Page MenuHomePhabricator
Differential D13151

Make CSRF salt per-user instead of per-request
ClosedPublic
Actions

Authored by epriestley on Jun 4 2015, 6:49 PM.
Tags
None
Referenced Files
F15500826: D13151.id31788.diff
Sun, Apr 13, 7:32 PM
F15464928: D13151.id.diff
Wed, Apr 2, 1:07 PM
F15457794: D13151.diff
Sun, Mar 30, 7:02 PM
F15409655: D13151.id.diff
Mar 19 2025, 4:49 AM
F15398850: D13151.id31788.diff
Mar 17 2025, 1:50 AM
F15388795: D13151.id.diff
Mar 15 2025, 4:24 AM
F15387087: D13151.id31788.diff
Mar 15 2025, 1:48 AM
F15384538: D13151.diff
Mar 14 2025, 8:11 PM
View All Files
Subscribers
epriestley

Details

Reviewers
btrahan
Maniphest Tasks
T8326: Scripts may try to access PhabricatorStartup, but can not
T8424: Integrate Spaces into the core policy infrastructure
Commits
Restricted Diffusion Commit
rPe5b923743a13: Make CSRF salt per-user instead of per-request
Summary

Fixes T8326. This removes calls to PhabricatorStartup from places that daemons may access.

This salt doesn't need to be global; it's embedded in the token we return. It's fine if we use a different salt every time. In practice, we always use the same viewer, so this change causes little or no behavioral change.

Ref T8424. For Spaces, I need a per-request cache for all spaces, because they have unusual access patterns and require repeated access, in some cases by multiple viewers.

We don't currently have a per-request in-process cache that we, e.g., clear in the daemons.

We do have a weak/theoretical/forward-looking attempt at this in PhabricatorStartup::getGlobal() but I'm going to throw that away (it's kind of junky, partly because of T8326) and replace it with a more formal mechanism.

Test Plan
  • Submitted some forms.
  • Grepped for csrf.salt.
  • Viewed page source, saw nice CSRF tokens with salt.
  • All the salts are still the same on every page I checked, but it doesn't matter if this isn't true everywhere.

Diff Detail

Repository
rP Phabricator
Branch
spaces1
Lint
Lint Passed
Unit
Tests Passed
Build Status
Buildable 6543
Build 6565: [Placeholder Plan] Wait for 30 Seconds

Event Timeline

epriestley updated this revision to Diff 31788.Jun 4 2015, 6:49 PM
epriestley retitled this revision from to Make CSRF salt per-user instead of per-request.
epriestley updated this object.
epriestley edited the test plan for this revision. (Show Details)
epriestley added a reviewer: btrahan.
epriestley added tasks: T8424: Integrate Spaces into the core policy infrastructure, T8326: Scripts may try to access PhabricatorStartup, but can not.
Herald added a subscriber: epriestley. · View Herald TranscriptJun 4 2015, 6:49 PM
btrahan accepted this revision.Jun 4 2015, 8:27 PM
btrahan edited edge metadata.
This revision is now accepted and ready to land.Jun 4 2015, 8:27 PM
Closed by commit rPe5b923743a13: Make CSRF salt per-user instead of per-request (authored by epriestley, committed by epriestley). · Explain WhyJun 5 2015, 12:26 AM
This revision was automatically updated to reflect the committed changes.
epriestley mentioned this in T8376: Develop Spaces (v1).Jun 5 2015, 12:02 PM

Revision Contents
Changeset List

PathSize
src/
applications/
people/
storage/
13 lines

Diff 31788

View Options

src/applications/people/storage/PhabricatorUser.php

Loading...
Phabricator · Built by Phacility