browse repositories when cluster/service mode is enabled because they aren't permitted to make intracluster requests.

We don't allow totally public external requests (they're hard to rate limit and users might write bots that polled `feed.query` or whatever which we'd have no way to easily disable) but it's fine to allow intracluster public requests.

Test Plan: Browsed a clustered repository while logged out locally.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T10784

Differential Revision: https://secure.phabricator.com/D15695

+30
+17
src/applications/conduit/controller/PhabricatorConduitAPIController.php
··· 402 402 $user); 403 403 } 404 404 405 + 406 + // For intracluster requests, use a public user if no authentication 407 + // information is provided. We could do this safely for any request, 408 + // but making the API fully public means there's no way to disable badly 409 + // behaved clients. 410 + if (PhabricatorEnv::isClusterRemoteAddress()) { 411 + if (PhabricatorEnv::getEnvConfig('policy.allow-public')) { 412 + $api_request->setIsClusterRequest(true); 413 + 414 + $user = new PhabricatorUser(); 415 + return $this->validateAuthenticatedUser( 416 + $api_request, 417 + $user); 418 + } 419 + } 420 + 421 + 405 422 // Handle sessionless auth. 406 423 // TODO: This is super messy. 407 424 // TODO: Remove this in favor of token-based auth.
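Review bot: the new block's condition does not match its own comment. The comment says a public user is substituted "if no authentication information is provided", but the code only tests `PhabricatorEnv::isClusterRemoteAddress()` and `policy.allow-public` and then returns early, so an intracluster request that does carry credentials for the branches that follow (`// Handle sessionless auth.` and the token-based path) is turned into a fresh `new PhabricatorUser()` before those credentials are ever examined. Either guard the block on the auth parameters being absent, or move it below the sessionless/token branches so it acts as the fallback the comment describes.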
+13
src/applications/people/storage/PhabricatorUser.php
··· 133 133 } 134 134 135 135 public function canEstablishAPISessions() { 136 + if ($this->getIsDisabled()) { 137 + return false; 138 + } 139 + 140 + // Intracluster requests are permitted even if the user is logged out: 141 + // in particular, public users are allowed to issue intracluster requests 142 + // when browsing Diffusion. 143 + if (PhabricatorEnv::isClusterRemoteAddress()) { 144 + if (!$this->isLoggedIn()) { 145 + return true; 146 + } 147 + } 148 + 136 149 if (!$this->isUserActivated()) { 137 150 return false; 138 151 }
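Review bot: the `isClusterRemoteAddress()` branch returns `true` for any user object that is not logged in, before `isUserActivated()` runs, so the method's correctness now rests on `isLoggedIn()` being false only for the anonymous public user and on the cluster remote-address check being strict. Worth saying in the comment that this path is intended to be reached only through the public-user fallback in `PhabricatorConduitAPIController`, and extending the test plan with the rejecting case (a logged-out request from a non-cluster address), since "Browsed a clustered repository while logged out locally" covers only the permitted case.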