From c797f9511aef6b49bc872531305e2cf57f947dca Mon Sep 17 00:00:00 2001
From: tuomaspelkonen
Date: Thu, 7 Apr 2011 17:03:41 -0700
Subject: [PATCH] Users cannot attach diffs to revisions they don't own anymore.

Summary: Users were able to accidentally update revisions they didn't own. Now it is impossible to update a revision that belongs to someone else or has been marked as committed.

Test Plan: Tested that normal workflow works as previously, but after running 'arc amend', running 'arc diff' fails. Manually changed the revision number in the git commit message and tried to update something that belongs to Jason -> Failed.

Reviewed By: epriestley

Reviewers: epriestley

CC: jungejason, epriestley, tuomaspelkonen

Differential Revision: 112
---
 .../ConduitAPI_differential_updaterevision_Method.php | 10 +++++++++-
 .../method/differential/updaterevision/__init__.php | 1 +
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/src/applications/conduit/method/differential/updaterevision/ConduitAPI_differential_updaterevision_Method.php b/src/applications/conduit/method/differential/updaterevision/ConduitAPI_differential_updaterevision_Method.php
index 0eeae59a66..7acc5824c9 100644
--- a/src/applications/conduit/method/differential/updaterevision/ConduitAPI_differential_updaterevision_Method.php
+++ b/src/applications/conduit/method/differential/updaterevision/ConduitAPI_differential_updaterevision_Method.php
@@ -39,6 +39,8 @@ class ConduitAPI_differential_updaterevision_Method extends ConduitAPIMethod {
 return array(
 'ERR_BAD_DIFF' => 'Bad diff ID.',
 'ERR_BAD_REVISION' => 'Bad revision ID.',
+ 'ERR_WRONG_USER' => 'You are not the author of this revision.',
+ 'ERR_COMMITTED' => 'This revision has already been committed.',
 );
 }
@@ -50,7 +52,13 @@ class ConduitAPI_differential_updaterevision_Method extends ConduitAPIMethod {
 $revision = id(new DifferentialRevision())->load($request->getValue('id'));
- // TODO: verify owned, non-committed, etc.
+ if ($request->getUser()->getPHID() !== $revision->getAuthorPHID()) {
+ throw new ConduitException('ERR_WRONG_USER');
+ }
+
+ if ($revision->getStatus() == DifferentialRevisionStatus::COMMITTED) {
+ throw new ConduitException('ERR_COMMITTED');
+ }
 $editor = new DifferentialRevisionEditor(
 $revision,
diff --git a/src/applications/conduit/method/differential/updaterevision/__init__.php b/src/applications/conduit/method/differential/updaterevision/__init__.php
index 7ed1c36973..96f0fe8ce3 100644
--- a/src/applications/conduit/method/differential/updaterevision/__init__.php
+++ b/src/applications/conduit/method/differential/updaterevision/__init__.php
@@ -8,6 +8,7 @@ phutil_require_module('phabricator', 'applications/conduit/method/base');
 phutil_require_module('phabricator', 'applications/conduit/protocol/exception');
+phutil_require_module('phabricator', 'applications/differential/constants/revisionstatus');
 phutil_require_module('phabricator', 'applications/differential/editor/revision');
 phutil_require_module('phabricator', 'applications/differential/storage/diff');
 phutil_require_module('phabricator', 'applications/differential/storage/revision');
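Review bot: The first added line dereferences `$revision->getAuthorPHID()` directly after `id(new DifferentialRevision())->load($request->getValue('id'))`, and the context lines between them contain no null check, so a request with an unknown revision id would reach the author comparison with `$revision` null instead of producing the `ERR_BAD_REVISION` error this method already defines (unless that check lives outside the hunk, which is not visible here). Consider guarding before the ownership check with `if (!$revision) { throw new ConduitException('ERR_BAD_REVISION'); }`. The two new guards also differ in comparison strictness: the author check uses `!==` while the status check uses `==` against `DifferentialRevisionStatus::COMMITTED`; if `getStatus()` may come back from storage as a string while the constant is an int, the loose comparison may be intentional, but a one-line comment stating that would keep the next reader from "fixing" it. The enclosing method starts and ends outside the hunk.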