Make Differential views capability-sensitive

Summary:
Ref T603. Make Differential behaviors for logged-out and underprivleged users more similar to other apps.

I'm going to drop this "anonymous access" thing at some point, but `reviews.fb.net` actually looks like it's running semi-modern code, so leave it alive until we have a more compelling replacement in the upstream.

Test Plan: As a logged out user, browsed Differential and clicked things and such.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran

Maniphest Tasks: T603

Differential Revision: https://secure.phabricator.com/D7148

src/applications/differential/controller/DifferentialChangesetViewController.php

@@ -3,7 +3,15 @@
 final class DifferentialChangesetViewController extends DifferentialController {
 
   public function shouldRequireLogin() {
-    return !$this->allowsAnonymousAccess();
+    if ($this->allowsAnonymousAccess()) {
+      return false;
+    }
+
+    return parent::shouldRequireLogin();
+  }
+
+  public function shouldAllowPublic() {
+    return true;
   }
 
   public function processRequest() {
@@ -28,6 +36,17 @@ final class DifferentialChangesetViewController extends DifferentialController {
       return new Aphront404Response();
     }
 
+    // TODO: (T603) Make Changeset policy-aware. For now, just fake it
+    // by making sure we can see the diff.
+    $diff = id(new DifferentialDiffQuery())
+      ->setViewer($request->getUser())
+      ->withIDs(array($changeset->getDiffID()))
+      ->executeOne();
+    if (!$diff) {
+      return new Aphront404Response();
+    }
+
+
     $view = $request->getStr('view');
     if ($view) {
       $changeset->attachHunks($changeset->loadHunks());