
Replacement for actAsUser in Conduit API
Closed, Wontfix, Public

Description

We have an internal tool that uses the Conduit API to let users file tasks against other users.

Previously, we were able to use actAsUser to set the author of the task to be the person using the tool. Since D13120, all tasks created with this tool have had the same author.

We would like some way to record who used this tool to create the task.

Event Timeline

jhurwitz raised the priority of this task from to Needs Triage.
jhurwitz updated the task description.
jhurwitz added projects: Conduit, Restricted Project.
jhurwitz added subscribers: jhurwitz, angie.
jhurwitz added a subscriber: akhilravidas.

We don't plan to restore actAsUser in any form to the upstream, since it violates policies and cannot be made safe (in the sense of not-policy-violating).

Some alternatives are:

  • Use a bot user, and record the proxy author in a custom field, in the description, or in a comment.
  • Use OAuth, after T7303 or similar (currently, OAuth works but only supports user.whoami, since we haven't fully sorted out the permissions model; there's also no JS client written yet).
  • Write a custom endpoint that generates an API token for an arbitrary user. Like actAsUser, this represents a huge reduction in the strength of the security model.
epriestley claimed this task.

See above.

angie moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board. Sep 10 2015, 4:53 PM
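The first alternative listed above (a bot user that records the proxy author in the description), sketched as an added example that is not part of the original thread or of Phabricator's code. It assumes the tool already authenticates its own users; the marker text, username pattern and placeholder token and PHID values are constructed for illustration, and `title`, `description` and `ownerPHID` are parameters of Conduit's `maniphest.createtask` method.

```python
import re

# Assumed, tool-specific values (not from the thread).
MARKER = "Filed via internal tool on behalf of: "
USERNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def build_description(proxy_author, user_text):
    """Prefix the task body with an attribution line the submitter cannot forge.

    proxy_author must come from the tool's own authenticated session,
    never from a form field the user controls.
    """
    # Reject anything that is not a plain username, so a value containing
    # newlines or markup cannot rewrite the attribution line.
    if not USERNAME_RE.fullmatch(proxy_author):
        raise ValueError("proxy author is not a plain username")

    safe_lines = []
    for line in user_text.replace("\r\n", "\n").replace("\r", "\n").split("\n"):
        # Quote any line in the user's text that imitates the marker, so the
        # only unquoted attribution line is the one the tool wrote.
        if line.strip().lower().startswith(MARKER.strip().lower()):
            line = "> " + line
        safe_lines.append(line)

    return MARKER + "@" + proxy_author + "\n\n" + "\n".join(safe_lines)


def build_createtask_request(bot_token, proxy_author, title, user_text, owner_phid):
    """Return the Conduit path and parameters for a task filed by the bot user.

    The bot's token stays on the server; the task's author is the bot and the
    human requester is recorded only in the description.
    """
    params = {
        "api.token": bot_token,
        "title": title,
        "description": build_description(proxy_author, user_text),
        "ownerPHID": owner_phid,
    }
    return "/api/maniphest.createtask", params


if __name__ == "__main__":
    path, params = build_createtask_request(
        "api-PLACEHOLDER", "jhurwitz", "Broken build",
        "Build fails on master.", "PHID-USER-placeholder")
    print(path)
    print(params["description"])
```

The tool would POST these parameters form-encoded to its Phabricator host over HTTPS. The task's real author remains the bot, so policy checks run against the bot's permissions rather than the requester's.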