Plans: 2018 Week 10 Bonus Content
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	epriestley
	Mar 5 2018, 3:20 PM

Description

See T13096. An install is experiencing a cluster synchronization issue on one node, but the immediate symptom is a held lock.

See PHI410. See PHI348. Multiple installs would like API access to the commit which closes a revision.

See PHI417. An install would like to contextualize the "landed irresponsibly" stories from feed. (I plan to just hide these, there's just a bit of a technical trick which makes it non-trivial.)

Entering MFA credentials during an OAuth server redirect workflow can currently be blocked by the CSP.

See T13100. See support@ email thread about being unable to edit a revision. This is PCRE shenanigans.

See PHI423. An install would like T11015 fixed properly. PHI254 also touches on this.

See PHI424. Another install would like T11664 and I think we have enough interest in this now to just bite the bullet.

It would be nice to fix T12590 alongside the other Owners changes.

See T13101. See https://discourse.phabricator-community.org/t/meme-remarkup-tag-no-longer-working-after-upgrading-to-2018-w09/1210. The {meme ...} Remarkup composer currently violates the Content-Security-Policy if a CDN domain is configured. The {img ...} imageproxy rule also violates the Content-Security-Policy for similar reasons. See also PHI437, sort of.

See PHI432. An install would like to query repositories by short name.

See PHI434. The "Strip MFA" workflow in the cluster doesn't properly dirty the user enrollment cache. This is a Phacility-specific issue with our instance management toolset.

Revisions and Commits

rP Phabricator
	D19202	rPfc1ee20efe44 Support repository query by short name in Diffusion
	D19191	rPa4cc1373d3a2 Use a tokenizer, not a gigantic poorly-ordered "<select />", to choose…
	D19188	rP05b9016fc385 (stable) Restore lightbox behavior for thumbnailed images
	D19188	rP229d4677701a Restore lightbox behavior for thumbnailed images
	D19180	rPd14a0f4787b5 Add "All" and "With Non-Owner Author" options for all Owners Package autoreview…
	D19179	rPe57dbcda336a Hide "abraham landed Dxyz irresponsibly" stories from feed
	D19177	rP9356a993a8a0 (stable) Perform a client-side redirect after OAuth server authorization
	D19177	rPdbccfb234f8d Perform a client-side redirect after OAuth server authorization
	D19176	rPf3928962096c Return commit information for Revision "close" and "update" transactions over…
	D19175	rP743d1ac426fb Mostly modularize the Differential "update" transaction

Related Objects

Mentioned In: 2018 Week 10 (Early March)
T13101: The "{img ...}" and "{meme ...}" remarkup rules violate the new Content-Security-Policy
rP18708bb59a72: (stable) Remove client OAuth redirect code which was only partially cleaned up
rP9462f8aa8908: Remove client OAuth redirect code which was only partially cleaned up
Mentioned Here: T13102: Plans: 2018 Week 11 Bonus Content
T731: Allow revisions to have alternate acceptance conditions
T13101: The "{img ...}" and "{meme ...}" remarkup rules violate the new Content-Security-Policy
T12590: Owners expects users to choose a repository with a <select /> that lists every repository in ID order
T13100: PCRE segfaults readily with default "pcre.backtrack_limit" and "pcre.recursion_limit" values
T11664: Add option to allow owner packages to be added as reviewers to diffs, when the diff author is in the owner package
T11015: Owners has perplexing behavior when directory paths are not terminated with a slash
T13096: Implement a global lock log to make it easier to debug global locks

Event Timeline

epriestley triaged this task as Normal priority.Mar 5 2018, 3:20 PM

epriestley created this task.

Herald added subscribers: faulconbridge, eadler. · View Herald TranscriptMar 5 2018, 3:20 PM

epriestley moved this task from Backlog to Soon on the Plans board.Mar 5 2018, 3:20 PM

epriestley updated the task description. (Show Details)Mar 5 2018, 6:09 PM

PHI410 and PHI348 are both related to Differential's TYPE_UPDATE transaction. This is essentially the only Differential transaction which has not moved to ModularTransactions.

Actually, neither cares about TYPE_UPDATE -- they both care about the "close", but I'm most of the way through the TYPE_UPDATE change anyway so uhhh I've learned an important lesson about reading?

epriestley added a revision: D19175: Mostly modularize the Differential "update" transaction.Mar 6 2018, 4:36 PM

epriestley added a commit: rP743d1ac426fb: Mostly modularize the Differential "update" transaction.Mar 6 2018, 5:10 PM

epriestley updated the task description. (Show Details)Mar 6 2018, 5:11 PM

epriestley added a revision: D19176: Return commit information for Revision "close" and "update" transactions over the Conduit API.

epriestley added a commit: rPf3928962096c: Return commit information for Revision "close" and "update" transactions over….Mar 6 2018, 5:13 PM

epriestley updated the task description. (Show Details)Mar 6 2018, 5:31 PM

Entering MFA credentials during an OAuth server redirect workflow can currently be blocked by the CSP.

This is kind of a mess. The flow here is:

You visit turtle.phacility.com while logged out.
This redirects you to admin.phacility.com and you get a login screen.
You login, then you get sent to an MFA form.
You submit the MFA form.
We try to redirect you back to turtle.phacility.com.

Firefox and Safari are fine with this. Chrome, only, is not. Chrome requires any redirect destination after form submission to adhere to the form-action policy.

Chrome's behavior doesn't immediately make sense to me, and Mozilla's documentation warns about this and points at https://github.com/w3c/webappsec-csp/issues/8.

The easiest fix here is probably to just return an interstitial. Given the way this works, the MFA form currently has no clue that you're going to be redirected by OAuth when it renders, so we can't easily guess that the CSP needs the OAuth destination. We could parse the next cookie and see if it's /oauth/server/... but that feels unbelievably fragile.

epriestley added a revision: D19177: Perform a client-side redirect after OAuth server authorization.Mar 6 2018, 6:31 PM

epriestley updated the task description. (Show Details)Mar 6 2018, 7:38 PM

epriestley added a commit: rPdbccfb234f8d: Perform a client-side redirect after OAuth server authorization.Mar 6 2018, 8:18 PM

epriestley added a commit: rP9356a993a8a0: (stable) Perform a client-side redirect after OAuth server authorization.

epriestley updated the task description. (Show Details)Mar 6 2018, 8:28 PM

epriestley updated the task description. (Show Details)Mar 6 2018, 8:38 PM

epriestley added a revision: D19179: Hide "abraham landed Dxyz irresponsibly" stories from feed.Mar 7 2018, 1:41 AM

epriestley added a commit: rPe57dbcda336a: Hide "abraham landed Dxyz irresponsibly" stories from feed.Mar 7 2018, 1:48 AM

epriestley updated the task description. (Show Details)Mar 7 2018, 2:56 AM

epriestley added a revision: D19180: Add "All" and "With Non-Owner Author" options for all Owners Package autoreview rules.Mar 7 2018, 2:59 AM

epriestley added a commit: rPd14a0f4787b5: Add "All" and "With Non-Owner Author" options for all Owners Package autoreview….Mar 7 2018, 3:02 AM

epriestley updated the task description. (Show Details)Mar 7 2018, 4:33 AM