
In Audit, use repository identities to prevent author-auditors
Closed, Public

Authored by epriestley on Mar 4 2021, 5:32 PM.

Details

Summary

See PHI2015. Diffusion attempts to prevent a commit's author from being made an auditor, but currently uses an out-of-date method for identifying the author.

Use the modern ("Repository Identity" aware) method instead.

Test Plan
  • Authored a commit as user "X", mapped to my account.
  • Pushed/imported/discovered it.
  • Changed the identity mapping for "X" from my account to a different account.
  • Tried to add myself as an auditor.
    • Before: error, "author can't be an auditor".
    • After: succeeds.
  • Tried to add the newly mapped user as an auditor. This correctly fails with the "author can't be an auditor" error.

It's possible to put commits into a wonky state by remapping the author identity to a user who is already an auditor, but I think that isn't important and we can't do much about it, realistically.

Diff Detail

Repository
rP Phabricator
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

This revision was not accepted when it landed; it landed in state Needs Review. (Mar 4 2021, 5:33 PM)
epriestley requested review of this revision.
This revision was automatically updated to reflect the committed changes.