Page MenuHomePhabricator
Create Task
Maniphest T5726

Add more information to story POSTs during the feed.http-hooks hook
Closed, WontfixPublic
Actions

Description

When the feed.http-hook is fired, the HTTP script only gets barebones information. Would be nice to have a storyURI and objectURI (and whatever else is easily accessible and equally useful).

Sample POST is below:

Array
        (
            [storyID] => 719
            [storyType] => PhabricatorApplicationTransactionFeedStory
            [storyData] => Array
                (
                    [objectPHID] => PHID-DREV-3y5ngrx26wfopfrbkyew
                    [transactionPHIDs] => Array
                        (
                            [0] => PHID-XACT-DREV-brw7rovwpvcurdh
                            [1] => PHID-XACT-DREV-prmajp3rypmbtri
                        )

                )

            [storyAuthorPHID] => PHID-USER-s7hj4zduwubpc57fsce6
            [storyText] => user43215 created D109: - fixed some stuff.
            [epoch] => 1406561703
        )

Revisions and Commits

rP Phabricator
AbandonedD10063 (Partial) Provide more useful information on feed.http-hooks
D11046rP9dd0eca335d5 Lock feed.public and feed.http-hooks config options

Related Objects
Search...

Event Timeline

andreas.lekas created this task.Jul 28 2014, 4:34 PM
andreas.lekas raised the priority of this task from to Needs Triage.
andreas.lekas updated the task description. (Show Details)
andreas.lekas added a project: Phabricator.
andreas.lekas added a subscriber: andreas.lekas.
epriestley added a revision: D10063: (Partial) Provide more useful information on feed.http-hooks.Jul 28 2014, 4:35 PM
epriestley added a subscriber: epriestley.Jul 28 2014, 4:38 PM

D10063 is likely a fix, but I need to test the POST part and that'll take more than 5 minutes to set up.

epriestley added a project: Support Impact.Oct 3 2014, 3:55 AM

Support Impact This feature is fairly useless right now for all but the simplest things.

epriestley added a comment.Dec 28 2014, 4:27 PM

One concern about this is that this information is policy-bypassing.

Given that there are basically reasonable approaches for doing Conduit from an arbitrary HTTP-capable client now (T5955), adding more PHIDs/URIs is safe but we should probably remove all the text/markup from these requests. The expectation is that the endpoint receiving the POST will make a Conduit call to feed.query (or similar) in order to retrieve a rendering for the story, under some set of credentials which we can do policy checks for.

This would align this better with existing un-authenticated notification channels, like Aphlict, where you can know that something happened (and get some information about what object(s) it affected) but must be authenticated to learn any substantive details.

epriestley added a revision: D11046: Lock feed.public and feed.http-hooks config options.Dec 28 2014, 4:29 PM
epriestley added a commit: rP9dd0eca335d5: Lock feed.public and feed.http-hooks config options.Dec 29 2014, 4:04 PM
chad removed a project: Phabricator.Dec 29 2014, 10:39 PM
epriestley added a comment.Jan 5 2015, 11:43 PM

Although I don't think this is particularly important, landing some version of D10063 is probably worthwhile since people who try to use it often end up pretty blocked in reasonable use cases. It's only blocked by it being kind of a pain to set up and test.

epriestley triaged this task as Normal priority.Jan 5 2015, 11:49 PM
epriestley mentioned this in Starmap.Apr 15 2015, 11:01 AM
marceldegraaf added a subscriber: marceldegraaf.Apr 23 2015, 9:22 AM
marceldegraaf added a comment.Jun 23 2015, 7:22 PM

@epriestley: this task being fixed might be an easier solution than writing our own Doorkeeper integration (as discussed on Conpherence today). I already have an application that receives feed data via POST; can I help test this change so we can get it merged?

epriestley mentioned this in T10363: Reorient Doorkeeper publishing around transactions instead of feed stories.Feb 16 2016, 1:27 PM
epriestley mentioned this in T5462: How do I publish Phabricator events into remote systems?.Mar 22 2016, 10:55 PM
epriestley mentioned this in T11256: Plan how to split apart instance permissions.Jul 2 2016, 2:33 PM
epriestley mentioned this in T11330: Allow Herald to "Queue Call to Webhook: ...".Aug 29 2016, 2:52 PM
epriestley added a parent task: T11330: Allow Herald to "Queue Call to Webhook: ...".Aug 29 2016, 3:03 PM
epriestley mentioned this in T12290: `arc diff` should copy the differential URL to clipboard.Feb 17 2017, 11:55 PM
epriestley edited projects, added Feed; removed Support Impact.Apr 12 2017, 2:49 PM
epriestley mentioned this in D18467: Allow ModularTransactions to opt in to providing data to Conduit.Aug 24 2017, 9:50 PM
epriestley mentioned this in rP6c9026c33a45: Allow ModularTransactions to opt in to providing data to Conduit.Aug 24 2017, 10:26 PM
arrowd added a subscriber: arrowd.Feb 6 2018, 4:57 PM
In T5726#88706, @epriestley wrote:

One concern about this is that this information is policy-bypassing.

I've digged into code a bit and found this in src/applications/feed/worker/FeedPushWorker.php:

$story = id(new PhabricatorFeedQuery())
      ->setViewer(PhabricatorUser::getOmnipotentUser())
      ...

I'm completely unfamiliar with Phabricator codebase, but it seems honouring policies is as simple as adding feed.user config option and using it instead of OmnipotentUser there.

epriestley closed this task as Wontfix.Feb 9 2018, 1:29 PM
epriestley claimed this task.

I'm planning to build T11330 ("policy-blind" webhooks) instead, and deprecate feed.http-hooks. See that task for details.

Phabricator · Built by Phacility