D15695.id37816.diff

diff --git a/src/applications/conduit/controller/PhabricatorConduitAPIController.php b/src/applications/conduit/controller/PhabricatorConduitAPIController.php
--- a/src/applications/conduit/controller/PhabricatorConduitAPIController.php
+++ b/src/applications/conduit/controller/PhabricatorConduitAPIController.php
@@ -402,6 +402,23 @@
$user);
}
+
+ // For intracluster requests, use a public user if no authentication
+ // information is provided. We could do this safely for any request,
+ // but making the API fully public means there's no way to disable badly
+ // behaved clients.
+ if (PhabricatorEnv::isClusterRemoteAddress()) {
+ if (PhabricatorEnv::getEnvConfig('policy.allow-public')) {
+ $api_request->setIsClusterRequest(true);
+
+ $user = new PhabricatorUser();
+ return $this->validateAuthenticatedUser(
+ $api_request,
+ $user);
+ }
+ }
+
+
// Handle sessionless auth.
// TODO: This is super messy.
// TODO: Remove this in favor of token-based auth.
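Review bot: The new cluster block falls through to an unauthenticated `PhabricatorUser` for every cluster-address request once `policy.allow-public` is on, even though its own comment says this should only happen "if no authentication information is provided" — the sessionless auth path that begins right below it, and any session-based path after that, is never reached for such requests. A cluster peer forwarding a request with caller credentials would therefore be silently downgraded to the public user, and the identity attached to the request is lost without any error. Gate the fallback on the absence of auth metadata before taking it, e.g. `if (!isset($metadata['sessionKey']) && !isset($metadata['authUser'])) {` wrapping the `policy.allow-public` check (the metadata array is read by the sessionless path outside this hunk, so confirm the key names against the surrounding code), or move the whole block after the sessionless and session handling. The two consecutive blank `+` lines closing the block can be collapsed to one. The enclosing method starts and ends outside the hunk.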
@@ -461,7 +478,11 @@
ConduitAPIRequest $request,
PhabricatorUser $user) {
- if (!$user->canEstablishAPISessions()) {
+ if (PhabricatorEnv::isClusterRemoteAddress()) {
+ // Intracluster requests are permitted even if the user could not
+ // directly use the API. In particular, public users are allowed to
+ // issue intracluster requests when browsing Diffusion.
+ } else if (!$user->canEstablishAPISessions()) {
return array(
'ERR-INVALID-AUTH',
pht('User account is not permitted to use the API.'),
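Review bot: The exemption on the new `else if` is keyed on the remote address alone, so it is wider than the public-user case the comment describes: any account reaching `validateAuthenticatedUser` from a cluster address now skips `canEstablishAPISessions()`, whether or not the `policy.allow-public` gate from the first hunk applied and whether or not `setIsClusterRequest(true)` was ever called on the request. If the intent is only to let the public fallback through, tie the exemption to that request flag rather than re-testing the address, e.g. `} else if (!$request->getIsClusterRequest() && !$user->canEstablishAPISessions()) {` (assuming `ConduitAPIRequest` has the getter matching the setter visible in the first hunk). That also removes the empty `if` body that exists only to carry a comment. `validateAuthenticatedUser` continues past the end of the hunk, so whether a disabled account is rejected by a later check cannot be confirmed from here.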
