1. 14 Jan, 2014 1 commit
    • epriestley's avatar
      Separate session management from PhabricatorUser · eef314b7
      epriestley authored
      Summary: Ref T4310. Ref T3720. Session operations are currently part of PhabricatorUser. This is more tightly coupled than needbe, and makes it difficult to establish login sessions for non-users. Move all the session management code to a `SessionEngine`.
      
      Test Plan:
        - Viewed sessions.
        - Regenerated Conduit certificate.
        - Verified Conduit sessions were destroyed.
        - Logged out.
        - Logged in.
        - Ran conduit commands.
        - Viewed sessions again.
      
      Reviewers: btrahan
      
      Reviewed By: btrahan
      
      CC: aran
      
      Maniphest Tasks: T4310, T3720
      
      Differential Revision: https://secure.phabricator.com/D7962
      eef314b7
  2. 19 Dec, 2013 1 commit
    • epriestley's avatar
      Provide convenience method addTextCrumb() to PhabricatorCrumbsView · a5dc9067
      epriestley authored
      Summary: We currently have a lot of calls to `addCrumb(id(new PhabricatorCrumbView())->...)` which can be expressed much more simply with a convenience method. Nearly all crumbs are only textual.
      
      Test Plan:
        - This was mostly automated, then I cleaned up a few unusual sites manually.
        - Bunch of grep / randomly clicking around.
      
      Reviewers: btrahan, chad
      
      Reviewed By: btrahan
      
      CC: hach-que, aran
      
      Differential Revision: https://secure.phabricator.com/D7787
      a5dc9067
  3. 12 Nov, 2013 1 commit
    • epriestley's avatar
      Improve handling of email verification and "activated" accounts · 7f11e8d7
      epriestley authored
      Summary:
      Small step forward which improves existing stuff or lays groudwork for future stuff:
      
        - Currently, to check for email verification, we have to single-query the email address on every page. Instead, denoramlize it into the user object.
          - Migrate all the existing users.
          - When the user verifies an email, mark them as `isEmailVerified` if the email is their primary email.
          - Just make the checks look at the `isEmailVerified` field.
        - Add a new check, `isUserActivated()`, to cover email-verified plus disabled. Currently, a non-verified-but-not-disabled user could theoretically use Conduit over SSH, if anyone deployed it. Tighten that up.
        - Add an `isApproved` flag, which is always true for now. In a future diff, I want to add a default-on admin approval queue for new accounts, to prevent configuration mistakes. The way it will work is:
          - When the queue is enabled, registering users are created with `isApproved = false`.
          - Admins are sent an email, "[Phabricator] New User Approval (alincoln)", telling them that a new user is waiting for approval.
          - They go to the web UI and approve the user.
          - Manually-created accounts are auto-approved.
          - The email will have instructions for disabling the queue.
      
      I think this queue will be helpful for new installs and give them peace of mind, and when you go to disable it we have a better opportunity to warn you about exactly what that means.
      
      Generally, I want to improve the default safety of registration, since if you just blindly coast through the path of least resistance right now your install ends up pretty open, and realistically few installs are on VPNs.
      
      Test Plan:
        - Ran migration, verified `isEmailVerified` populated correctly.
        - Created a new user, checked DB for verified (not verified).
        - Verified, checked DB (now verified).
        - Used Conduit, People, Diffusion.
      
      Reviewers: btrahan
      
      Reviewed By: btrahan
      
      CC: chad, aran
      
      Differential Revision: https://secure.phabricator.com/D7572
      7f11e8d7
  4. 11 Nov, 2013 1 commit
  5. 17 Sep, 2013 1 commit
  6. 20 Aug, 2013 1 commit
  7. 01 Jul, 2013 2 commits
    • epriestley's avatar
      Mostly modernize Conduit logs · c3b21849
      epriestley authored
      Summary:
        - Add GC support to conduit logs.
        - Add Query support to conduit logs.
        - Record the actual user PHID.
        - Show client name.
        - Support querying by specific method, so I can link to this from a setup issue.
      
      @wez, this migration may not be fast. It took about 8 seconds for me to migrate 800,000 rows in the `conduit_methodcalllog` table. This adds a GC which should keep the table at a more manageable size in the future.
      
      You can safely delete all data older than 30 days from this table, although you should do it by `id` instead of `dateCreated` since there's no key on `dateCreated` until this patch.
      
      Test Plan:
        - Ran GC.
        - Looked at log UI.
        - Ran Conduit methods.
      
      Reviewers: btrahan
      
      Reviewed By: btrahan
      
      CC: wez, aran
      
      Differential Revision: https://secure.phabricator.com/D6332
      c3b21849
    • epriestley's avatar
      Modernize most Conduit console interfaces · f82e4b0c
      epriestley authored
      Summary:
      Ref T603. Ref T2625.
      
      Long chain of "doing the right thing" here: I want to clean this up, so I can clean up the Conduit logs, so I can add a setup issue for deprecated method calls, so I can remove deprecated methods, so I can get rid of `DifferentialRevisionListData`, so I can make Differntial policy-aware.
      
      Adds modern infrastructure and UI to all of the Conduit interfaces (except only partially for the logs, that will be the next diff).
      
      Test Plan:
      {F48201}
      {F48202}
      {F48203}
      {F48204}
      {F48206}
      
      This will get further updates in the next diff:
      
      {F48205}
      
      Reviewers: btrahan, chad
      
      Reviewed By: chad
      
      CC: aran
      
      Maniphest Tasks: T603, T2625
      
      Differential Revision: https://secure.phabricator.com/D6331
      f82e4b0c
  8. 31 May, 2013 1 commit
    • Jakub Vrana's avatar
      Store hash of session key · 32f91557
      Jakub Vrana authored
      Summary:
      This prevents security by obscurity.
      If I have read-only access to the database then I can pretend to be any logged-in user.
      
      I've used `PhabricatorHash::digest()` (even though we don't need salt as the hashed string is random) to be compatible with user log.
      
      Test Plan:
      Applied patch.
      Verified I'm still logged in.
      Logged out.
      Logged in.
      
        $ arc tasks
      
      Reviewers: epriestley
      
      Reviewed By: epriestley
      
      CC: aran, Korvin
      
      Differential Revision: https://secure.phabricator.com/D6080
      32f91557
  9. 19 May, 2013 1 commit
    • Gareth Evans's avatar
      Route internal conduit calls if other hosts available · 94e7878a
      Gareth Evans authored
      Summary:
      Ref T2785
      
      Looks for hosts in `conduit.servers` config and if any exist route any conduit calls through any one of the hosts.
      
      Test Plan:
      Make some curl calls to public methods (`conduit.ping`), watch the access log for two requests. Make some calls from the UI that require authentication, watch the access log a bit more.
      
      Also ran the unit tests.
      
      Reviewers: epriestley
      
      Reviewed By: epriestley
      
      CC: aran, Korvin
      
      Maniphest Tasks: T2785
      
      Differential Revision: https://secure.phabricator.com/D5970
      94e7878a
  10. 13 Feb, 2013 2 commits
  11. 09 Feb, 2013 1 commit
    • vrana's avatar
      Convert AphrontTableView to safe HTML · 9b8da737
      vrana authored
      Summary:
      Lots of killed `phutil_escape_html()`.
      
      Done by searching for `AphrontTableView` and then `$rows` (usually) backwards.
      
      Test Plan:
      Looked at homepage.
      
        echo id(new AphrontTableView(array(array('<'))))->render();
      
      Reviewers: epriestley
      
      Reviewed By: epriestley
      
      CC: aran, Korvin
      
      Differential Revision: https://secure.phabricator.com/D4884
      9b8da737
  12. 05 Feb, 2013 1 commit
    • vrana's avatar
      Convert some phutil_escape_html() to hsprintf() · bcf9b9d4
      vrana authored
      Summary:
      In the second phase, I want to get rid of the most of `phutil_escape_html()` calls in favor of plain strings or `PhutilSafeHTML`.
      This is an example of how it could look.
      
      Test Plan: /api/user.whoami
      
      Reviewers: epriestley
      
      Reviewed By: epriestley
      
      CC: aran, Korvin
      
      Maniphest Tasks: T2432
      
      Differential Revision: https://secure.phabricator.com/D4823
      bcf9b9d4
  13. 17 Dec, 2012 1 commit
  14. 11 Dec, 2012 1 commit
    • epriestley's avatar
      Detect missing 'params' in Conduit calls · 0b9c54a6
      epriestley authored
      Summary:
      Suhosin has about 50 options for filtering input variables, doucmented here:
      
      http://www.hardened-php.net/suhosin/configuration.html
      
      The default behavior of Suhosin is to drop the variable entirely if it violates any of the rules, then continue with the request. It doesn't affect 'php://input' and doesn't drop other variables, so it evades existing detection, and we can't figure out that it's happened at runtime. We could add blanket checks (Suhosin enabled + suhosin.filter.action set to nothing means this may happen, and will be undetectable if it does happen) but can't tailor a check or recovery to this specific problem.
      
      Instead, raise a better error in the specific case where we encounter this, which is Conduit calls of "arc diff" of files over 1MB (the default POST limit). In these cases, Suhosin drops the variable entirely. If there is no 'params', scream. We never encounter this case normall (`arc`, including `arc call-conduit`, always sends this parameter) although other clients might omit it. The only exception is the web console with `conduit.ping`, which submits nothing; make it submit something so it keeps working.
      
      See also https://github.com/facebook/phabricator/issues/233#issuecomment-11186074
      
      Test Plan: Brought up a Debian + Suhosin box, verified the behavior of Suhosin, made requests with and without 'params'.
      
      Reviewers: btrahan, vrana
      
      Reviewed By: btrahan
      
      CC: aran
      
      Differential Revision: https://secure.phabricator.com/D4144
      0b9c54a6
  15. 05 Nov, 2012 1 commit
    • vrana's avatar
      Delete license headers from files · ef85f49a
      vrana authored
      Summary:
      This commit doesn't change license of any file. It just makes the license implicit (inherited from LICENSE file in the root directory).
      
      We are removing the headers for these reasons:
      
      - It wastes space in editors, less code is visible in editor upon opening a file.
      - It brings noise to diff of the first change of any file every year.
      - It confuses Git file copy detection when creating small files.
      - We don't have an explicit license header in other files (JS, CSS, images, documentation).
      - Using license header in every file is not obligatory: http://www.apache.org/dev/apply-license.html#new.
      
      This change is approved by Alma Chao (Lead Open Source and IP Counsel at Facebook).
      
      Test Plan: Verified that the license survived only in LICENSE file and that it didn't modify externals.
      
      Reviewers: epriestley, davidrecordon
      
      Reviewed By: epriestley
      
      CC: aran, Korvin
      
      Maniphest Tasks: T2035
      
      Differential Revision: https://secure.phabricator.com/D3886
      ef85f49a
  16. 04 Oct, 2012 1 commit
  17. 13 Aug, 2012 1 commit
    • Bob Trahan's avatar
      Remove shield for Conduit API responses · dd26bc6d
      Bob Trahan authored
      Summary: 'cuz we don't need it and it's lame complexity for API clients of all kinds. Rip the band-aid off now.
      
      Test Plan: used conduit console and verified no more shield. also did some JS stuff around the suite to verify I didn't kill JS
      
      Reviewers: epriestley
      
      Reviewed By: epriestley
      
      CC: aran, Korvin
      
      Maniphest Tasks: T891
      
      Differential Revision: https://secure.phabricator.com/D3265
      dd26bc6d
  18. 28 Jun, 2012 1 commit
    • epriestley's avatar
      Allow 'repository.create' to set description and autoclose · bbfb686d
      epriestley authored
      Summary:
      These are currently not available via Conduit.
      
      Also fix a bug where bad JSON input triggers an error about undefined `$metadata`.
      
      Test Plan: Ran 'repository.create' with and without a description and with and without autoclose. Verified the created repositories had the requested attributes.
      
      Reviewers: btrahan, vrana
      
      Reviewed By: btrahan
      
      CC: aran
      
      Differential Revision: https://secure.phabricator.com/D2881
      bbfb686d
  19. 17 Jun, 2012 1 commit
    • epriestley's avatar
      Allow applications to call Conduit directly · cdd3683e
      epriestley authored
      Summary:
      Sorry this took so long, had a bunch of stuff going on today.
      
      Separate the actual core part of making conduit calls from the controller, so the application can make conduit calls without needing to invoke HTTP or redo auth. Generally, this lets us build more parts of the application on top of Conduit, as appropriate.
      
      This diff can be simplified, but I wanted to unblock you guys first. I'll followup with a cleanup patch once I have a chance.
      
      Test Plan: Ran unit tests, ran calls from the conduit API console, and ran calls over arc.
      
      Reviewers: nodren, 20after4, btrahan, vrana
      
      Reviewed By: 20after4
      
      CC: aran, svemir
      
      Maniphest Tasks: T945
      
      Differential Revision: https://secure.phabricator.com/D2718
      cdd3683e
  20. 01 Jun, 2012 1 commit
    • vrana's avatar
      Move files in Phabricator one level up · 6cc196a2
      vrana authored
      Summary:
      - `kill_init.php` said "Moving 1000 files" - I hope that this is not some limit in `FileFinder`.
      - [src/infrastructure/celerity] `git mv utils.php map.php; git mv api/utils.php api.php`
      - Comment `phutil_libraries` in `.arcconfig` and run `arc liberate`.
      
      NOTE: `arc diff` timed out so I'm pushing it without review.
      
      Test Plan:
      /D1234
      Browsed around, especially in `applications/repository/worker/commitchangeparser` and `applications/` in general.
      
      Auditors: epriestley
      
      Maniphest Tasks: T1103
      6cc196a2
  21. 26 May, 2012 1 commit
    • epriestley's avatar
      Allow restriction of permitted email domains · 557e5086
      epriestley authored
      Summary:
      Allow allowed email addresses to be restricted to certain domains. This implies email must be verified.
      
      This probably isn't QUITE ready for prime-time without a few other tweaks (better administrative tools, notably) but we're nearly there.
      
      Test Plan:
        - With no restrictions:
          - Registered with OAuth
          - Created an account with accountadmin
          - Added an email
        - With restrictions:
          - Tried to OAuth register with a restricted address, was prompted to provide a valid one.
          - Tried to OAuth register with a valid address, worked fine.
          - Tried to accountadmin a restricted address, got blocked.
          - Tried to accountadmin a valid address, worked fine.
          - Tried to add a restricted address, blocked.
          - Tried to add a valid address, worked fine.
          - Created a user with People with an invalid address, got blocked.
          - Created a user with People with a valid address, worked fine.
      
      Reviewers: btrahan, csilvers
      
      Reviewed By: csilvers
      
      CC: aran, joe, csilvers
      
      Maniphest Tasks: T1184
      
      Differential Revision: https://secure.phabricator.com/D2581
      557e5086
  22. 21 May, 2012 2 commits
    • epriestley's avatar
      Bump Conduit server version · 8bbc7242
      epriestley authored
      Summary:
      We introduced a "user.query" call recently which is only about two weeks old. Bump versions so users get a forced upgrade.
      
      Also, we raise a fairly confusing message when the user calls a nonexistent method. This is not the intent; `class_exists()` throws. Tailor this exception more carefully.
      
      Test Plan:
        - Ran `echo {} | arc call-conduit derp.derp`, got a better exception.
        - Bumped version, ran `arc list`, got told to upgrade.
      
      Reviewers: indiefan, nh, vrana, btrahan, jungejason, Makinde
      
      Reviewed By: vrana
      
      CC: aran
      
      Differential Revision: https://secure.phabricator.com/D2527
      8bbc7242
    • epriestley's avatar
      Allow installs to require email verification · 77f546c5
      epriestley authored
      Summary:
      Allow installs to require users to verify email addresses before they can use Phabricator. If a user logs in without a verified email address, they're given instructions to verify their address.
      
      This isn't too useful on its own since we don't actually have arbitrary email registration, but the next step is to allow installs to restrict email to only some domains (e.g., @mycompany.com).
      
      Test Plan:
        - Verification
          - Set verification requirement to `true`.
          - Tried to use Phabricator with an unverified account, was told to verify.
          - Tried to use Conduit, was given a verification error.
          - Verified account, used Phabricator.
          - Unverified account, reset password, verified implicit verification, used Phabricator.
        - People Admin Interface
          - Viewed as admin. Clicked "Administrate User".
          - Viewed as non-admin
        - Sanity Checks
          - Used Conduit normally from web/CLI with a verified account.
          - Logged in/out.
          - Sent password reset email.
          - Created a new user.
          - Logged in with an unverified user but with the configuration set to off.
      
      Reviewers: btrahan, vrana, jungejason
      
      Reviewed By: btrahan
      
      CC: aran, csilvers
      
      Maniphest Tasks: T1184
      
      Differential Revision: https://secure.phabricator.com/D2520
      77f546c5
  23. 30 Apr, 2012 1 commit
  24. 28 Apr, 2012 1 commit
  25. 25 Apr, 2012 1 commit
  26. 09 Mar, 2012 1 commit
    • epriestley's avatar
      Add "final" to all Phabricator "Controller" classes · b2890eeb
      epriestley authored
      Summary:
      These are all unambiguously unextensible. Issues I hit:
      
        - Maniphest Change/Diff controllers, just consolidated them.
        - Some search controllers incorrectly extend from "Search" but should extend from "SearchBase". This has no runtime effects.
        - D1836 introduced a closure, which we don't handle correctly (somewhat on purpose; we target PHP 5.2). See T962.
      
      Test Plan: Ran "testEverythingImplemented" unit test to identify classes extending from `final` classes. Resolved issues.
      
      Reviewers: btrahan
      
      Reviewed By: btrahan
      
      CC: aran, epriestley
      
      Maniphest Tasks: T795
      
      Differential Revision: https://secure.phabricator.com/D1843
      b2890eeb
  27. 22 Feb, 2012 1 commit
    • Bob Trahan's avatar
      OAuth Server enhancements -- more complete access token response and groundwork · af295e0b
      Bob Trahan authored
      for scope
      
      Summary:
      this patch makes the access token response "complete" relative to spec by
      returning when it expires AND that the token_type is in fact 'Bearer'.
      
      This patch also lays the groundwork for scope by fixing the underlying data
      model and adding the first scope checks for "offline_access" relative to expires
      and the "whoami" method.   Further, conduit is augmented to open up individual
      methods for access via OAuth generally to enable "whoami" access.   There's also
      a tidy little scope class to keep track of all the various scopes we plan to
      have as well as strings for display (T849 - work undone)
      
      Somewhat of a hack but Conduit methods by default have SCOPE_NOT_ACCESSIBLE.  We
      then don't even bother with the OAuth stuff within conduit if we're not supposed
      to be accessing the method via Conduit.   Felt relatively clean to me in terms
      of additional code complexity, etc.
      
      Next up ends up being T848 (scope in OAuth) and T849 (let user's authorize
      clients for specific scopes which kinds of needs T850).  There's also a bunch of
      work that needs to be done to return the appropriate, well-formatted error
      codes.  All in due time...!
      
      Test Plan:
      verified that an access_token with no scope doesn't let me see
      anything anymore.  :(  verified that access_tokens made awhile ago expire.  :(
      
      Reviewers: epriestley
      
      Reviewed By: epriestley
      
      CC: aran, epriestley
      
      Maniphest Tasks: T888, T848
      
      Differential Revision: https://secure.phabricator.com/D1657
      af295e0b
  28. 20 Feb, 2012 1 commit
    • Bob Trahan's avatar
      Make conduit read access_token and login the pertinent $user · be66a520
      Bob Trahan authored
      Summary: This makes the oauth server a bunch more useful.
      
      Test Plan:
      - used /oauth/phabricator/diagnose/ and it actually passed!
      - played around with conduit via hacking URL to include access_token on a logged
      out browser
      - linked my account to itself by going to /settings/page/phabricator/, clicking
      "link" account, then cutting and pasting the pertinent ?code=X into
      /oauth/phabricator/login/.
      
      Reviewers: epriestley
      
      Reviewed By: epriestley
      
      CC: aran, epriestley
      
      Maniphest Tasks: T852
      
      Differential Revision: https://secure.phabricator.com/D1644
      be66a520
  29. 14 Feb, 2012 1 commit
    • epriestley's avatar
      Encode "<" and ">" in JSON/Ajax responses to prevent content-sniffing attacks · c8b4bfdc
      epriestley authored
      Summary:
      Some browsers will still sniff content types even with "Content-Type" and
      "X-Content-Type-Options: nosniff". Encode "<" and ">" to prevent them from
      sniffing the content as HTML.
      
      See T865.
      
      Also unified some of the code on this pathway.
      
      Test Plan: Verified Opera no longer sniffs the Conduit response into HTML for
      the test case in T865. Unit tests pass.
      
      Reviewers: cbg, btrahan
      
      Reviewed By: cbg
      
      CC: aran, epriestley
      
      Maniphest Tasks: T139, T865
      
      Differential Revision: https://secure.phabricator.com/D1606
      c8b4bfdc
  30. 13 Jan, 2012 1 commit
    • Bob Trahan's avatar
      Adding an "ssh" client for conduit · cf61f0e3
      Bob Trahan authored
      Summary: ..."ssh" is in quotes 'cuz this is step 1 and there's no ssh in sight
      at the moment.
      
      Test Plan:
      ran api.php PHID-USER-xee4ju2teq7mflitwfcs differential.query a few times...
       - tried valid input, it worked!
       - tried bad input, it worked in that it failed and told me so!
      ran api.php crap_user differential.query a few times...
       - verified error message with respect to crap_user
      ran api.php PHID-USER-xee4ju2teq7mflitwfcs crap_method a few times...
       - verified error message with respect to crap_method
      visited http://phabricator.dev/conduit/method/differential.query a few times...
       - tried valid input, it worked!
      
      Reviewers: epriestley
      
      Reviewed By: epriestley
      
      CC: aran, btrahan, epriestley
      
      Maniphest Tasks: T550
      
      Differential Revision: https://secure.phabricator.com/D1357
      cf61f0e3
  31. 22 Dec, 2011 1 commit
    • epriestley's avatar
      Bump Phabricator server version to 3 · f901befc
      epriestley authored
      Summary: See D1257. Also make the error message more friendly, and remove a very
      very old Facebook-specific error.
      
      Test Plan:
        - Tried to diff with an older arc.
        - Tried to diff with a newer arc.
        - Diffed with the right arc.
      
      Reviewers: btrahan, jungejason, aran
      
      Reviewed By: aran
      
      CC: aran, epriestley
      
      Differential Revision: https://secure.phabricator.com/D1258
      f901befc
  32. 02 Dec, 2011 1 commit
    • epriestley's avatar
      Allow "differential.getcommitmessage" to be called without a revision ID in · 19f2110e
      epriestley authored
      order to generate a template
      
      Summary: See T614. This allows us to generate an empty template by calling
      Conduit, so we can build command-line editing workflows for SVN, Mercurial, and
      conservative-Git.
      
      Test Plan: Used web console to invoke Conduit method; got a reasonable empty
      template out of it.
      
      Reviewers: btrahan, jungejason
      
      Reviewed By: btrahan
      
      CC: aran, epriestley, btrahan
      
      Differential Revision: 1156
      19f2110e
  33. 08 Nov, 2011 1 commit
    • Emil Hesslow's avatar
      Add actAsUser to API · 88dc9c47
      Emil Hesslow authored
      Summary: createrevision creates the revision as the user which certificate is
      used. Add a meta parameter to API calls named actAsUser so one user can create
      revisions for someone else. Right now there is no authentication.
      
      Test Plan: Called createrevision with one users cert and set actAsUser to
      someone else. The revision was created as the actAsUser user.
      
      Reviewers: epriestley, nh, jungejason
      
      Reviewed By: epriestley
      
      CC: aran, epriestley
      
      Differential Revision: 1087
      88dc9c47
  34. 21 Oct, 2011 1 commit
    • epriestley's avatar
      Provide a better error message when a user enters a Conduit parameter string · abb39d06
      epriestley authored
      without quotes around it (and similar)
      
      Summary: See D1010. The API uniformly requires JSON, which is good for
      strictness and predictablity but can be bad for UEX, especially considering that
      we silently continue after failing to decode things. Toss the user a lifeline
      when they make this common mistake.
      
      Test Plan: Ran API calls with invalid and valid inputs. Invalid inputs gave me a
      reasonable error message.
      
      Reviewers: davidreuss, jungejason, nh, tuomaspelkonen, aran
      
      Reviewed By: nh
      
      CC: aran, nh
      
      Differential Revision: 1012
      abb39d06
  35. 17 Aug, 2011 1 commit
    • epriestley's avatar
      Make Herald Rules sticky in X-Herald-Rules · cd3a3bf7
      epriestley authored
      Summary:
      See T354. List every rule which has ever been applied in X-Herald-Rules, not
      just the ones which most recently triggered.
      
      Also some random fixes while I was debugging this:
      
        - When conduit methods throw non-conduit exceptions, make sure they get
      logged.
        - Trigger the Facebook "tasks" backcompat block only if we were going to fail
      (this should reduce the shakniess of the transition).
        - Fix some log spew from the new field stuff.
      
      Test Plan:
        - Created a rule (ID #3) "No Zebras" which triggers for revisions without
      "zebra" in the title.
        - Created a revision without "zebra" in the title, got X-Herald-Rules: <2>,
      <3>
        - Updated revision to have "zebra" in the title, verified rule did not trigger
      in Herald transcript.
        - Verified X-Herald-Rules is still: <2>, <3>
      
      Reviewed By: aran
      Reviewers: aran, jungejason, tuomaspelkonen
      CC: aran, epriestley
      Differential Revision: 817
      cd3a3bf7
  36. 16 Aug, 2011 1 commit
    • epriestley's avatar
      Create AphrontWriteGuard, a backup mechanism for CSRF validation · 39b4d20c
      epriestley authored
      Summary:
      Provide a catchall mechanism to find unprotected writes.
      
        - Depends on D758.
        - Similar to WriteOnHTTPGet stuff from Facebook's stack.
        - Since we have a small number of storage mechanisms and highly structured
      read/write pathways, we can explicitly answer the question "is this page
      performing a write?".
        - Never allow writes without CSRF checks.
        - This will probably break some things. That's fine: they're CSRF
      vulnerabilities or weird edge cases that we can fix. But don't push to Facebook
      for a few days unless you're prepared to deal with this.
        - **>>> MEGADERP: All Conduit write APIs are currently vulnerable to CSRF!
      <<<**
      
      Test Plan:
        - Ran some scripts that perform writes (scripts/search indexers), no issues.
        - Performed normal CSRF submits.
        - Added writes to an un-CSRF'd page, got an exception.
        - Executed conduit methods.
        - Did login/logout (this works because the logged-out user validates the
      logged-out csrf "token").
        - Did OAuth login.
        - Did OAuth registration.
      
      Reviewers: pedram, andrewjcg, erling, jungejason, tuomaspelkonen, aran,
      codeblock
      Commenters: pedram
      CC: aran, epriestley, pedram
      Differential Revision: 777
      39b4d20c
  37. 30 Jul, 2011 1 commit
    • epriestley's avatar
      Provide a paste.create Conduit method · 10486691
      epriestley authored
      Summary:
        - Allow the console to handle abstract classes correctly.
        - Move paste dictionary generation to an abstract base class.
        - Add paste.create.
        - Add 'objectName', 'parentPHID', and 'content' to Paste info dictionaries
      (you can use filePHID with file.download to get the content but I think just
      always sending it back is reasonable).
      
      Test Plan:
        - Use paste.create to create new pastes.
        - Used paste.info to get existing pastes.
        - Checked console UI to make sure "paste." didn't show up or anything
      silly/dumb like that.
        - Tried to call the method "paste" and got the right exception.
      
      Reviewed By: codeblock
      Reviewers: codeblock, jungejason, tuomaspelkonen, aran
      CC: aran, codeblock
      Differential Revision: 747
      10486691