staticanalysis/bot: ERR-CONDUIT-CORE : [Access Denied: D679] (Can Edit) You do not have permission to edit this object

[jankeromnes]

We hit this problem a few times now. Not sure if it's a bug, or just our usage of Phabricator's API that is wrong.

The error looks like this:

1. Analysis is triggered and runs fine
2. While trying to publish results on Phabricator (or Phabricator-dev), we get this:

Conduit API error ERR-CONDUIT-CORE : [Access Denied: D679] (Can Edit) You do not have permission to edit this object. // Members of the project "Restricted Project" can take this action. The owner of a revision can always view and edit it.

It happened with https://phabricator-dev.allizom.org/D679 (staging), while using https://phabricator-dev.allizom.org/p/rbartlensky/ 's access token, but it didn't reproduce once we switched to https://phabricator-dev.allizom.org/p/reviewbot/ 's token.

@globau also found an occurrence of this problem in production, on https://phabricator.services.mozilla.com/D4217, probably because @ueno manually changing view/edit rights around the time of the review (note: view/edit right changes were then reverted by phab-bot a bit later):

ueno changed the visibility from "Public (No Login Required)" to "Custom Policy".
ueno changed the edit policy from "bmo-editbugs-team (Project)" to "Custom Policy".
ueno added Bugzilla Bug ID 1485989.
phab-bot changed the visibility from "Custom Policy" to "Public (No Login Required)".
phab-bot changed the edit policy from "Custom Policy" to "bmo-editbugs-team (Project)".
Fri, Aug 24, 4:08 PM

[jankeromnes]

Thankfully, manually changing view/edit rights is not something that is supposed to happen, so the production failure is not a problem with our bot:

15:40:47 glob> janx: [...] it's something we need to prevent people from doing (it's a footgun). there's a bug for this

[globau]

when a revision is initially submitted it's in a private state until bmo updates the revision to match the corresponding bug (or to make it public if there's no bug). on phabricator this looks like:

phab-bot changed the visibility from "Custom Policy" to "Public (No Login Required)".
phab-bot changed the edit policy from "Custom Policy" to "bmo-editbugs-team (Project)".
phab-bot removed a project: secure-revision.

unfortunately this time this takes is variable, depending on the number of requests and other issues. because this has to work as a pure FIFO queue, problems processing the request at the head of the queue will result in a backlog.

you should be able to check this by matching up the exact times of your error messages with phab-bot's actions on phabricator.

if that's what's going on, you could add a delay before processing a revision, or retry permission issues with an eventual timeout.

Thankfully, manually changing view/edit rights is not something that is supposed to happen, so the production failure is not a problem with our bot:

15:40:47 glob> janx: [...] it's something we need to prevent people from doing (it's a footgun). there's a bug for this

https://bugzilla.mozilla.org/show_bug.cgi?id=1480687 for the curious.

[globau]

oh - that analysis worked fine probably means that initial visibility isn't the problem here.

probably best to get exact timestamps and revisions of when this happens and correlate with permissions related activity on phabricator.

[La0]

Outdated with the move to try: pulselistener now checks on the revision public/private state