Since the new management UI (T10922: Upgrading: New Repository UI, APIs, and URI management), we can no longer access our anonymous access repositories over HTTP.
Reproduction steps:
- For a Phabricator-hosted repository, click manage repository
- Go to policies
- Set visible to "Public (no login required)"
- Attempt to clone the repository over HTTP
- git clone http://phabricator.internal/diffusion/CALLSIGN/callsign.git
Expected result:
- Git clone is successful
Actual result:
- Git clone fails with an HTTP 403 error code
- fatal: unable to access 'http://phabricator.internal/diffusion/CALLSIGN/callsign.git/': The requested URL returned error: 403
The only way I have been able to get anonymous HTTP cloning to work is by enabling diffusion.allow-http-auth first, however the docs at https://secure.phabricator.com/book/phabricator/article/diffusion_hosting/ state I should be able to leave this option disabled for anonymous access (specifically the first sentence under "Configuring HTTP which says: "If you plan to serve repositories over authenticated HTTP, you need to set diffusion.allow-http-auth in Config. If you don't plan to serve repositories over HTTP (or plan to use only anonymous HTTP) you can leave this setting disabled.").
Leaving this diffusion.allow-http-auth enabled is not ideal for us because it allows all of our repositories to be cloned over HTTP, not just the ones that we have given anonymous access to. This also causes issues to us that are similarly described in T10517: Make Harbormaster build variables extensible where the default {repository.uri} becomes the HTTP URI instead of the git URI which breaks how we use Harbormaster today.
Versions:
phabricator 08bea1d363fd6b51098b6687f0c7603b2a7f2faa (Thu, May 19) arcanist 2234c8cacc21ce61c9c10e8e5918b6a63cc38fc8 (Mon, May 16) phutil bd56873ae4c0f77d1fabc66289b62dfaa2ca56b5 (Thu, May 19) disqus 6720f9c7bbbed4a2e87ab8bfef9fa6d74bd48626 (Dec 22 2015)