
D15695.id37831.diff


diff --git a/src/applications/conduit/controller/PhabricatorConduitAPIController.php b/src/applications/conduit/controller/PhabricatorConduitAPIController.php
--- a/src/applications/conduit/controller/PhabricatorConduitAPIController.php
+++ b/src/applications/conduit/controller/PhabricatorConduitAPIController.php
@@ -402,6 +402,23 @@
$user);
}
+
+ // For intracluster requests, use a public user if no authentication
+ // information is provided. We could do this safely for any request,
+ // but making the API fully public means there's no way to disable badly
+ // behaved clients.
+ if (PhabricatorEnv::isClusterRemoteAddress()) {
+ if (PhabricatorEnv::getEnvConfig('policy.allow-public')) {
+ $api_request->setIsClusterRequest(true);
+
+ $user = new PhabricatorUser();
+ return $this->validateAuthenticatedUser(
+ $api_request,
+ $user);
+ }
+ }
+
+
// Handle sessionless auth.
// TODO: This is super messy.
// TODO: Remove this in favor of token-based auth.
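Review bot: The new intracluster branch returns before the "Handle sessionless auth" block that follows it, so a request from a cluster address that does carry sessionless auth parameters is answered as the public user rather than as the authenticated caller — the comment's "if no authentication information is provided" is not actually enforced by the guard, which only tests the remote address and `policy.allow-public`. Unless an earlier branch outside the hunk already consumes those parameters, the block should move below the sessionless-auth handling, or gate explicitly on the absence of auth parameters before falling back to `new PhabricatorUser()`. A second-order point worth a comment is that `isClusterRemoteAddress()` is only as trustworthy as the address the web server reports, so a proxy or load balancer in front of the host makes this fallback depend on correct forwarded-address configuration; suggest `// NOTE: relies on REMOTE_ADDR being the real peer; verify proxy configuration.` The two consecutive blank lines at the end of the added block are a style nit. The enclosing method begins and ends outside the hunk.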
diff --git a/src/applications/people/storage/PhabricatorUser.php b/src/applications/people/storage/PhabricatorUser.php
--- a/src/applications/people/storage/PhabricatorUser.php
+++ b/src/applications/people/storage/PhabricatorUser.php
@@ -133,6 +133,19 @@
}
public function canEstablishAPISessions() {
+ if ($this->getIsDisabled()) {
+ return false;
+ }
+
+ // Intracluster requests are permitted even if the user is logged out:
+ // in particular, public users are allowed to issue intracluster requests
+ // when browsing Diffusion.
+ if (PhabricatorEnv::isClusterRemoteAddress()) {
+ if (!$this->isLoggedIn()) {
+ return true;
+ }
+ }
+
if (!$this->isUserActivated()) {
return false;
}
